Who it applies to
DORA applies to banks, investment firms, insurance and reinsurance undertakings, payment institutions, electronic money institutions, crypto-asset service providers, central counterparties, trading venues, central securities depositories and a long tail of other financial entities, plus their critical ICT third-party providers.
What it requires
- Article 9: ICT risk management framework with continuous identification, protection, detection, response and recovery
- Article 13: digital operational resilience testing — including threat-led penetration testing (TLPT) for significant entities
- Article 17: ICT-related incident management and reporting
- Article 28: oversight of critical third-party ICT providers
How Sandline helps
- TLPT exercises run by senior red-team engineers with EU TIBER-aligned methodology
- ICT risk register and continuous vulnerability management built on Centraleyezer
- Incident response retainer with DORA-aligned reporting templates
- Third-party security assessment programme for critical ICT providers