Since January 2025, financial entities and ICT service providers have been required to comply with the Digital Operational Resilience Act (DORA). Learn how to efficiently implement vulnerability management, resilience testing and audit-ready compliance evidence.
Free Initial DORA ConsultationReading time: 8 minutes
The Digital Operational Resilience Act (DORA) is EU Regulation (EU) 2022/2554 and has been fully applicable since 17 January 2025. It requires financial entities and their critical ICT service providers to systematically build and demonstrate resilience against cyberattacks and ICT disruptions. For the first time, DORA harmonizes ICT risk management requirements across the EU financial sector and replaces national frameworks such as BAIT, VAIT and KAIT as the primary benchmark.
The regulation applies directly in all EU Member States without requiring national transposition legislation. In Germany, BaFin acts as the central reporting hub for ICT-related incidents and has actively conducted special audits under Section 44 of the German Banking Act (KWG) to assess DORA implementation since 2025.
DORA complements other European cybersecurity frameworks such as the NIS2 Directive and the Cyber Resilience Act, while placing a particular focus on ICT risk management, resilience testing and the secure operation of digital financial services.
DORA applies to financial entities and critical ICT service providers delivering digital services to the financial sector.
DORA applies to more than 22,000 financial entities and ICT service providers across the European Union. The regulation follows the principle of proportionality: smaller institutions are subject to a simplified ICT risk management framework, while significant institutions such as major banks and systemically important insurers must meet more stringent requirements, including mandatory Threat-Led Penetration Testing (TLPT).
DORA affects financial entities such as banks, insurers and payment service providers, as well as critical ICT service providers across the digital supply chain.
DORA structures its requirements into five key areas. Financial entities must demonstrate compliance with all five pillars. Areas where vulnerability management plays a direct role are highlighted below.
DORA structures digital resilience requirements into five pillars that together establish a comprehensive ICT risk management framework.
DORA has been fully applicable since 17 January 2025. BaFin is actively reviewing implementation efforts: by the end of 2025, more than 600 ICT-related incidents had already been reported and several special audits had been initiated. From 2026 onwards, supervisory authorities increasingly expect data-driven evidence of operational resilience rather than policy documentation alone.
DORA has been fully applicable since January 2025. Supervisory authorities increasingly expect reliable evidence of digital resilience.
Vulnerability management is at the core of DORA’s ICT risk management and resilience testing requirements. Greenbone directly supports Articles 9, 10 and 28 with a proven ISO-certified scanning infrastructure and audit-ready reporting.
Continuous vulnerability management supports key DORA requirements, including risk management, resilience testing and audit-ready evidence.
What is DORA and who does the regulation apply to?
The Digital Operational Resilience Act (DORA) is EU Regulation (EU) 2022/2554 and has been fully applicable since 17 January 2025. It requires more than 22,000 financial entities and critical ICT third-party providers across the EU to systematically build and demonstrate resilience against cyberattacks and ICT disruptions. This includes banks, insurance companies, investment firms, payment service providers, crypto-asset service providers and their ICT suppliers.
Does DORA also apply to ICT service providers that supply financial institutions?
Yes. DORA explicitly covers critical ICT third-party providers, not just financial institutions themselves. If your organization operates systems, software or services for banks, insurers or investment firms, you are likely within DORA’s scope. The designation as a critical ICT third-party provider is determined by supervisory authorities.
Is an annual penetration test sufficient to meet DORA requirements?
No. DORA requires continuous vulnerability assessments rather than periodic spot checks. Threat-Led Penetration Tests (TLPTs) are an additional requirement for significant institutions and must be conducted at least every three years in accordance with the TIBER-EU framework. However, they do not replace ongoing vulnerability management, which is necessary to satisfy the baseline requirements set out in Articles 9 and 10.
How does DORA differ from NIS2?
NIS2 is a broad cybersecurity directive for critical sectors and must be transposed into national law. DORA is a directly applicable regulation focused exclusively on the financial sector and imposes far more detailed requirements for ICT risk management, incident reporting, resilience testing and third-party risk oversight. For financial organizations that fall under both frameworks, DORA takes precedence within its specific scope.
What penalties can be imposed for non-compliance with DORA?
Supervisory authorities may impose fines of up to €10 million or 5 percent of global annual turnover. For critical ICT third-party providers, the maximum penalty is €5 million or 2 percent of worldwide annual turnover. Additional consequences may include operational restrictions and reputational damage. BaFin has already initiated active special audits since 2025.
How quickly can OPENVAS SCAN be integrated into existing ICT environments?
Deployment is typically completed within a matter of hours. OPENVAS SCAN supports standard network topologies, segmented environments and hybrid cloud architectures. Greenbone offers both on-premises and cloud-based deployment options, each providing full data sovereignty and independence from US-based cloud infrastructures.
How does DORA relate to the Cyber Resilience Act (CRA)?
The Cyber Resilience Act applies to manufacturers, importers and distributors of digital products across industries. DORA is a sector-specific regulation focused exclusively on the financial sector and governs the operation and risk management of ICT systems. The two frameworks complement one another: financial organizations that also develop or market digital products may fall within the scope of both regulations. → Learn more about the Cyber Resilience Act.
DORA has been in force since January 2025, and BaFin is actively reviewing implementation efforts. Talk to our experts today and discover how OPENVAS SCAN and OPENVAS SECURITY INTELLIGENCE can strengthen your DORA vulnerability management program, whether deployed on premises or in the cloud.
