EU Regulation · Financial sector
DORA compliance, continuously monitored
The Digital Operational Resilience Act has applied since 17 January 2025 — but the obligations keep moving as the European Supervisory Authorities (ESAs) publish new technical standards. Kalipso tracks every change, maps it to your ICT risk framework, and shows you exactly what still needs to be done.
What is DORA?
The Digital Operational Resilience Act (Regulation (EU) 2022/2554, “DORA”) is the EU’s single rulebook for the digital operational resilience of the financial sector. It harmonises requirements that were previously scattered across national regimes and sector guidelines into one directly applicable regulation.
DORA has applied since 17 January 2025. It is not a one-off implementation project: the European Supervisory Authorities (EBA, ESMA and EIOPA) continue to issue Regulatory and Implementing Technical Standards (RTS/ITS) that refine what compliance means in practice, and supervisors are now actively examining firms against it.
What DORA requires
ICT risk management framework
A documented, board-owned framework covering identification, protection, detection, response and recovery for all ICT-supported functions.
ICT incident management & reporting
Classify ICT-related incidents against the regulatory criteria and report major incidents to your competent authority within the mandated windows.
Digital operational resilience testing
A risk-based testing programme, including threat-led penetration testing (TLPT) for significant entities.
ICT third-party risk management
Maintain the register of information, assess concentration risk, and ensure contracts contain the mandatory DORA clauses.
Information sharing
Arrangements for sharing cyber threat intelligence with other financial entities, where appropriate.
How Kalipso helps with DORA
Never miss a standard
Kalipso’s Regulatory Radar tracks DORA itself plus every RTS, ITS, guideline and Q&A from the ESAs and your national competent authority — the moment each one is published.
From text to obligation
Each update is parsed into the concrete obligations it creates or changes, ranked by how much it affects your firm — not a raw feed you have to read end to end.
Gap analysis against your controls
Map DORA’s requirements to your existing ICT risk framework and policies, and surface exactly where documentation or controls fall short.
Audit-ready evidence
Every decision, owner and remediation step is logged, so you can show supervisors a defensible trail rather than reconstructing it under pressure.
“Kalipso replaced days of manual horizon scanning with a prioritised list of what actually affects us — and the evidence trail our auditors ask for.”
Frequently asked questions
When did DORA come into force?
DORA entered into force on 16 January 2023 and has applied since 17 January 2025. Compliance is now actively supervised, and the technical standards underpinning it continue to evolve.
Does DORA apply to my ICT providers?
Yes. DORA extends to ICT third-party service providers, and those designated as “critical” are subject to direct EU oversight. Financial entities remain responsible for the third-party risk management requirements, including the register of information and mandatory contractual clauses.
How does Kalipso keep DORA compliance current?
Kalipso continuously monitors the regulation and all related technical standards, guidelines and Q&As, converts each change into the obligations it affects, and flags the gaps against your framework — so your programme stays current without manual horizon scanning.
See Kalipso on your obligations
Request a walkthrough and we will show you how Kalipso monitors regulatory change, maps it to your obligations and tracks every gap to closure — on your own regulatory scope.
