DORA for Banks & Credit Institutions
Credit institutions, banks authorised under the Capital Requirements Directive, are expressly within DORA's scope under Article 2(1)(a). They must apply the full ICT risk-management framework, report major incidents, run a resilience-testing programme (including TLPT for significant banks), and maintain a register of ICT third-party arrangements. DORA has applied since 17 January 2025.
Why banks are a primary focus
Banks sit at the centre of the financial system and run large, complex ICT estates with heavy reliance on cloud and third-party providers. DORA consolidates and, in places, tightens expectations that were previously spread across EBA guidelines on ICT and outsourcing. For most banks the framework is an uplift and consolidation exercise rather than a standing start.
What bites hardest
- Threat-led penetration testing (TLPT), significant banks must test live systems at least every three years.
- Register of information, a complete, structured inventory of every ICT third-party arrangement, reportable to the competent authority.
- Major-incident reporting, harmonised classification and tight notification deadlines.
- Board accountability, the management body owns the ICT risk-management framework.
Proportionality
DORA applies proportionately: smaller and non-complex institutions face a lighter touch on some obligations, while significant banks carry the heaviest testing and oversight expectations. See our requirements overview and compliance checklist.
Frequently asked questions
Are all banks in scope of DORA?
Yes. Credit institutions are named in Article 2(1)(a) with no minimum-size carve-out, though proportionality adjusts how some obligations apply.
Do banks have to do TLPT?
Only banks identified as significant by their competent authority must perform threat-led penetration testing, at least once every three years.
How does DORA relate to existing EBA ICT guidelines?
DORA largely absorbs and supersedes the EBA guidelines on ICT and security risk management and on outsourcing for matters it now regulates directly.