TL;DR: The Digital Operational Resilience Act (DORA) has applied to all EU financial institutions since Jan. 17, 2025, and reaches their ICT service providers through mandatory contract terms and, for designated critical providers, direct EU supervision. It establishes five pillars: ICT risk management, incident reporting, resilience testing, third-party risk management and information sharing. Belgian SMEs that provide ICT services to banks or insurers are therefore indirectly covered by DORA.
Your bank, insurer or investment firm has had to comply with DORA since January 2025. But did you know that your ICT supplier is also affected? The Digital Operational Resilience Act changes the rules of the game for the entire chain around the financial sector, including the thousands of Belgian SMEs that provide software, hosting or cloud solutions to financial institutions. In this article you can read what the DORA legislation means in concrete terms, who is affected and how to prepare.
What is DORA?
DORA (Regulation (EU) 2022/2554) is a European regulation that strengthens the digital operational resilience of the financial sector. Unlike the NIS2 Directive, DORA is a regulation: it applies directly in all EU member states without national transposition. As of Jan. 17, 2025, all financial entities must be fully compliant, and their ICT service providers must meet the requirements that DORA obliges financial entities to pass on contractually.
The goal? Transform cybersecurity from a purely technical issue to a core part of financial supervision. As regulators, the National Bank of Belgium (NBB) and the FSMA monitor compliance.
The 5 pillars of DORA
DORA is built around five pillars that together should ensure the digital resilience of financial institutions. Each pillar imposes concrete obligations, from governance to technical testing.
1. ICT risk management and governance
Financial institutions must establish a complete ICT risk management framework that is reviewed at least once a year. The management body (the Board of Directors) is directly accountable. Directors can no longer delegate responsibility to the CTO or CISO: they themselves must follow regular training on ICT risks. Specifically, this includes a complete inventory of ICT assets, strict access management, continuous monitoring and tested recovery plans for cyber incidents.
2. Incident management and reporting
DORA replaces the fragmented notification requirements (such as those under PSD2) with one harmonized process for major ICT-related incidents. The notification deadlines are particularly short:
- Initial notification: within 4 hours of classifying the incident as major, and at the latest 24 hours after becoming aware of it
- Intermediate report: within 72 hours of the initial notification
- Final report: within 1 month of the intermediate report, including root-cause analysis
For Belgian banks and insurers, reporting is done through the NBB’s OneGate platform.
3. Digital operational resilience testing
Institutions must prove that their defenses are working. That goes beyond an annual cybersecurity audit. DORA requires that all ICT systems supporting critical or important functions are tested at least once a year, with tests such as vulnerability assessments and penetration tests. For systemically important institutions (such as the eight Belgian O-SII banks, including BNP Paribas Fortis, KBC and Belfius), a Threat-Led Penetration Test (TLPT) is added at least every three years.
4. ICT third-party risk management
This is the pillar that also affects SMEs. Financial institutions remain fully responsible for their compliance even if they outsource ICT services. They must maintain a register of information on all their ICT service providers, submit it to the supervisor at least annually, and perform due diligence on each supplier (financial soundness, security standards and reputation) before contracting. The first registers were collected by the national supervisors and forwarded to the European Supervisory Authorities by April 30, 2025.
5. Information exchange
DORA encourages financial institutions to share threat information among themselves through trusted communities (ISACs). Think Indicators of Compromise, attack techniques and lessons learned from incidents. This pillar is largely voluntary, but strongly encouraged by the NBB and FSMA.
Who is covered by DORA in Belgium?
DORA applies to 21 types of financial entities: banks, insurers, investment firms, payment institutions, pension funds, crowdfunding platforms and more. In Belgium, more than 300 direct entities are estimated to be covered by the regulation.
But the impact extends further. Any ICT service provider that supports a critical or important function of a financial institution falls indirectly under DORA, through the contractual requirements its client must impose. Think software vendors, cloud and hosting providers, payment platform providers or custom software developers.
At the European level, the first 19 critical ICT third-party service providers (CTPPs) were designated in November 2025 and now come under direct supervision by the European Supervisory Authorities. For Belgium, SWIFT and Euroclear are on that list, alongside hyperscalers such as AWS and Microsoft Azure.
What is the difference between DORA and NIS2?
