The Vantage View | Salesforce

DORA Compliance 2026: What Financial Services Firms Need to Know About Digital Operational Resilience

Written by David Cockrum | Feb 13, 2026 1:00:00 PM

How Financial Institutions Can Turn Regulatory Requirements Into a Competitive Advantage

The financial services industry has never been more dependent on technology—and never more vulnerable to digital disruptions. From cyberattacks that freeze trading platforms to cloud outages that halt payment processing, the interconnected nature of modern finance creates systemic risks that can cascade across borders and institutions within minutes.

Recognizing these evolving threats, the European Union introduced the Digital Operational Resilience Act (DORA)—Regulation (EU) 2022/2554—a landmark piece of legislation that fundamentally transforms how financial entities must approach ICT (Information and Communication Technology) risk management.

DORA became applicable on January 17, 2025, and financial institutions, insurance companies, investment firms, and their technology vendors are now operating in a new regulatory reality. For firms still catching up—or those planning ahead to 2026 and beyond—understanding DORA's requirements is essential for maintaining compliance, avoiding significant penalties, and building genuine operational resilience.

In this guide, we'll explore everything you need to know about DORA compliance: what the regulation covers, who it applies to, the five pillars of compliance, how it affects your CRM and technology vendor relationships, the penalty framework, and practical steps for achieving and maintaining compliance.

What Is DORA? Understanding the Digital Operational Resilience Act

The Genesis of DORA

Prior to DORA, EU financial regulation primarily addressed operational risks through capital allocation—essentially, setting aside money to cover potential losses. This approach failed to address the unique challenges of ICT risks, which can threaten the stability of entire financial systems even when capital reserves are adequate.

The Digital Operational Resilience Act closes this critical gap by establishing uniform requirements for the security of network and information systems across the EU financial sector. Unlike previous directives that allowed for varied national implementations, DORA is a regulation—meaning it is directly applicable in all EU Member States without requiring national transposition.

Key Objectives of DORA

DORA's primary objectives include harmonizing ICT risk management across all types of financial entities, standardizing incident reporting to enable coordinated regulatory responses, establishing resilience testing requirements to verify preparedness, strengthening third-party risk oversight for technology vendors, and facilitating information sharing about cyber threats across the sector.

Who Must Comply with DORA?

Financial Entities Covered

DORA applies to virtually every type of financial entity operating within the EU, including credit institutions (banks), payment institutions and electronic money institutions, investment firms and asset managers, insurance and reinsurance undertakings, central securities depositories, credit rating agencies, crypto-asset service providers, crowdfunding service providers, data reporting service providers, and pension funds.

ICT Third-Party Service Providers

Critically, DORA extends its reach to ICT third-party service providers that support financial entities—including cloud service providers, data analytics platforms, software vendors, and managed service providers. Providers designated as "critical" (CTPPs) face direct oversight from European Supervisory Authorities.

In November 2025, the European Supervisory Authorities (EBA, EIOPA, and ESMA) published the first official list of designated Critical ICT Third-Party Providers, marking a crucial milestone in DORA's implementation.

Geographic Reach

While DORA is an EU regulation, its impact extends globally. Non-EU technology providers serving EU financial institutions must comply with DORA requirements and, in many cases, establish an EU subsidiary to enable proper regulatory oversight.

The Five Pillars of DORA Compliance

DORA is structured around five interconnected pillars that together form a comprehensive framework for digital operational resilience.

Pillar 1: ICT Risk Management and Governance

At DORA's foundation is the requirement for robust ICT risk management frameworks. Financial entities must appoint clearly defined roles responsible for ICT risk oversight, ensure management body involvement in ICT risk decisions, establish reporting lines and accountability structures, and define risk appetite and tolerance thresholds.

The framework encompasses the full lifecycle: identification (maintaining inventories of all ICT assets, systems, and dependencies), protection (implementing security measures including access controls, encryption, and network segmentation), detection (deploying monitoring systems for anomaly detection and threat identification), response (establishing incident response procedures and communication protocols), and recovery (developing and testing business continuity and disaster recovery plans).

