DORA Requirements: The Five Pillars
DORA's requirements are organised into five pillars. Together they require financial entities to govern ICT risk, report major incidents, test their resilience, manage third-party dependencies, and, optionally, share threat intelligence. Each pillar below links to a detailed deep-dive with the relevant articles.
The five pillars at a glance
ICT Risk Management
Article 6Governance, frameworks, and controls for managing ICT risk across the financial entity.
ICT Incident Reporting
Articles 17–23Classifying, managing, and reporting major ICT-related incidents to competent authorities.
Digital Resilience Testing
Articles 24–27Regular testing of ICT systems, including threat-led penetration testing (TLPT).
ICT Third-Party Risk
Articles 28–30Managing risk from ICT third-party providers, including the register of information.
Information Sharing
Article 45Voluntary exchange of cyber-threat intelligence between financial entities.
Where to start
Most entities begin with the ICT risk-management framework and the register of information, since these underpin the other pillars. Use our Readiness Score to see which pillars need the most attention, or work through the compliance checklist.
Frequently asked questions
How many pillars does DORA have?
DORA is organised into five pillars: ICT risk management, ICT incident reporting, digital operational resilience testing, ICT third-party risk, and information sharing.
Are all five DORA pillars mandatory?
Four are mandatory. The fifth, information sharing (Article 45), is voluntary; financial entities may exchange cyber-threat intelligence but are not required to.
Which DORA requirements should a firm address first?
Most entities begin with the ICT risk-management framework and the register of information, as these underpin incident reporting and resilience testing.