EU Operational Resilience | Post-DORA Services | T3

Risk & Regulation 360°

EU Operational Resilience

Post-DORA compliance, CTPP oversight readiness, and integrated resilience frameworks for regulated financial services.

  • DORA-compliant ICT risk management and CTPP concentration risk
  • Register of Information accuracy and incident reporting readiness
  • Board-ready attestation and 2026 supervision readiness

⚠ REGULATORY ALERT — 18 NOVEMBER 2025

ESAs Publish First Official List of Critical ICT Third Party Providers

This triggers direct oversight of designated CTPPs and fundamentally changes how firms must manage concentration risk, contractual provisions, and exit planning.

Integrated Operational Resilience Framework & Assurance

In an era marked by compounding systemic shocks, regulatory complexity, and increasing digital interdependence, operational resilience must evolve from a siloed compliance exercise into an integrated, strategic discipline.

At T3, we approach Integrated Operational Resilience (IOR) as the connective tissue between risk domains—blending cyber preparedness, third-party oversight, AI risk governance, and capital impact forecasting into a unified framework.


Cross-Jurisdictional Regulatory Alignment

Regulators have converged on the same core ask: map critical services, set & test impact tolerances, and evidence board-level assurance annually.

Our approach builds resilience into the DNA of your critical business services—anchored in regulatory precision, driven by impact tolerance, and designed for boardroom assurance.

Key DORA Regulatory Developments

What You Need to Know Now

1

18 NOVEMBER 2025

ESAs Publish First Official List of Critical ICT Third Party Providers (CTPPs)

This is a major step because it triggers direct oversight of those providers and fundamentally changes how firms need to manage concentration risk, contractual provisions, and exit planning. If your organisation relies on designated CTPPs, your third-party risk management programme requires immediate review.

2

JULY 2025

Oversight Mechanics Are Now Clearer

The ESAs published guidance on how they will run oversight of designated CTPPs. Firms should use this to anticipate information requests, inspection-style activity, and follow-up expectations. This is the playbook supervisors will use—align your internal processes accordingly.

3

COMPLIANCE ANCHOR

DORA Level 2 Rules Are the Practical Compliance Anchor

Supervisors are leaning heavily on the RTS and ITS package, especially around the Register of Information and how firms classify and report incidents. If your programme is fuzzy here, it is a quick way to get challenged. This is where supervisory scrutiny will focus first.

4

DUE 17 JANUARY 2026

Formal DORA Scope Review Point

A review clause requires the Commission to assess whether statutory auditors and audit firms should fall under DORA or under the Audit Directive framework, with input requested from the ESAs and audit oversight bodies. Watch this space for potential scope expansion.

2026 Supervision Readiness

Current "Hot List" for EU OpRes Work

Based on regulatory signals and supervisory priorities, these are the areas where firms should focus their immediate attention.

1

ICT Risk Management Controls

Evidence that ICT risk management controls are operating, not just designed. Supervisors will test effectiveness, not just existence.

2

Incident Classification & Reporting

Incident classification and reporting runbooks that can be executed fast, with complete data. Speed and accuracy under pressure are the test.

3

Register of Information

Register of Information accuracy and governance, because it feeds oversight and CTPP designation inputs. Data quality here is non-negotiable.

4

Third Party & CTPP Exposure

Third party contract remediation, exit plans, and concentration risk narrative, especially where services touch designated CTPPs.

Sector-Specific Compliance

2026 Supervision Readiness by Entity Type

We translate DORA requirements into tight, actionable checklists tailored to your sector's specific supervisory expectations.

Banks

Insurers

Asset Managers

Payments

Crypto-Asset Providers

EU Regulatory Milestones

Key Compliance Dates & Obligations

17 JANUARY 2025

EU DORA — In Force

Annual ICT risk management reviews and testing with calibrated TLPT requirements. Digital operational resilience obligations now fully applicable.

31 MARCH 2025

UK FCA/PRA — Full Regime

Annual board-approved self-assessment. Full regime moved out of transition and is now a recurring obligation.

JULY 2025

ESA CTPP Oversight Guidance Published

Guidance on how ESAs will run oversight of designated CTPPs—the basis for anticipating information requests and inspections.

18 NOVEMBER 2025

First Official CTPP List Published ⚠

ESAs publish first list of designated Critical ICT Third Party Providers. Triggers direct oversight and contract/exit plan review requirements.