Financial entities must also conduct regular ICT risk assessments at minimum annually, implement comprehensive ICT security policies, maintain documentation of all ICT-related policies and procedures, and ensure continuous improvement through lessons learned.

Pillar 2: ICT Incident Management and Reporting

DORA introduces a standardized, three-phase approach to incident reporting that ensures regulators receive timely information about significant ICT-related disruptions.

Incidents are classified based on the number of affected clients or counterparties, duration and geographic spread, data integrity impacts, economic impact and criticality of services affected, and reputational consequences.

The reporting timeline follows three stages:

  1. Initial Notification — Within hours/days of incident detection (depending on severity)
  2. Intermediate Report — More detailed assessment as investigation progresses
  3. Final Report — Complete root cause analysis with lessons learned and remediation steps

Financial entities must report major ICT-related incidents and are strongly encouraged to report significant cyber threats voluntarily. The European Supervisory Authorities have published detailed Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) specifying reporting formats, templates, and procedures.

Pillar 3: Digital Operational Resilience Testing

DORA mandates regular testing to validate that resilience measures actually work under stress. Requirements vary based on entity size and risk profile.

Basic testing requirements apply to all entities and include vulnerability assessments and scans, open source analysis, network security assessments, gap analyses, physical security reviews, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing, and penetration testing.

Advanced testing requirements apply to significant financial entities, which must conduct Threat-Led Penetration Testing (TLPT) at least every three years. These tests must be performed by qualified, independent testers, should simulate real-world advanced persistent threats, must cover critical systems and functions, and follow the updated TIBER-EU framework (aligned with DORA RTS in February 2025).

Pillar 4: ICT Third-Party Risk Management

Perhaps DORA's most transformative requirement is its comprehensive approach to third-party risk management—recognizing that outsourcing ICT services doesn't outsource responsibility.

Pre-contract, firms must conduct thorough due diligence on prospective ICT providers, assess security posture, regulatory compliance, and operational resilience, and verify business continuity and exit strategies.

Contractually (under Article 30), DORA specifies mandatory elements including complete descriptions of all ICT services provided, locations where data is processed and stored, service level agreements with quantitative and qualitative targets, notice periods and reporting obligations for material changes, incident notification requirements, participation rights in testing programs, exit strategies and transition periods, and subcontracting conditions and restrictions.

On an ongoing basis, firms must maintain a Register of Information (RoI) documenting all ICT third-party arrangements, monitor vendor performance against agreed SLAs, conduct periodic risk reassessments, and review and update contracts to reflect evolving requirements.

By April 30, 2025, competent authorities were required to submit Registers of Information to the ESAs for the CTPP designation process.

Pillar 5: Information and Intelligence Sharing

While voluntary, DORA strongly encourages financial entities to participate in cyber threat intelligence sharing arrangements. The benefits include earlier detection of emerging threats, understanding of common attack vectors, collective defense improvements, and reduced incident response times.

Any sharing must comply with data protection laws (including GDPR), use trusted communities such as Financial ISACs, establish governance around what information can be shared, and protect confidential business information.

How DORA Affects CRM and Technology Vendor Relationships

Why CRM Systems Matter Under DORA

Customer Relationship Management systems like Salesforce and HubSpot are central to how financial institutions manage client relationships, marketing, and sales processes. Under DORA, these systems—and their providers—fall squarely within the regulation's scope.

CRM systems matter for DORA for several reasons. They contain sensitive data including client personal data, financial information, and relationship details. They are business critical—disruption can impair client service, regulatory reporting, and operational efficiency. They involve integration complexity, often connecting with core banking, compliance, and trading systems and creating potential vulnerability chains. And most modern implementations involve cloud dependencies, adding third-party risk considerations.

Key Considerations for CRM Implementations

Due diligence is essential before implementing or renewing CRM platforms. Financial entities must assess the vendor's security certifications and compliance posture, review data residency and processing locations, evaluate business continuity and disaster recovery capabilities, and understand subcontractor relationships and dependencies.

