DORA ICT risk and third-party compliance
how financial entities meet Articles 5-30 on resilience, testing and ICT supplier risk
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) has applied to EU financial entities since 17 January 2025. It mandates a documented ICT risk-management framework (Articles 5-6), continuous vulnerability identification (Article 8), digital operational resilience testing including threat-led penetration testing (Articles 24-27), and ICT third-party risk management with a register of information and mandatory contractual provisions (Articles 28-30).
This page explains, article by article, what DORA actually requires and how to build the technical evidence to satisfy supervisors. Governance and contract clauses are the entity's responsibility; this guide stays vendor-neutral and flags where automated application and supply-chain tooling genuinely reduces the work.
A single rulebook for financial-sector operational resilience
DORA replaces a patchwork of national ICT-risk expectations with one directly applicable EU regulation. It covers roughly 20 categories of financial entity, from banks, insurers and investment firms to payment institutions and crypto-asset service providers, plus the critical ICT third-party providers they depend on. National implementations such as Germany's BAIT have largely been folded into DORA, so the same framework now drives supervisory expectations across the bloc.
The regulation is built on five pillars: ICT risk management (Art 5-16), incident reporting (Art 17-23), digital operational resilience testing (Art 24-27), ICT third-party risk (Art 28-44), and information sharing (Art 45). Much of the detail lives in Regulatory and Implementing Technical Standards adopted by the ESAs, which set out the register of information template, TLPT methodology and incident classification thresholds.
Most of DORA is governance and oversight, which sits with the management body and cannot be bought from a vendor. But several articles demand concrete technical evidence: that vulnerabilities are continuously identified, that systems are tested for resilience, and that the components and suppliers behind ICT services are understood. Those are the points where security tooling does real work.
Find it before attackers do. Catch it if they try. Fix it fast.
Across these requirements, O3 runs one continuous loop on your own software so issues surface, get caught, and get fixed before they become an incident.
Test like an AI-assisted attacker
An agentic pentest probes your app across 50+ vulnerability classes the way a real attacker chains them, so exploitable flaws surface in your build before someone outside finds them.
Detect and block exploitation at runtime
A kernel-level eBPF agent watches process trees and syscalls, recognises an attack sequence as it unfolds, and restricts the offending process on the spot rather than taking down the host.
Auto-patch what is reachable
Reachability ranks what genuinely matters, then autofix opens a pull request with the change, so remediation starts inside tight fix windows instead of sitting in a queue.
How to build a DORA ICT risk-management framework
Articles 5 and 6 require a sound, comprehensive and well-documented ICT risk-management framework, owned and approved by the management body and reviewed at least annually. It must cover strategies, policies, procedures and tools to protect all information and ICT assets.
How to continuously identify ICT vulnerabilities under DORA
Article 8 requires entities to identify, classify and document all ICT-supported business functions, the assets behind them, and the sources of ICT risk, including vulnerabilities and threats. Risk assessment must be performed regularly and on any major change.
O3 maps directly here: SAST with source-to-sink taint analysis, SCA against OSV, and function-level reachability identify and rank which vulnerabilities are actually exploitable, while EPSS and KEV signals prioritise the findings that matter for material business functions.
How to meet DORA protection and detection requirements
Article 9 covers protection and prevention, and Article 10 covers detection. Together they require continuous monitoring of ICT systems, mechanisms to detect anomalous activity, and controls that minimise the impact of ICT risk.
O3's eBPF runtime agent (kayo) builds kernel-level process trees and detects attack chains with no sidecars, and its L7 deep packet inspection (ecapture) baselines egress to flag exfiltration and DNS-tunnel activity, supporting the continuous detection duty in Article 10.
How to run DORA digital operational resilience testing and TLPT
Articles 24-27 require a risk-based testing programme. Every entity must test ICT tools and systems regularly; significant entities must additionally undergo threat-led penetration testing (TLPT) at least every three years, following the TIBER-EU-aligned methodology in the regulatory technical standards.
O3's agentic DAST and pentest engine covers 50+ vulnerability classes and supports the vulnerability assessment, scanning and penetration-testing components of the Article 25 baseline; full TLPT remains a scoped engagement led by qualified red-team testers.
How to manage DORA ICT third-party risk
Articles 28-30 govern ICT third-party risk. Entities must only contract with providers meeting appropriate information-security standards, maintain a register of information on all contractual arrangements (Art 28), assess concentration risk (Art 29), and ensure contracts contain the mandatory provisions (Art 30).
O3 generates CycloneDX xBOMs (SBOM with deps.dev and VEX, plus CBOM, QBOM, AIBOM and HBOM) and detects malicious dependencies such as typosquats and compromised maintainers, giving evidence of the components inside third-party and self-built ICT services that feeds supplier risk assessment.
How to meet DORA ICT incident management and reporting
Articles 17-23 require a process to detect, manage, classify and report ICT-related incidents. Major incidents must be reported to the competent authority following the classification criteria and timelines set in the technical standards.
O3's eBPF runtime agent and L7 egress monitoring help detect intrusions and exfiltration early and reconstruct the attack chain, supporting the detection and root-cause analysis that incident classification under Article 18 depends on.
How to satisfy DORA backup, response and recovery duties
Articles 11 and 12 require ICT business continuity policies, response and recovery plans, and backup and restoration procedures with defined recovery objectives, regularly tested.
Every DORA duty, mapped to how you meet it
All 23 requirement areas, each with the reference and a vendor-neutral note on how teams meet it.
Build the technical evidence DORA supervisors ask for
O3 Security covers the testable, technical side of DORA: continuous vulnerability identification with reachability ranking for Article 8, agentic DAST and pentesting for the Article 25 baseline, CycloneDX xBOMs and malicious-dependency detection for ICT third-party assurance under Articles 28-30, and eBPF runtime detection for continuous monitoring under Article 10. Governance and contracts stay yours; we make the evidence defensible.
Read it on EUR-LexSee O3 Security in Action
See why security and engineering leaders trust O3
to secure their entire software supply chain.