17 JANUARY 2026

DORA Scope Review Due

Commission review on whether statutory auditors and audit firms should fall under DORA or Audit Directive framework.

1 SEPTEMBER 2026

Canada OSFI E-21 — Full Operationalisation

Phased operationalisation complete. Board accountability and resilience outcomes central to the framework.

Post-DORA Services

Operational Resilience 2026: Regulation, Control & AI Governance

Master compliance across ISO, Basel, FSB, DORA, and national frameworks. Integrate AI risk governance into your control environment.

CTPP Exposure Assessment

Map your dependencies on designated CTPPs, assess concentration risk, and develop compliant contractual provisions and exit strategies.

Register of Information Review

Accuracy audit, governance framework design, and alignment with RTS/ITS requirements for supervisory reporting.

Incident Reporting Readiness

Classification frameworks, runbook development, and tabletop exercises to ensure fast, complete incident reporting.

ICT Control Effectiveness Testing

Move beyond design documentation to evidence that your ICT risk management controls are operating effectively.

Timeline: 6–8 weeks

Emerging Regulation Compatibility

Three Pillars of Operational Resilience 2026

PILLAR 1: REGULATION

(Compliance Framework)

  • ISO 22301
  • Basel III/IV
  • FSB Principles
  • DORA + RTS/ITS
  • PRA/FCA/ECB/Fed
  • National Rules

PILLAR 2: CONTROL

(Governance Framework)

  • COSO Framework
  • COBIT 2019
  • Control Mapping
  • Risk Assessment
  • Attestation
  • Board Governance

PILLAR 3: AI GOVERNANCE

(AI Risk Framework)

  • AI model risk registry
  • AI testing & validation
  • AI failure scenarios
  • Model monitoring
  • EU AI Act alignment
  • AI vendor oversight

INTEGRATION POINT

  • Impact Tolerance (TOIL) + AI Impact
  • Third-Party + CTPP Resilience
  • Scenario Testing (AI failure modes)
  • Register of Information Governance
  • Board Reporting (Regulation + Control + AI)

Annual OpRes Attestation & Audit

Supporting your annual operational resilience cycle with independent assurance and board-ready reporting.

1

Identify & Review

Update IBS and CTPP dependencies annually

2

Validate Controls

Evidence operating effectiveness, not just design

3

Scenario Testing

Including CTPP failure and cyber scenarios

4

Board Approval

Self-assessment ready for supervisory scrutiny

5

Independent Assurance

External validation for board attestation

Comprehensive Table of Controls

| Dimension | Regulation | Control Framework | AI Governance |
| --- | --- | --- | --- |
| Impact Tolerance | TOIL | Control Objectives & Activities | AI Impact Tolerance (ATOIL): integrated impact tolerance covering AI failures |
| Third Parties | DORA Art 28 + CTPP Designation | Vendor Management (COSO) | AI Vendors including Cloud, LLM, GenAI |
| Register of Info | RTS/ITS Requirements | Data Governance & Accuracy | Feeds CTPP designation inputs |
| Incident Response | Classification & Reporting (24-72 hrs) | Runbooks & Root Cause Analysis | AI Model Anomaly Detection & Rollback |
| Testing | TLPT + Scenario Testing | Operating Effectiveness Evidence | AI Model Validation & Adversarial Testing |
| Board Governance | Annual Attestation & TOIL Certification | Control Effectiveness Reports | AI Model Performance & Governance Metrics |

Frequently Asked Questions

What does the CTPP designation mean for my firm?

If you rely on a designated Critical ICT Third Party Provider, you face new requirements around concentration risk assessment, contractual provisions (including audit rights and exit clauses), and exit planning. The ESAs will directly oversee these providers, and firms must demonstrate they can manage the associated risks.

What is the Register of Information and why does accuracy matter?

The Register of Information is a mandatory record of all ICT third-party arrangements. It feeds directly into supervisory oversight and CTPP designation processes. Poor data quality here is a quick way to attract regulatory challenge—accuracy and governance are non-negotiable.

How do the Level 2 RTS/ITS requirements affect incident reporting?

The RTS and ITS package specifies exactly how incidents must be classified and reported. Supervisors are leaning heavily on these rules. Your incident classification framework and reporting runbooks must align precisely with these requirements—and be executable fast with complete data.

What should we prioritise for 2026 supervision readiness?

Focus on four areas: (1) ICT risk management controls that are operating, not just designed; (2) incident classification and reporting runbooks that work under pressure; (3) Register of Information accuracy and governance; and (4) third-party contract remediation and exit plans, especially for CTPP dependencies.

