DORA — Digital operational resilience.
EU Regulation 2022/2554.
In force since January 17, 2025. Applies to 22,000+ European financial entities and their critical ICT providers. Itamite covers the ICT risk management, incident management, and resilience testing pillars, with signed evidence for national supervisory authorities.
Who does DORA apply to?
Financial entities: banks, savings banks, EMI/PI, insurers and reinsurers, asset managers (UCITS, AIFM), investment firms, market infrastructures (CCP, CSD), crypto-asset providers (CASPs), payment service providers (PSPs), rating agencies, pension funds, alternative managers, PEPP providers.
And particularly important: critical ICT providers serving financial entities (cloud, data centers, MSPs, regulated software). If your company provides IT services to banking/finance, DORA may apply to you directly.
Fines: up to €10M or 5% of worldwide annual revenue, whichever is greater. For serious infringements, possible exclusion from the registry of authorized ICT providers, leading to provider bankruptcy.
What Itamite covers
Pillar 1: ICT risk management (Art. 5-15)
Itamite provides a complete ICT asset inventory (Art. 8), critical function identification, continuous risk analysis via measured posture (Art. 9), protection and prevention (encryption, patches, AV; Art. 9), continuous detection (Art. 10), continuity management (Art. 11), and data-driven learning and evolution.
Pillar 2: ICT incident management (Art. 17-23)
Hash-chain immutable audit as incident evidence. Automatic severity classification. Initial notification 4h after detection, intermediate 72h, final 1 month; Itamite provides a verifiable technical timeline. SIEM integration for authority reports.
Pillar 3: Resilience testing (Art. 24-27)
Annual basic tests (vulnerability assessment, scenario testing). For significant entities: TLPT (Threat-Led Penetration Testing) every 3 years. Itamite provides inventory and data to define testing scope and verify subsequent remediation.
Pillar 4: Third-party ICT risk (Art. 28-44)
Information register on all contractual agreements with ICT providers. Itamite is an ICT provider: we deliver standard DORA-ready contractual documentation (Art. 30 clauses, exit strategy, audit rights, sub-contracting).
Pillar 5: Information sharing (Art. 45)
Optional capabilities for threat intelligence sharing with other entities. Itamite exposes API + webhooks for integration with sharing platforms (FS-ISAC, EU-FSF).
Itrion as DORA-ready ICT provider
For financial customers: specific contracts compliant with Art. 30, covering critical functions description, EU processing location, on-site audit rights, quantitative service levels (SLA), orderly exit with assisted migration, and pre-approved sub-contractors.
DORA questions
Who supervises DORA compliance?
When am I declared a critical ICT provider?
Is Itrion Software a DORA critical ICT provider?
How long does DORA compliance take?
Financial sector subject to DORA
Enterprise demo with real banking/insurance case + access to DORA-ready contracts.