Contractual enhancements under DORA may necessitate amendments to existing CRM agreements, including clear service level agreements with measurable targets, incident notification procedures and timelines, rights to participate in or receive results from security testing, data portability and exit assistance provisions, and audit rights and access to compliance documentation.

Ongoing governance requires including CRM systems in your Register of Information, monitoring vendor security posture through regular assessments, participating in vendor-provided security programs and updates, and planning for and testing exit scenarios.

Integration and Data Flow Considerations

CRM systems rarely operate in isolation. DORA requires understanding of upstream dependencies (what systems feed data into your CRM), downstream integrations (what systems receive data from your CRM), API security (how integrations are secured and monitored), and data synchronization (how CRM disruption would affect connected systems).

DORA Penalties and Enforcement: What's at Stake?

The Enforcement Framework

DORA delegates administrative penalty regimes to individual Member States under Article 50, requiring penalties to be "effective, proportionate, and dissuasive." This has resulted in significant variation across the EU.

Penalty Ranges by Jurisdiction

Corporate penalties vary considerably: Belgium allows fines up to €5 million or 10% of annual turnover (whichever is higher); Italy up to €20 million or 10% of annual turnover; Ireland up to €10 million or 10% of annual turnover; Sweden up to €1 million or 10% of annual turnover or 3x benefit gained; Germany up to €5 million; and the Netherlands up to €5 million (with base amounts from €10,000 to €2.5 million depending on the violation).

Individual penalties for management body members and other responsible individuals range from €100,000 (Finland) to €5 million (Germany, Italy, Belgium).

Critical Third-Party Provider Penalties

For designated Critical ICT Third-Party Providers (CTPPs), Lead Overseers can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover for each day of non-compliance—potentially representing hundreds of millions of euros for large technology companies.

Non-Monetary Consequences

Beyond fines, DORA violations can result in public censure and reputational damage, restrictions on business activities, prohibition of individuals from holding management positions, enhanced supervisory scrutiny, and mandatory remediation programs.

DORA Compliance Timeline: Key Milestones

Date                Milestone
January 16, 2023    DORA entered into force
January 17, 2025    DORA became applicable; full compliance required
February 11, 2025   TIBER-EU Framework updated to align with DORA TLPT requirements
February 18, 2025   ESAs published roadmap for CTPP designation
April 30, 2025      Deadline for competent authorities to submit Registers of Information to ESAs
July 2025           ESAs notified potential CTPPs of classification
November 18, 2025   ESAs published official list of designated Critical ICT Third-Party Providers
January 17, 2026    European Commission review of DORA effectiveness
Ongoing             Continuous compliance, testing, and reporting obligations

Best Practices for DORA Compliance in 2026 and Beyond

Governance and Leadership

Establish clear accountability by ensuring the management body understands its DORA responsibilities. Designate ICT risk ownership by appointing dedicated roles for ICT risk management. Integrate ICT risk into enterprise risk management—don't treat digital resilience as an IT-only concern. And maintain regular board reporting to keep leadership informed of ICT risk posture and compliance status.

Technology and Operations

Conduct comprehensive asset inventory so you know every ICT system, application, and dependency. Implement continuous monitoring by deploying tools for real-time threat detection and system health monitoring. Automate where possible to streamline compliance tasks, documentation, and reporting. And test regularly—don't wait for mandatory testing windows, as resilience should be continuously validated.

Third-Party Management

Centralize vendor management to maintain complete visibility into all ICT third-party relationships. Risk-tier your vendors by applying proportionate oversight based on criticality and risk. Update contracts proactively—don't wait for renewals to add DORA-required terms. And develop exit capabilities to ensure you can transition away from any vendor if necessary.

Culture and Training

Build security awareness by training all staff on ICT risk and their role in resilience. Conduct regular exercises including tabletop and simulation exercises across the organization. Learn from incidents through robust post-incident review processes. And share knowledge by participating in industry information sharing where appropriate.

How Vantage Point Helps Financial Services Firms Navigate DORA

At Vantage Point, we understand the unique challenges financial services firms face in achieving DORA compliance while maintaining operational efficiency and client service excellence.

