Regulation (EU) 2022/2554

DORA asks financial firms to prove they can take an ICT hit and keep running. Rizzqo makes that resilience something you operate — and test.

DORA holds financial entities to five pillars: ICT risk management, incident reporting, resilience testing, third-party risk and information sharing — all owned by the management body. Rizzqo anchors those pillars in your real systems and ICT providers — so a supervisory review meets a working programme, not a binder.

5pillars of digital operational resilience
24hinitial notification for a major ICT incident
Jan 2025applicable since 17 January
Who is in scope

Financial entities and a simplified regime

DORA applies directly to financial entities across the EU — from banks and payment firms to insurers, investment firms and crypto-asset providers. Most run the full ICT risk-management framework; smaller, less complex entities may use a simplified one. Select a class to see what it means for you.

Standard regime

Full framework entities

The complete ICT risk-management framework

Most financial entities: credit institutions, payment and e-money institutions, investment firms, insurers, market infrastructures and crypto-asset service providers run the full framework.

What this class means
  • Banking, payments, investment, insurance, markets and crypto-asset services
  • A documented ICT risk-management framework, reviewed at least yearly
  • Resilience testing, and threat-led penetration testing for significant entities
  • Major-incident reporting and a register of ICT third-party arrangements

Financial entities covered

DORA reaches across the financial sector rather than a list of infrastructure sectors. Alongside the entities themselves, critical ICT third-party service providers — cloud, data and software vendors that finance depends on — fall under direct EU oversight.

Financial entities

The regulated firms that must run the ICT risk-management framework.

Credit institutionsPayment institutionsE-money institutionsInvestment firmsCrypto-asset service providersInsurance & reinsuranceInsurance intermediariesTrading venuesCentral counterpartiesCentral securities depositoriesCredit rating agenciesCrowdfunding providers

ICT third-party providers

Technology providers finance relies on; the critical ones face direct EU oversight.

Cloud service providersData analytics providersSoftware providersManaged IT servicesData centre providers
The five pillars

The building blocks DORA expects

DORA is organised around five pillars, broken into concrete obligations every financial entity must implement on the systems it runs and the providers it relies on. With Rizzqo, the framework is something you can see across your real systems and providers — not something you assert.

Art. 6

ICT risk-management framework

A documented framework with strategies, policies and tools to protect all ICT assets, reviewed at least once a year.

Art. 17–19

Incident management & reporting

A process to detect, classify and report ICT-related incidents, with major-incident notifications to the competent authority.

Art. 11–12

Response & continuity

ICT business-continuity and response plans so critical functions keep running and recover through disruption.

Art. 28

ICT third-party risk

Manage risk from ICT providers end to end, with key contractual terms and a register of all outsourcing arrangements.

Art. 24–26

Resilience testing

A testing programme across the estate, including threat-led penetration testing for entities identified as significant.

Art. 10

Detection & monitoring

Mechanisms to promptly detect anomalous activity, ICT network performance issues and potential single points of failure.

Art. 13

Awareness & training

Digital operational resilience awareness programmes and training built into the ICT risk-management framework.

Art. 9

Protection & prevention

Policies, controls and encryption that protect the confidentiality, integrity and availability of ICT systems and data.

Art. 5

Governance & accountability

The management body owns and is accountable for the framework, approves it, oversees it and keeps its knowledge current.

Art. 12 / 45

Backup & information sharing

Backup, restoration and recovery procedures, plus arrangements to share cyber-threat information with peers.

Major-incident reporting

A major ICT incident opens a supervisor-facing clock

When an ICT-related incident is classified as major, DORA sets a staged reporting timeline to the competent authority. Rizzqo keeps you ready to meet every stage on time, with the incident’s context already to hand.

On detectionFirst
Classification

Classify the incident

Assess the incident against DORA’s criteria — clients affected, duration, data losses, geographic spread — to decide whether it is major.

24 hoursThen
Initial notification

Initial notification

Once classified as major, an initial notification to the competent authority, no later than 24 hours after becoming aware.

72 hoursFinally
Intermediate report

Intermediate report

Within 72 hours of the initial notification, an update on status, impact and the handling and recovery in progress.

1 monthFinally
Final report

Final report

Within one month, a final report with root cause, remediation applied and the lessons taken from the incident.

DORA as a resilience programme

Anchored to your critical functions and their dependencies

Resilience is only real if it maps to what your services actually run on — not a generic checklist. Rizzqo grounds your DORA programme in the systems and ICT providers behind your critical functions, so what you show a supervisor is the live state, not a point-in-time binder.

01

Requirements linked to real assets

Your DORA programme is built on the systems and ICT providers you actually depend on — not a generic checklist that ignores how you really run.

  • Grounded in the systems you actually depend on
  • See where you really stand, pillar by pillar
  • Risk in real money, not a heat-map colour
02

Owner-routed, evidence at the source

Every requirement has a clear owner and stays backed by current evidence as teams do the work — so the estate is audit-ready, not reconstructed before a supervisory review.

  • Clear ownership on every requirement
  • Evidence stays current, not reconstructed
  • ICT third-party register kept up to date
03

An incident workflow against the clock

When an incident is major, the clock starts. Rizzqo keeps the 24-hour, 72-hour and one-month reports ready to file, with the context already in place — so each one is filed on time, not improvised.

  • 24h, 72h and one-month deadlines tracked
  • Incident context ready, not gathered under pressure
  • Initial, intermediate and final reports on tap

DORA starts from your ISMS, then goes further

An ISO 27001 ISMS already carries much of DORA’s ICT risk-management framework — risk analysis, access control, encryption, supplier management. Rizzqo builds on that work and adds what DORA asks beyond it: resilience testing, a register of ICT third parties, and staged incident reporting.

Prove resilience before the supervisor asks.

Ground the five pillars in your real systems and ICT providers, and walk into a supervisory review with a live programme — not a binder.

Five pillars mappedOwner-routed on real assetsMajor-incident reporting on tap

DORA questions, answered