The Digital Operational Resilience Act — DORA — has been legally binding across the EU since 17 January 2025. There is no grace period, no phased rollout for smaller institutions, and no exemption for banks that are "still working on it." If you are a financial entity operating in the EU, DORA applies to you today.
Yet when we speak to CISOs and CIOs at banks and financial firms across Romania and the Czech Republic, we consistently find the same picture: the framework exists on paper, but several key requirements have not been fully implemented — particularly around ICT third-party risk management, resilience testing, and incident classification.
"Most banks have a DORA project underway. The gap is not awareness — it is the depth of implementation. Regulators are not looking for a policy document; they want to see evidence that the controls are working."
Who Does DORA Apply To?
DORA applies to a broad range of financial entities, including:
- Credit institutions (banks)
- Payment institutions and e-money institutions
- Investment firms and asset managers
- Insurance and reinsurance undertakings
- Crypto-asset service providers (CASPs)
- ICT third-party service providers serving any of the above
The Five DORA Pillars
1. ICT Risk Management Framework
A documented, board-approved ICT risk management framework covering: asset register, risk assessment process, defined risk appetite, and policies for at least 10 security domains. Reviewed at least annually.
2. ICT-Related Incident Management
A documented process for classifying, managing, and reporting ICT incidents. Major incidents must be reported to BNR (Romania) or ČNB (Czech Republic) within 4 hours of classification, with a final report within one month.
3. Digital Operational Resilience Testing
Annual resilience testing of all ICT systems. Significant institutions must additionally conduct Threat-Led Penetration Testing (TLPT) every three years — coordinated with the national competent authority.
4. ICT Third-Party Risk Management
A complete register of all ICT third-party providers, DORA-compliant contractual terms in all ICT agreements, and an ongoing monitoring process for critical third parties. Article 30 requires participation in information-sharing arrangements.
5. Information and Intelligence Sharing
Participation in cyber threat intelligence sharing arrangements. Financial entities operating across multiple countries have additional cross-border coordination obligations.
The 3 Most Common DORA Gaps
Prioritised Action Timeline
| Priority | Action | Timeframe |
|---|---|---|
| Red Priority | Complete ICT third-party register with DORA-required fields | 2–4 weeks |
| Red Priority | Define and document major incident classification criteria | 1–2 weeks |
| Yellow Priority | Review and update all ICT vendor contracts for DORA minimum clauses | 4–8 weeks |
| Yellow Priority | Conduct annual ICT resilience testing and document results | 4–6 weeks |
| Green Priority | Assess TLPT obligation and plan first exercise if required | 3–6 months |
A Note for Smaller and Growing Financial Institutions
DORA was written with large financial institutions in mind, but it applies equally to growing regional banks, fintechs, and payment institutions. The challenge for smaller institutions is that the compliance burden requires either a dedicated internal team or external support.
A managed approach — where an external partner handles the gap assessment, contract review, and documentation framework — is often significantly more cost-effective than building an internal DORA programme from scratch.