EU Regulation 2022/2554 · In force Jan 2025

DORA compliance — built for African fintechs with EU exposure.

The Digital Operational Resilience Act applies to financial entities operating in or providing services to the EU. If your fintech, bank, or payments provider touches EU markets, DORA compliance is now mandatory.

In force since: Jan 2025
Entities in scope: 20+ types
Maximum fine: 2% of global turnover

Five requirements. All mandatory. None of them trivial.

DORA consolidates ICT risk management requirements for financial entities into five interconnected pillars. Each requires documented policies, tested controls, and evidence of ongoing compliance.

01 ICT Risk Management: Comprehensive ICT risk framework with board-level ownership, risk appetite, and continuous monitoring.
02 Incident Reporting: Mandatory classification, reporting, and escalation of major ICT incidents to competent authorities within tight deadlines.
03 Digital Operational Resilience Testing: Annual ICT testing programme including vulnerability assessments and — for significant entities — threat-led penetration testing (TLPT).
04 Third-Party ICT Risk: Contractual requirements, concentration risk monitoring, and exit strategies for all critical ICT third-party service providers.
05 Information Sharing: Voluntary participation in threat intelligence sharing arrangements with other financial entities and competent authorities.

Does DORA apply to your organisation?

DORA applies to financial entities operating within the EU and their critical ICT third-party service providers — including those based outside the EU serving EU-regulated entities.

In scope: Financial entities and their ICT providers
Any entity regulated as a financial institution in the EU, and critical ICT third-party service providers serving those entities — regardless of where the ICT provider is based.
Banks & Credit Institutions, Payment Institutions, E-money Institutions, Investment Firms, Insurance Companies, Crypto Asset Service Providers, Critical ICT Vendors to the Above.

Why this affects African firms: African fintechs with EU exposure
If you provide payment processing, cloud infrastructure, SaaS, or data services to EU-regulated financial entities, you may be classified as a critical ICT third-party provider — and face direct DORA obligations.
Payment Processors, Cloud Service Providers, SaaS Platforms, Data Analytics Providers, Core Banking Vendors, Remittance Platforms.

Key requirements across the five pillars.

ICT Risk Management: Board-approved ICT Risk Framework
A documented, board-approved ICT risk management framework with defined roles, risk appetite, and annual review. Includes asset inventory, threat identification, and continuous risk monitoring processes.

Incident Management: Major Incident Classification & Reporting
A documented process to classify ICT incidents by severity. Major incidents must be reported to the competent authority within 4 hours (initial), 24 hours (intermediate), and 1 month (final report). Post-incident reviews are mandatory.

Resilience Testing: Annual ICT Testing Programme
Annual vulnerability assessments and penetration testing for all entities. Significant entities must conduct Threat-Led Penetration Testing (TLPT) every three years using the TIBER-EU methodology — coordinated with regulators.

Third-Party Risk: ICT Third-Party Risk Policy & Contracts
A documented ICT third-party risk policy, register of all ICT providers, concentration risk analysis, and mandatory contractual clauses with all ICT vendors — including audit rights, security SLAs, and documented exit strategies.

Business Continuity: ICT Business Continuity & Disaster Recovery
Documented ICT Business Continuity Plan and Disaster Recovery Plan with defined RTOs and RPOs. Both must be tested at least annually — and the results reported to the board and regulators.

DORA questions, answered plainly.

Is DORA in force already?

Yes. DORA entered into force on 16 January 2023 and became applicable on 17 January 2025. Financial entities and their critical ICT third-party providers are expected to be compliant now. Regulators across EU member states are beginning supervisory assessments.

Does DORA apply to companies outside the EU?

Yes — indirectly. If your organisation provides ICT services to EU-regulated financial entities and is classified as a "critical ICT third-party service provider," you face direct obligations under DORA including audits by EU supervisory authorities. Even non-critical providers face mandatory contractual requirements from their EU clients.

How does DORA relate to other frameworks like ISO 27001 or GDPR?

DORA is complementary to ISO 27001 and GDPR but is specifically focused on ICT operational resilience in financial services. ISO 27001 provides a strong foundation — many controls overlap. However, DORA adds financial-sector-specific requirements (TLPT, incident reporting timelines, third-party concentration risk) that go beyond ISO 27001. We help organisations use existing ISO 27001 work as a foundation for DORA compliance.

What are the penalties for non-compliance?

Penalties vary by member state but DORA allows fines of up to 1–2% of global annual turnover for financial entities, and up to €5 million for individuals in management positions. Critical ICT third-party service providers face fines of up to 1% of average daily worldwide turnover for each day of non-compliance.

Where do we start with DORA compliance?

Start with a DORA gap assessment — mapping your current ICT risk, incident management, resilience testing, and third-party risk practices against DORA's five pillars. This gives you a prioritised view of what's missing and a realistic roadmap. That's exactly what our 15-minute scoping call will help you plan.

Not sure if DORA applies to you?

Book a 15-minute scoping call. We'll assess your EU exposure, identify your DORA obligations, and give you a clear picture of what compliance involves — no commitment required.

15 min · Free · No sales pitch