DORA Compliance: What Financial Services SMBs Need to Know

A practical guide to the Digital Operational Resilience Act — who’s in scope, what the 5 pillars require, and how to assess your readiness in 15 minutes.

The Digital Operational Resilience Act (DORA) is now in force across the EU. If you work in financial services, this regulation directly affects how you manage ICT risk, handle incidents, test your resilience, and oversee your technology suppliers.

But DORA isn’t just for the big banks. It applies to a much wider range of financial entities than most people realise — and it extends to the ICT companies that serve them.

This guide explains what DORA requires in plain English, who needs to comply, and how to check your readiness today.

What Is DORA?

DORA is an EU regulation (not a directive — it applies directly, no national transposition needed) that establishes uniform requirements for the security of network and information systems in the financial sector. It entered into force on 16 January 2023, with the compliance deadline of 17 January 2025.

The goal is straightforward: ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions and threats. The regulation recognises that modern financial services are entirely dependent on technology, and that a single ICT failure can cascade across the financial system.

Does DORA Apply to Your Business?

DORA applies to virtually all regulated financial entities in the EU, including:

  • Credit institutions (banks)

  • Payment institutions and e-money institutions

  • Investment firms

  • Insurance and reinsurance undertakings

  • Crypto-asset service providers

  • Central securities depositories

  • Trade repositories

  • Credit rating agencies

  • Crowdfunding service providers

  • Pension funds (IORPs)

  • Management companies and alternative investment fund managers

Critically, DORA also reaches the ICT third-party service providers that serve these entities, but mostly indirectly. If you're a cloud provider, managed service provider, SaaS company, or data analytics firm serving financial services clients, the regulation obliges your clients to assess your resilience, to write specific provisions into their contracts with you, and to record you in their register of information. Only providers the European Supervisory Authorities designate as critical fall under DORA's direct oversight framework; everyone else feels DORA through their customers' due diligence, contract terms, and audit rights.

Key point: Even if you're a small fintech with 20 employees, if you hold an e-money licence or provide payment services, DORA applies to you. The proportionality principle means smaller entities can scale the framework to their size and risk profile, and only microenterprises (fewer than 10 staff and annual turnover or balance sheet total of EUR 2 million or less) qualify for the simplified regime that drops requirements such as annual testing of critical systems. The core obligations still stand for everyone in scope.

The 5 Pillars of DORA

DORA is structured around five pillars. Here’s what each one requires and a checklist to assess your readiness.

Pillar 1: ICT Risk Management

This is the foundation. You must have a comprehensive ICT risk management framework that is documented, regularly reviewed, and approved by your management body.

  • ✅ An ICT risk management framework exists and is documented

  • ✅ The management body (board or equivalent) has approved the framework and oversees its implementation

  • ✅ ICT risk is integrated into your overall risk management framework

  • ✅ ICT systems and assets are identified, classified, and documented

  • ✅ Protection measures are in place: access control, encryption, network security, patch management

  • ✅ Detection capabilities exist for anomalous activities and potential threats

  • ✅ Business continuity and disaster recovery plans cover ICT systems

  • ✅ Lessons learned from incidents and tests feed back into the framework

Pillar 2: ICT-Related Incident Management

You must have processes to detect, manage, and report ICT-related incidents. Major incidents must be reported to your competent authority.

  • ✅ An incident management process exists with clear classification criteria

  • ✅ Major incidents can be detected and classified within defined timeframes

  • ✅ Initial notification to the competent authority can be made within 4 hours of classifying an incident as major, and in any case no later than 24 hours after becoming aware of it

  • ✅ Intermediate report can be provided within 72 hours of submitting the initial notification

  • ✅ Final report can be provided within 1 month of submitting the (latest) intermediate report

  • ✅ Root cause analysis is performed for all major incidents

  • ✅ Incident records are maintained and reviewed

Pillar 3: Digital Operational Resilience Testing

You must test your ICT systems regularly. For significant entities, this includes advanced threat-led penetration testing (TLPT).

  • ✅ A testing programme exists covering vulnerability assessments, network security testing, and scenario-based testing

  • ✅ Tests are conducted at least annually on all ICT systems and applications supporting critical or important functions (microenterprises are exempt from this annual requirement)

  • ✅ Test results are documented with remediation plans

  • ✅ For entities identified by their competent authority: threat-led penetration testing (TLPT) is planned or conducted at least every 3 years, on live production systems

  • ✅ Testing covers both internal systems and third-party dependencies

Pillar 4: ICT Third-Party Risk Management

You must manage the risks arising from your dependence on ICT third-party providers. This includes contractual requirements, ongoing monitoring, and exit strategies.

  • ✅ A register of information covering all contractual arrangements for ICT services is maintained, kept current, and can be produced for the competent authority on request (with a yearly summary of new arrangements reported to them)

  • ✅ Contracts with ICT providers include required DORA provisions (security, audit rights, exit clauses, sub-outsourcing controls)

  • ✅ Due diligence is performed before engaging ICT providers

  • ✅ Concentration risk is assessed (are you over-reliant on a single provider?)

  • ✅ Exit strategies exist for critical ICT services

  • ✅ Ongoing monitoring of third-party performance and security is in place

Pillar 5: Information Sharing

DORA encourages, but does not mandate, participation in cyber threat information sharing arrangements with other financial entities. Participation is voluntary; if you do join one, you must notify your competent authority, and the arrangement must protect the sensitive information exchanged and respect competition and data protection rules.

  • ✅ You are aware of available information sharing arrangements in your jurisdiction

  • ✅ You have considered joining a financial sector ISAC or similar body

  • ✅ Internal processes exist to receive, assess, and act on shared threat intelligence

What Are the Penalties?

DORA itself doesn’t specify fine amounts — enforcement is through each member state’s competent authority (e.g., the Central Bank of Ireland). However, authorities have broad powers including administrative fines, public censure, withdrawal of authorisation, and personal liability for senior management.

For critical ICT third-party providers designated by the European Supervisory Authorities (ESAs), oversight fees apply, and the Lead Overseer can impose periodic penalty payments of up to 1% of average daily worldwide turnover in the preceding business year, charged per day of non-compliance for up to six months.

The bigger risk for most SMBs is contractual: your financial services clients will increasingly require DORA compliance evidence from their ICT suppliers. If you can’t demonstrate compliance, you risk losing contracts.

How to Assess Your DORA Compliance in 15 Minutes

Working through the checklists above gives you a solid understanding of where you stand. But if you want a scored assessment with AI-powered analysis and prioritised recommendations, ShieldIQ’s free DORA compliance assessment covers all 5 pillars.

The platform asks practical, jargon-free questions mapped to DORA’s requirements. AI analyses every response and scores each pillar from 0–100%. You get a spider graph, risk heatmap, and a prioritised action list ranked by effort and impact.

It’s free, takes under 15 minutes, and requires no credit card.


Ready to find out where you stand?

Start your free DORA compliance assessment at app.shieldiqcyber.com

No credit card. No sales call. Under 15 minutes.