Many Belgian companies wonder how DORA relates to NIS2. The core principle: DORA is the sector-specific law for the financial sector and, as lex specialis, takes precedence over the general NIS2 rules for ICT risk management and incident reporting.
| Criterion | DORA | NIS2 |
|---|---|---|
| Type of legislation | Regulation (directly binding) | Directive (Belgian law of April 26, 2024) |
| Focus | Operational resilience financial sector | General cybersecurity critical infrastructure |
| Target Group | 21 types of financial entities + ICT providers | Essential and important entities in 18 sectors |
| Incident reporting time | Initial notification within 4 hours of classification as major (at the latest 24 hours after awareness) | Early warning within 24 hours |
| Testing requirements | Yearly testing of critical systems (incl. pen tests) + TLPT every 3 years | Regular risk assessments |
| Regulator (BE) | NBB and FSMA | CCB (Centre for Cybersecurity Belgium) |
| Provider oversight | Direct EU supervision of critical providers | Chain security mandatory, no direct oversight |
Can a company fall under both? Yes. For a financial institution, however, the ICT risk management and incident reporting obligations of DORA apply instead of those of NIS2. Are you an ICT service provider that supplies both financial and non-financial clients? Then you may fall under both regimes: DORA contractually via your financial clients, and NIS2 directly if your own activity is in scope. Read more about NIS2 in our complete NIS2 guide for Flemish companies.
Threat-Led Penetration Testing as a DORA obligation
One of the most technically demanding parts of DORA is the Threat-Led Penetration Test (TLPT). This is not a standard pen test: it is a simulated attack by a specialized red team, built on actual threat intelligence about the institution, that tests the organization's detection and response capabilities on live production systems.
In Belgium, this framework is managed by the TIBER-BE team at the National Bank of Belgium. A test performed according to TIBER-BE generally meets the DORA TLPT requirements. Whereas TIBER-BE was previously voluntary, DORA makes a TLPT mandatory for the entities identified by the competent authority (in practice the systemically important institutions), with the first test cycle to be completed no later than Jan. 17, 2028.
For entities that are not identified for TLPT, the general testing programme applies: yearly testing of the systems that support critical or important functions, for which a regular penetration test is typically the core component. Wondering what that costs? Read our article on pen test costs in Belgium.
Does your SME fall under DORA as an ICT service provider?
If your SME provides software, hosting, cloud solutions or other IT services to a bank, insurer or payment institution, DORA affects you, even though you are not directly supervised. Financial institutions are required by law to amend their contracts ("repapering"), and those contracts will pass DORA's strict requirements on to you.
The mandatory contractual provisions (Article 30 of DORA) that your financial client must include cover, among other things, a full description of your services and their locations, unrestricted audit, inspection and access rights for the client and its supervisors, strict incident reporting and cooperation obligations, and a tested exit strategy.
That exit strategy in particular weighs heavily on SMEs. You must demonstrate that your client can migrate to another vendor (or bring the service in-house) within a reasonable period, without vendor lock-in, and with guaranteed continuity during the transition.
Specifically, what can you do?
- Map which of your customers are covered by DORA and which of your services support a critical or important function for them
- Make sure your contracts contain the mandatory Article 30 provisions
- Have a gap analysis performed to check your technical compliance
- Document your incident management and reporting procedure, including how you notify the client within the short DORA deadlines
- Prepare an exit strategy based on open standards and portable data formats
Sanctions for non-compliance: DORA itself does not fix a fine amount for financial institutions; administrative penalties are set in national law and imposed by the NBB and FSMA (figures of up to 2% of annual global turnover are commonly cited). For ICT service providers designated as critical (CTPPs), the European Supervisory Authorities can impose periodic penalty payments of up to 1% of average daily worldwide turnover per day of non-compliance, for up to six months. As of early 2026, no large-scale DORA fines had yet been imposed in the EU, but regulators are in a phase of intensive supervision.
Frequently asked questions about DORA
Does DORA apply to my SME?
If you provide IT services to a financial institution and that service supports a critical or important function, you are indirectly subject to DORA. Your client is required to pass the DORA requirements on to you contractually.
What if I provide ICT services to a bank?
Then your contract must contain the provisions required by Article 30 of DORA. Your client will ask you for audit and access rights, incident reporting obligations and an exit strategy.
What are the penalties for non-compliance with DORA?
For financial institutions, the fines are set in national law and imposed by the NBB and FSMA; figures of up to 2% of global annual turnover are commonly cited. Critical ICT service providers (CTPPs) risk periodic penalty payments of up to 1% of their average daily worldwide turnover per day of non-compliance.
How does DORA compare to NIS2?
DORA is the sector-specific law for the financial sector and takes precedence over NIS2 for ICT risk management and incident reporting. If you provide services to both financial and non-financial clients, you may fall under both.
When should my organization be DORA compliant?
DORA has been fully applicable since Jan. 17, 2025. All financial entities had to be compliant by that date; their ICT service providers are bound through the contracts those entities must update, and the ICT providers designated as critical (CTPPs) come under direct EU supervision from their designation onward.
Next steps: how Cyberplan supports you
Whether you are a financial institution that needs to meet the testing requirement, or an ICT service provider that needs to become DORA compliant: Cyberplan helps you with the technical side, from penetration testing and cybersecurity audits to gap analyses and incident response plans.
Would you like to know where your organization stands in relation to DORA? Book a no-obligation introductory meeting and find out how we support you concretely.