CRM Implementation with DORA in Mind

Our Salesforce Financial Services Cloud and HubSpot CRM implementations are designed with regulatory compliance at their core, featuring security-first architecture (data encryption, access controls, and audit trails aligned with DORA requirements), integration governance (properly documented and secured connections between CRM and core systems), compliance documentation (comprehensive records to support your Register of Information obligations), and exit planning (implementation approaches that preserve data portability and transition capabilities).

Data Cloud and MuleSoft Integration

DORA requires understanding of data flows across your technology ecosystem. Our MuleSoft integration and Salesforce Data Cloud expertise helps you map data dependencies and integration points, implement API security and monitoring, create resilient and well-documented integration architectures, and enable real-time visibility into system health.

Ongoing Compliance Support

Compliance isn't a one-time project—it's an ongoing commitment. Vantage Point provides regular compliance assessments against evolving DORA guidance, vendor risk documentation and contract review support, testing and validation of resilience measures, and training and knowledge transfer for your teams.

Frequently Asked Questions About DORA Compliance

What is the Digital Operational Resilience Act (DORA)?
DORA (Regulation EU 2022/2554) is an EU regulation establishing uniform requirements for ICT risk management, incident reporting, resilience testing, and third-party risk management across the financial services sector. It became applicable on January 17, 2025.

Does DORA apply to non-EU companies?
Yes. Non-EU ICT service providers serving EU financial institutions must comply with DORA requirements. Critical third-party providers from outside the EU must establish an EU subsidiary for proper oversight.

What are the main penalties for DORA non-compliance?
Penalties vary by Member State but can reach up to €20 million or 10% of annual turnover for organizations, and up to €5 million for individuals. Critical ICT providers face daily penalty payments of up to 1% of global daily turnover.

How does DORA affect my CRM implementation?
CRM systems fall within DORA's scope as ICT services supporting financial operations. You must include them in your Register of Information, ensure contracts meet DORA requirements, conduct due diligence on the provider, and incorporate them into your resilience testing program.

What is a Register of Information (RoI) under DORA?
The RoI is a mandatory register documenting all contractual arrangements with ICT third-party service providers. It must be maintained at entity, sub-consolidated, and consolidated levels and reported to competent authorities.

How often must threat-led penetration testing be conducted?
Significant financial entities must conduct Threat-Led Penetration Testing (TLPT) at least every three years on live production systems supporting critical functions, following the TIBER-EU framework.

What is a Critical Third-Party Provider (CTPP)?
CTPPs are ICT service providers designated by the ESAs as critical to the EU financial sector's operational resilience. They face direct oversight from Lead Overseers and must comply with specific regulatory requirements.

Conclusion: Building Genuine Operational Resilience

DORA represents more than a compliance obligation—it's an opportunity to build genuine operational resilience that protects your institution, your clients, and the broader financial system. The regulation's comprehensive approach to ICT risk management, incident response, testing, and third-party oversight creates a framework for sustainable digital operations.

As we move through 2026, financial institutions that view DORA as a strategic enabler rather than a regulatory burden will be best positioned to thrive. The investments made in resilience today will pay dividends in reduced incidents, faster recoveries, enhanced client trust, and competitive advantage.

Ready to strengthen your digital operational resilience? Contact Vantage Point to learn how our Salesforce, HubSpot, and integration expertise can help your financial services firm achieve and maintain DORA compliance while delivering exceptional client experiences.

About Vantage Point

Vantage Point specializes in helping financial institutions design and implement client experience transformation programs using Salesforce Financial Services Cloud. Our team combines deep Salesforce expertise with financial services industry knowledge to deliver measurable improvements in client satisfaction, operational efficiency, and business results.

About the Author

David Cockrum founded Vantage Point after serving as Chief Operating Officer in the financial services industry. His unique blend of operational leadership and technology expertise has enabled Vantage Point's distinctive business-process-first implementation methodology, delivering successful transformations for 150+ financial services firms across 400+ engagements with a 4.71/5.0 client satisfaction rating and 95%+ client retention rate.