DORA Glossary
Plain-English definitions of the terms that matter for DORA compliance. Each entry is answer-first and links to the relevant article and pillar.
13 terms
Competent Authority
A competent authority is the national supervisor responsible for overseeing a financial entity's compliance with DORA. Article 46 designates which authority supervises each entity type, such as a national central bank, banking regulator, or securities and markets authority, and it is the body to which major ICT incidents are reported.
Read definitionCritical ICT Third-Party Provider (CTPP)
A critical ICT third-party provider is an ICT provider designated by the European Supervisory Authorities as systemically important to the EU financial sector. Under DORA, CTPPs are subject to a direct EU oversight framework, distinct from the obligations placed on the financial entities that use them.
Read definitionDigital Operational Resilience
Digital operational resilience is a financial entity's ability to build, assure, and review its operational integrity and reliability by withstanding, responding to, and recovering from ICT-related disruptions. It is the central objective of DORA and the outcome all five pillars work toward.
Read definitionFinancial Entity
A financial entity is any organisation listed in DORA Article 2 that falls within the regulation's scope, including credit institutions, payment and e-money institutions, investment firms, insurers, crypto-asset service providers, and around twenty other categories. Financial entities bear the primary obligations across all five DORA pillars.
Read definitionICT Concentration Risk
ICT concentration risk is the risk that arises when a financial entity, or the sector as a whole, becomes overly dependent on a single ICT third-party provider or a small group of them. DORA Article 29 requires entities to assess this risk before and during outsourcing, particularly where substitution would be difficult.
Read definitionICT Risk-Management Framework
The ICT risk-management framework is the documented set of strategies, policies, procedures, and tools that DORA Article 6 requires every financial entity to maintain in order to identify, protect against, detect, respond to, and recover from ICT-related risk. The management body is accountable for it.
Read definitionICT Third-Party Provider (TPP)
Under DORA Article 3(21), an ICT third-party service provider is an undertaking that provides ICT services to a financial entity. These providers fall within scope of DORA's third-party risk-management requirements, including the register of information under Article 28.
Read definitionLead Overseer
The Lead Overseer is the European Supervisory Authority (EBA, ESMA, or EIOPA) appointed under DORA Articles 31–33 to oversee a designated critical ICT third-party provider. It exercises the EU-level oversight powers over the provider directly, separately from the national competent authorities that supervise financial entities.
Read definitionMajor ICT-Related Incident
A major ICT-related incident is an ICT incident that meets DORA's classification thresholds and must therefore be reported to the competent authority. Classification (Article 18) considers factors such as clients affected, duration, geographic spread, data losses, and economic impact.
Read definitionOversight Framework
The Oversight Framework is the EU-level regime, set out in DORA Articles 31–44, under which designated critical ICT third-party providers are supervised directly by a Lead Overseer. It exists to address the concentration risk created by the financial sector's dependence on a small number of major ICT providers.
Read definitionRegister of Information
The register of information is a structured record, required by DORA Article 28, of all contractual arrangements a financial entity has with ICT third-party providers. It must distinguish arrangements that support critical or important functions and be reportable to competent authorities.
Read definitionSubcontracting
Subcontracting under DORA occurs when an ICT third-party provider uses further providers to deliver part of a service to a financial entity. Article 30 requires contracts to specify the conditions for subcontracting ICT services that support critical or important functions, so the entity retains visibility and control over the chain.
Read definitionThreat-Led Penetration Testing (TLPT)
Threat-led penetration testing is an advanced, intelligence-driven test of a financial entity's live production systems required under DORA Article 26 for significant entities. It simulates the tactics of real threat actors and follows the EU's TIBER-EU framework.
Read definition