Skip to main content
DORA Auditor

DORA Glossary

Plain-English definitions of the terms that matter for DORA compliance. Each entry is answer-first and links to the relevant article and pillar.

13 terms

Competent Authority

A competent authority is the national supervisor responsible for overseeing a financial entity's compliance with DORA. Article 46 designates which authority supervises each entity type, such as a national central bank, banking regulator, or securities and markets authority, and it is the body to which major ICT incidents are reported.

Read definition

Critical ICT Third-Party Provider (CTPP)

A critical ICT third-party provider is an ICT provider designated by the European Supervisory Authorities as systemically important to the EU financial sector. Under DORA, CTPPs are subject to a direct EU oversight framework, distinct from the obligations placed on the financial entities that use them.

Read definition

Digital Operational Resilience

Digital operational resilience is a financial entity's ability to build, assure, and review its operational integrity and reliability by withstanding, responding to, and recovering from ICT-related disruptions. It is the central objective of DORA and the outcome all five pillars work toward.

Read definition

Financial Entity

A financial entity is any organisation listed in DORA Article 2 that falls within the regulation's scope, including credit institutions, payment and e-money institutions, investment firms, insurers, crypto-asset service providers, and around twenty other categories. Financial entities bear the primary obligations across all five DORA pillars.

Read definition

ICT Concentration Risk

ICT concentration risk is the risk that arises when a financial entity, or the sector as a whole, becomes overly dependent on a single ICT third-party provider or a small group of them. DORA Article 29 requires entities to assess this risk before and during outsourcing, particularly where substitution would be difficult.

Read definition

ICT Risk-Management Framework

The ICT risk-management framework is the documented set of strategies, policies, procedures, and tools that DORA Article 6 requires every financial entity to maintain in order to identify, protect against, detect, respond to, and recover from ICT-related risk. The management body is accountable for it.

Read definition

ICT Third-Party Provider (TPP)

Under DORA Article 3(21), an ICT third-party service provider is an undertaking that provides ICT services to a financial entity. These providers fall within scope of DORA's third-party risk-management requirements, including the register of information under Article 28.

Read definition

Lead Overseer

The Lead Overseer is the European Supervisory Authority (EBA, ESMA, or EIOPA) appointed under DORA Articles 31–33 to oversee a designated critical ICT third-party provider. It exercises the EU-level oversight powers over the provider directly, separately from the national competent authorities that supervise financial entities.

Read definition

Major ICT-Related Incident

A major ICT-related incident is an ICT incident that meets DORA's classification thresholds and must therefore be reported to the competent authority. Classification (Article 18) considers factors such as clients affected, duration, geographic spread, data losses, and economic impact.

Read definition

Oversight Framework

The Oversight Framework is the EU-level regime, set out in DORA Articles 31–44, under which designated critical ICT third-party providers are supervised directly by a Lead Overseer. It exists to address the concentration risk created by the financial sector's dependence on a small number of major ICT providers.

Read definition

Register of Information

The register of information is a structured record, required by DORA Article 28, of all contractual arrangements a financial entity has with ICT third-party providers. It must distinguish arrangements that support critical or important functions and be reportable to competent authorities.

Read definition

Subcontracting

Subcontracting under DORA occurs when an ICT third-party provider uses further providers to deliver part of a service to a financial entity. Article 30 requires contracts to specify the conditions for subcontracting ICT services that support critical or important functions, so the entity retains visibility and control over the chain.

Read definition

Threat-Led Penetration Testing (TLPT)

Threat-led penetration testing is an advanced, intelligence-driven test of a financial entity's live production systems required under DORA Article 26 for significant entities. It simulates the tactics of real threat actors and follows the EU's TIBER-EU framework.

Read definition