DORA ICT Risk Applicability Checker

Find your ICT risk duties under the EU Digital Operational Resilience Act

Select a financial entity type — bank, payment institution, insurer, crypto-asset service provider, or ICT third-party provider — to check DORA scope under Regulation (EU) 2022/2554, see whether the full or simplified framework applies, and list the five pillars of obligation. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

When did DORA start to apply?

The Digital Operational Resilience Act, Regulation (EU) 2022/2554, has applied since 17 January 2025. It harmonises ICT and cyber-resilience rules across the EU financial sector, replacing a patchwork of sectoral guidance with a single binding regime.

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, sets a single ICT and cyber-resilience rulebook for the EU financial sector and applies from 17 January 2025. This checker maps your entity type to its DORA scope, tells you whether the full or simplified framework applies, and lists the obligations that follow.

How it works

Scope is driven by entity type. Most regulated financial entities are in scope; a few micro and small intermediaries are excluded, and a band of small, non-interconnected entities may use the simplified ICT risk framework under Article 16:

In scope (full):       banks, payment/e-money institutions, insurers, CASPs,
                       CSDs, CCPs, trading venues, fund managers
In scope (simplified): small non-interconnected investment firms, small IORPs,
                       crowdfunding providers
ICT provider:          oversight only if designated a Critical ICT Third-Party Provider
Excluded:              micro/SME insurance intermediaries, IORPs under 100 members

For in-scope entities the tool then lists DORA’s five pillars and marks which items are reduced under the simplified regime.

The five DORA pillars in detail

Pillar 1 — ICT risk management. Entities must maintain an ICT risk management framework with board oversight, a digital operational resilience strategy, and documented policies for identifying, protecting against, detecting, responding to, and recovering from ICT-related incidents. The simplified framework (Article 16) allows a lighter version of this for qualifying entities.

Pillar 2 — ICT incident management and reporting. Entities must classify ICT-related incidents and report major incidents to the relevant national competent authority (NCA) within defined deadlines: an initial notification within 4 hours, an intermediate report within 72 hours, and a final report within one month. Cyber threats that did not materialise into incidents may be reported voluntarily.

Pillar 3 — Digital operational resilience testing. Most in-scope entities must carry out annual basic testing (vulnerability assessments, scenario-based tests). Significant institutions designated by competent authorities must also conduct threat-led penetration testing (TLPT) every three years under the TIBER-EU framework. TLPT is not required under the simplified framework.

Pillar 4 — ICT third-party risk management. Entities must maintain a register of all ICT third-party providers, assess the risk they pose, and ensure contracts include specific clauses on service level, audit rights, subcontracting, and exit. Critical functions may not be outsourced without heightened controls.

Pillar 5 — Information sharing. DORA encourages voluntary sharing of cyber threat intelligence among financial entities through arrangements or platforms. The simplified framework does not require participation in formal sharing arrangements.

Full vs simplified framework comparison

ObligationFull frameworkSimplified (Art. 16)
ICT risk management frameworkFull documentationLighter policy framework
Incident classification and reportingRequiredRequired
Annual basic testingRequiredRequired
Threat-led penetration testing (TLPT)Required for designated entitiesNot required
Third-party register and contract requirementsFull requirementsProportionate requirements
Information sharingEncouragedNot mandated

Practical notes

A small, non-interconnected investment firm is in scope but can run the simplified Article 16 framework, so its testing and information-sharing duties are lighter than a large bank’s full programme. A major cloud provider is not a financial entity and only faces direct DORA oversight if it is designated critical — otherwise it meets DORA through the contracts its financial clients are required to put in place. Exact proportionality depends on precise size and interconnectedness thresholds, so treat this as an educational screening and confirm borderline cases with your regulator or counsel. All processing stays in your browser.