Skip to main content
DORA Auditor

DORA for Banks & Credit Institutions

Last updated: 3 authoritative sourcesDORA Auditor Editorial Team

Credit institutions, banks authorised under the Capital Requirements Directive, are expressly within DORA's scope under Article 2(1)(a). They must apply the full ICT risk-management framework, report major incidents, run a resilience-testing programme (including TLPT for significant banks), and maintain a register of ICT third-party arrangements. DORA has applied since 17 January 2025.

Why banks are a primary focus

Banks sit at the centre of the financial system and run large, complex ICT estates with heavy reliance on cloud and third-party providers. DORA consolidates and, in places, tightens expectations that were previously spread across EBA guidelines on ICT and outsourcing. For most banks the framework is an uplift and consolidation exercise rather than a standing start.

What bites hardest

Proportionality

DORA applies proportionately: smaller and non-complex institutions face a lighter touch on some obligations, while significant banks carry the heaviest testing and oversight expectations. See our requirements overview and compliance checklist.

Frequently asked questions

Are all banks in scope of DORA?
Do banks have to do TLPT?
How does DORA relate to existing EBA ICT guidelines?

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex
  2. European Banking Authority, DORA
  3. ESMA, Digital Operational Resilience Act (DORA)