Ready to strengthen your DORA compliance?

Get your sector-specific 2026 supervision readiness checklist and CTPP exposure assessment.


© 2024-2025 T3 Consultants Ltd, All Rights Reserved

Registered in England and Wales under 13034838 | VAT: 444 9851 58

contact@t-3.ai

UK: +44 20 8087 0917 | US: +1 213 659 0224


What is DORA?

The Digital Operational Resilience Act (DORA) is the EU regulation designed to enhance the operational resilience of financial services provision in the EU in the face of a potentially broad range of ICT-related disruptions. DORA requires banks, insurance undertakings, investment firms and other financial institutions to:

  • define and manage a robust governance and ICT risk management framework;
  • report significant ICT-related incidents to the authorities;
  • test their resilience against various ICT risk scenarios;
  • govern the ICT risk arising from third parties; and
  • participate in the development of the cyber resilience report.

The regulation also applies to the most critical ICT third-party providers, measured by the ICT services they provide to the financial sector (e.g. cloud providers). The European Parliament, the Council and the European Banking Authority (EBA) host the official resources on DORA.


DORA Enforcement and Applicability: Key Dates for Financial Sector Resilience

DORA entered into force on 16 January 2023 and applies from 17 January 2025 onwards. Its key aim is to strengthen the cyber resilience of financial institutions so as to protect the financial system against severe disruptions.

This regulation is expected to “align operational resilience requirements for the financial sector, while expanding their scope to cover 20 different types of financial institutions and ICT third-party service providers.”

What are ICTs?

ICTs broadly refer to the technologies, systems, and processes that enable the creation, processing, storage, transmission, and exchange of information. This includes:

  • Algorithmic Trading Platforms: Systems executing trades based on pre-defined algorithms and high-frequency strategies.
  • Anti-Money Laundering (AML) Solutions: Systems to screen customers, identify high-risk clients, and flag potential money laundering activities.
  • Enterprise Resource Planning (ERP): Integrated systems managing supply chain, HR, finance, and other back-office functions.
  • Data: The raw information, structured databases, and the analytics tools to extract insights from data.

Why are ICTs Important?

ICTs have revolutionized virtually every aspect of modern life and business, leading to:

  • Enhanced Productivity: Automation, streamlining workflows, and enabling real-time collaboration.
  • Innovation: Fueling new products, services, and business models across industries.
  • Global Connectivity: Facilitating communication, commerce, and knowledge sharing beyond geographic borders.
  • Improved Decision-Making: Providing access to vast amounts of data and analytical tools.
  • Social Change: Empowering individuals and fostering new forms of community and social action.

DORA establishes a binding, comprehensive ICT risk management framework specifically for the EU financial sector. This framework is aimed at creating a single regulatory environment at the European level to manage risks stemming from ICT and suppliers.
It’s designed to improve cybersecurity and operational resiliency in the financial services sector, complementing existing laws like the Network and Information Security Directive (NISD) and the General Data Protection Regulation (GDPR).

The regulation also seeks to harmonize existing rules on managing ICT governance, risks, and incident reporting for all financial institutions, ensuring operational resilience against cyber-attacks. This applies to all EU and non-EU companies operating in mainland Europe.



Why do you need to comply with DORA?

There are several compelling reasons why financial institutions need to comply with DORA: 

Regulatory Mandate and Penalties: The most immediate reason is that DORA is a legally binding EU regulation. Failure to comply by the implementation deadlines can result in significant fines, reputational damage, and potential restrictions on operating within the EU.

Strengthening Operational Resilience: DORA’s core aim is to build a more robust financial sector capable of withstanding ICT-related disruptions. By implementing the required frameworks, testing, and risk management, you reduce the likelihood and impact of outages or cyberattacks compromising your services.

Improved Cybersecurity Posture: DORA includes specific requirements around ICT security. Complying builds stronger defenses against cyber threats, protecting sensitive customer data and financial assets.

Harmonization of ICT Risk Management: Previously, ICT risk rules varied across EU member states. DORA provides a unified framework, streamlining compliance for institutions operating in multiple countries and creating a level playing field across the sector.

Building Customer & Stakeholder Trust: Demonstrating DORA compliance signals to clients, investors, and regulators that you take operational resilience and the security of their assets seriously. This can be a competitive advantage, foster stronger relationships, and reduce reputational risk.

