Framework hub

DORA

DORA applies to EU financial entities and their ICT third-party providers, including cloud, SaaS, data analytics, and security vendors.

EU baseline

If you are established in the EU, operate in the EU, or place this product or service on the EU market, treat this as a first-order compliance check. Non-EU reach language means that entities outside the EU can also be covered, not that EU companies fall outside scope.

Review scope

Focus 1

ICT risk management

Articles 5-15 cover governance, risk controls, protection, detection, and recovery.

Focus 2

Incident reporting

Articles 17-23 cover ICT-related incident classification and reporting.

Focus 3

Resilience testing

Articles 24-27 cover testing and threat-led penetration testing.

Focus 4

Third-party ICT risk

Articles 28-44 cover provider oversight and contractual controls.

Focus 5

Luxembourg CSSF layer

CSSF circulars are tracked for Luxembourg financial entities.
