DORA · Regulation (EU) 2022/2554

Operational resilience for DORA compliance

DORA is the EU regulation making ICT risk management mandatory for financial entities. Normado generates your ICT risk policies, maps all 94 DORA requirements, and tracks your resilience posture — so you're ready for regulator scrutiny, not scrambling for it.

First 100 customers get all Enterprise features at €49/mo for year one.


Example DORA dashboard (app.normado.io/gap-analysis, DORA · Live Compliance):

  • DORA requirements covered: 71 / 94
  • ICT risk policies approved: 9 / 10
  • Third-party registers: 24
  • Incident response runbooks: 12

What DORA actually requires

Three pillars, plain language

DORA applies to 20+ categories of financial entity — banks, investment firms, crypto-asset providers, insurers — and their critical ICT third parties. The regulation came into force January 17, 2025. Here's what it actually requires.

1. ICT risk management framework

A formal, board-approved framework covering identification, protection, detection, response, and recovery. Aligned with proportionality — scaled to your entity's size and complexity.

2. Third-party ICT risk register

A full register of every ICT third party, with criticality classification, exit strategies, concentration risk analysis, and contract clauses meeting Article 30 requirements.

3. Incident reporting & resilience testing

Major ICT incident reporting to competent authorities within strict timelines, plus Threat-Led Penetration Testing (TLPT) for significant entities every 3 years.

Want the full breakdown? Read our DORA deep-dive.

How Normado covers it

Built end-to-end for DORA

  • ICT risk policies generated and mapped: ICT security policy, access control, change management, backup & recovery, business continuity — all aligned to DORA Articles 5-15.
  • All 94 DORA requirements pre-loaded: each with plain-language guidance based on real DORA implementation experience at a global trading firm.
  • Third-party register with concentration tracking: log every ICT third party, classify by criticality, flag concentration risk, link to exit strategies.
  • Incident reporting templates aligned to RTS: structured incident classification matching the EBA/ESMA/EIOPA Regulatory Technical Standards.
  • TLPT readiness for significant entities: scope, threat intelligence, red-team test coordination, and remediation tracking — purpose-built for DORA Articles 26-27.

Example org compliance (71% DORA):

  • Policies: 22 / 25
  • Controls: 19 / 25
  • Risks: 17 / 25
  • Evidence: 13 / 25

A living platform, not a one-off project

What ongoing compliance looks like

Consultants deliver a snapshot in time — then you maintain it yourself, re-engage every year, and answer auditor questions from static Word docs. Normado is the living system underneath: always current, always auditable, owned by your team.

Consultant engagement

€15,000 – €50,000
6 – 12 months per cycle
  • Tailored through months of interviews and workshops
  • Static deliverables you maintain yourself afterward
  • Evidence collection, version control, audit prep on you
  • Re-engage every year for refreshes and new frameworks
  • Expertise leaves when the engagement ends

Normado platform

€49 – €299 / month
Audit-ready in weeks
  • AI-generated policies tailored to your org in minutes
  • Gap analysis, risk register, and controls all in one place
  • Evidence management with expiry tracking built in
  • Always current — new frameworks and requirements rolled out automatically
  • Your team owns the system, always audit-ready

Frequently asked

DORA questions we hear most

Does DORA apply to my company?
DORA applies to 20+ types of financial entity in the EU — banks, investment firms, payment institutions, e-money institutions, crypto-asset service providers, insurance undertakings, and more. It also applies to critical ICT third parties serving those entities. If you provide software, hosting, or data services to a regulated EU financial institution, you are likely in scope indirectly through Article 30 contract requirements.
When did DORA come into force?
DORA was adopted on 14 December 2022 and became fully applicable on 17 January 2025. All in-scope entities should already be complying. Regulators (ECB, national competent authorities) are now actively supervising and have begun inspections.
What is TLPT and do I need it?
Threat-Led Penetration Testing (TLPT) is DORA's advanced red-team testing requirement. Only significant entities designated by their competent authority must perform TLPT — typically large banks, systemic investment firms, and critical infrastructure providers. If you are a small or mid-sized financial entity, TLPT is generally not required, though standard penetration testing under Article 24 still applies.
How does DORA relate to NIS2?
NIS2 and DORA overlap but DORA takes precedence (lex specialis) for financial entities. If you are a financial institution covered by DORA, you comply with DORA — not NIS2 — for ICT risk. If you have subsidiaries outside financial services (e.g. a tech arm), those may still fall under NIS2 separately.
Is my data stored in the EU?
Yes. All Normado infrastructure runs on EU servers (Supabase EU/Ireland region). Your ICT risk data, third-party registers, policies, and evidence never leave EU jurisdiction — matching DORA's data locality expectations for financial entities.
Does Normado also cover other frameworks?
Yes — all Normado-supported frameworks are available in Professional and Enterprise tiers. One control implemented once often satisfies multiple frameworks simultaneously.

Start your DORA readiness today

Join the waitlist and be the first to get access. First 100 customers get all Enterprise features at €49/mo for year one.

No credit card required. Cancel anytime.