Aligning with Evolving Risks: The threat landscape is constantly changing. DORA helps you stay ahead of the curve by requiring regular testing and reassessment of your resilience posture against new and emerging threats.

Beyond Compliance: Benefits of Proactive DORA Adoption

Enhanced decision-making: Data and insights gained through DORA compliance inform better risk management and investment decisions in ICT infrastructure and security.
Reduced operational costs: Proactive risk mitigation and prevention can reduce the cost of incidents and outages in the long run.
Innovation: A strong operational foundation enables confident exploration of new technologies and services, knowing you have the resilience to protect them.


How to comply with DORA?

1. Inventory and Mapping

Review your current:

  • Inventory of ICT third-party service providers (TPPs).
  • Contractual arrangements with TPPs.
  • Mapping of these details to the standardised templates provided by the Implementing Technical Standard (ITS).

2. Systems and Processes

Establish or improve systems and processes for:

  • Collecting, validating, and updating information required for the register of information on TPPs.
  • Reporting this information regularly.
  • Monitoring changes in the risk profile and performance of TPPs.

3. Collaboration with TPPs

Communicate with your TPPs about:

  • Their reporting obligations and expectations.
  • The need for their cooperation in providing information.
  • Amending contracts with TPPs, where needed, to require their compliance with reporting requirements.

4. Policy and Procedures

Develop or update policies and procedures to govern the management of the register of information, including:

  • Roles and responsibilities of personnel involved.
  • Escalation and reporting mechanisms for identified issues.
  • Audit and review activities to ensure ongoing compliance.

1

Gap Analysis and Assessment

Perform an initial gap analysis to evaluate the level of IT security and operational resilience of a financial institution within the scope of DORA against the regulation's requirements. Identify gaps and points of non-compliance, and propose solutions.

2

Strategic Advisory

Advise on how best to map operational resilience strategies to the DORA standards, and assist with prioritising resources to meet the compliance deadlines and to maintain ongoing compliance.

3

Policy Development and Review

Contribute to the development, review and update of policies, procedures, and controls to ensure compliance with DORA requirements. Assist in the development of a comprehensive Information and Communication Technology (ICT) risk management framework.

4

Training and Awareness

Develop and deliver training courses to raise awareness and knowledge of DORA obligations among employees and stakeholders alike, and keep them informed of changes to DORA and other relevant EU regulations.

5

Implementation Support

Provide hands-on assistance to make required changes to become DORA-compliant. Provide technical and operational support in establishing ICT governance frameworks, incident reporting and other necessary systems and processes.

6

Third-Party Vendor Assessment

Assess third-party ICT service providers for compliance with DORA requirements.

Assist in managing relationships and contracts with third-party ICT service providers for continuous compliance.

7

Technology Advisory and Implementation

Recommend and deploy technology to enable monitoring and management of ICT risks in line with DORA guidance. Support the implementation of Artificial Intelligence (AI) and Machine Learning (ML) technology in accordance with DORA.

8

Monitoring and Reporting

Contribute to establishing systems that monitor and report on ongoing compliance with DORA requirements. Prepare for audits and inspections by regulatory authorities.

9

Incident Response Planning

Assist in the development and testing of incident response plans to confirm that they are effective and meet DORA obligations.

10

Liaison with Regulatory Authorities

Serve as intermediary between financial entities and regulators for reporting, overseeing all regulatory communication to ensure that accurate, timely and legally compliant information is disseminated.

11

Customized Solutions

Customize solutions to the individual requirements and challenges of different financial institutions in meeting their DORA obligations.

DORA Readiness - How do you compare?

Organizations' estimated completion rates for key DORA milestones


ICT Risk Management: Although most companies (about 65%) have revised their IT risk management frameworks recently, continuous updating will be necessary.

Third-Party Risk Management: About 70% of firms actively monitor third parties for risk; however, ongoing, dynamic assessment remains difficult.

Operational Resilience Testing: 60% already have a test framework in place, yet only 40% perform advanced testing at the right frequencies.

Information Sharing: Only 50% of firms utilize established mechanisms effectively to enhance collective defense.

Reporting Requirements: High readiness (around 75%) for meeting reporting requirements, though the detail and accuracy of incident reports can be improved.

