Your fintech falls under DORA. You need an ICT risk framework, incident reporting processes, resilience tests, and third-party registers — and the January 2025 deadline has already passed. Complara turns the five DORA pillars into plain-English checklists so your team knows exactly what to implement next.
10-day free trial · No credit card required · Setup in 3 minutes
DORA (Digital Operational Resilience Act) has applied since 17 January 2025 (it entered into force in January 2023 with a two-year transition). It applies to financial entities operating in the EU, including banks, payment institutions, e-money institutions, investment firms, and crypto-asset service providers, and to the ICT third-party providers designated as critical.
A comprehensive ICT risk management framework covering identification, protection, detection, response, and recovery — documented and updated annually.
Processes to classify ICT-related incidents by severity and report major incidents to your competent authority within defined timelines: the initial notification is due within 4 hours of classifying the incident as major, and no later than 24 hours after becoming aware of it.
Testing of ICT systems and tools supporting critical or important functions at least annually, including vulnerability assessments, and, for entities designated by their competent authority, Threat-Led Penetration Testing (TLPT) at least every three years.
A register of information on all ICT third-party service providers, mandatory contractual provisions, and risk assessments for suppliers supporting critical or important functions. Providers designated as critical fall under direct oversight by the European Supervisory Authorities.
Voluntary participation in cyber threat intelligence sharing arrangements with other financial entities.
Management body accountability for ICT risk. Board-level oversight of the ICT risk management framework with defined roles and responsibilities.
DORA is a complex regulation. Complara breaks it into actionable checklist items mapped to each pillar, so your team knows exactly what to implement and what evidence to collect.
Each DORA requirement translated into plain-English tasks your engineering, ops, and risk teams can act on directly.
Attach ICT risk registers, incident logs, test reports, and third-party contracts directly to each checklist item.
Assign risk management items to your CTO, incident items to your security team, and third-party items to procurement — tracked in one place.
Generate a DORA readiness summary to share with your regulator, board, or enterprise customers asking about your operational resilience.
DORA-regulated entities often also need SOC 2 or ISO 27001 for enterprise customers. NIS2 may come into play as well, although where DORA applies it takes precedence over NIS2's overlapping risk management and incident reporting obligations as the sector-specific act. Complara covers all of these in one platform.
DORA (Digital Operational Resilience Act) is an EU regulation that has applied since 17 January 2025. It establishes a unified framework for ICT risk management, incident reporting, resilience testing, and third-party oversight across the EU financial sector.
DORA applies to financial entities operating in the EU, including banks, payment institutions, e-money institutions, investment firms, and crypto-asset service providers, as well as the ICT third-party providers designated as critical. There's a proportionality principle: obligations scale with an entity's size and risk profile, and microenterprises have lighter obligations.
ICT risk management · Incident classification and reporting · Digital operational resilience testing · ICT third-party risk management · Information and intelligence sharing.
For major ICT incidents: initial notification within 4 hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), intermediate report within 72 hours of the initial notification, and final report within 1 month of the intermediate report. Read the full DORA guide →
All five pillars. Plain-English tasks. Evidence storage built in. From first policy to regulator-ready in one place.