Frequently Asked Questions

The DORA Operational Resilience Policy is part of the Digital Operational Resilience Act (DORA), an EU-wide regulatory framework designed to enhance the cyber resilience and operational stability of financial institutions. Enforced by the European Supervisory Authorities (ESAs), DORA mandates that firms establish robust mechanisms to detect, prevent, and respond to ICT-related disruptions. This includes strict guidelines on risk management, incident reporting, third-party oversight, and regular stress testing. The policy’s primary objective is to ensure that critical financial services remain resilient during cyber incidents, safeguarding market stability and consumer trust.

The five key pillars of operational resilience are:

Governance and Accountability – Clear roles and responsibilities for overseeing resilience planning.

Business Continuity Planning – Preparing for disruptions with structured response plans.

Third-Party Risk Management – Ensuring service providers maintain resilience.

Incident Management – Effective response and recovery mechanisms.

Testing and Assurance – Regular testing of resilience measures to identify gaps.

T3’s expert team helps financial institutions strengthen each of these pillars, aligning with both regulatory expectations and industry best practices.

The seven principles of operational resilience are:

Preparation and Planning: Establishing risk tolerance and identifying critical services.

Risk Identification: Understanding internal and external threats to operations.

Incident Response and Recovery: Ensuring rapid and effective responses to disruptions.

Communication: Clear, timely communication during incidents.

Governance: Maintaining accountability for resilience measures.

Third-Party Management: Assessing the resilience of third-party partners.

Continuous Improvement: Regularly updating strategies to reflect evolving risks.

T3 consultants work closely with clients to embed these principles within their operational frameworks, enhancing resilience and compliance with CPS 230.

While both operational resilience and business continuity focus on minimizing disruption, they are distinct in scope and approach. Operational resilience is a broader strategy that prepares organizations to adapt and continue critical operations during unexpected events, ensuring long-term sustainability. In contrast, business continuity is more focused on maintaining specific business functions during short-term disruptions. Operational resilience includes business continuity planning as a component but extends to crisis management, third-party risk, and overall organizational adaptability.

The primary ISO standard relevant to operational resilience is ISO 22316:2017 – Security and Resilience – Organizational Resilience, which provides guidance on building organizational resilience. It complements ISO 22301:2019 for business continuity management. Together, these standards help organizations develop robust frameworks to withstand disruptions, protect stakeholders, and recover swiftly. T3 can help your firm align with these standards to meet regulatory expectations and enhance resilience capabilities.

Crisis management and operational resilience serve different purposes in risk preparedness. Crisis management focuses on the immediate response to unexpected events to protect people, assets, and reputation. It is reactive by nature, dealing with communication, decision-making, and containment during a crisis. Operational resilience, however, is proactive and strategic, emphasizing the design of systems and processes that can absorb shocks and continue critical operations. Essentially, crisis management is a response mechanism within the broader framework of operational resilience.

Yes, Business Continuity Planning (BCP) is an integral part of operational resilience. BCP focuses on maintaining business operations during short-term disruptions, while operational resilience extends this by ensuring the firm can adapt and thrive despite long-term shocks. T3’s operational resilience solutions incorporate BCP as a key element, alongside risk assessments, scenario testing, and recovery strategies to ensure end-to-end continuity and regulatory compliance.

The 5 Pillars of DORA provide a structured framework for building digital operational resilience in financial institutions:

ICT Risk Management: Firms must implement robust risk assessment and mitigation strategies for information and communication technologies.

ICT Incident Reporting: Mandatory reporting of major ICT-related incidents to regulatory authorities for prompt action and transparency.

Digital Operational Resilience Testing: Regular stress testing and scenario analysis to identify vulnerabilities and improve response strategies.

Third-Party Risk Management: Enhanced due diligence and monitoring of third-party ICT service providers to mitigate outsourcing risks.

Information Sharing and Learning: Secure mechanisms for information sharing among financial entities to bolster collective resilience.

These pillars form the backbone of DORA’s regulatory approach, ensuring end-to-end resilience across digital operations.

The DORA Regulation (Digital Operational Resilience Act) is an EU regulation introduced to strengthen the digital resilience of financial institutions against cyber threats and IT disruptions. Enforced as part of the EU’s Digital Finance Strategy, DORA focuses on ensuring that all players in the financial ecosystem—banks, insurance companies, fintech firms, and ICT providers—are equipped to detect, withstand, and recover from operational disruptions.

In essence, DORA sets out stringent requirements for:

Risk management of ICT systems

Incident detection and reporting

Digital resilience testing

Third-party risk governance

Operational transparency and communication

By standardizing these requirements across the EU, DORA aims to harmonize digital resilience standards, protect consumers, and secure market stability.
