What is the Digital Operational Resilience Act (DORA)?

DORA (Regulation EU 2022/2554) is an EU regulation that establishes uniform requirements for the digital operational resilience of financial entities. In force since January 17, 2025, it requires banks, insurers, investment firms, payment institutions, and their critical ICT third-party providers to manage ICT risks, report major incidents, test resilience, and monitor third-party dependencies.

Who is subject to DORA compliance?

DORA applies to a broad range of financial entities in the EU, including credit institutions, payment institutions, electronic money institutions, investment firms, insurance companies, crypto-asset service providers, and critical ICT third-party service providers that supply services to these entities.

What are the main DORA requirements?

DORA has five pillars: (1) ICT risk management - a comprehensive framework to identify and manage ICT risks; (2) ICT incident reporting - classification and notification of significant incidents to supervisory authorities; (3) Digital operational resilience testing - regular testing including threat-led penetration testing; (4) ICT third-party risk management - oversight of critical third-party providers; (5) Information sharing - voluntary sharing of cyber threat intelligence.

How does ROOTKey help with DORA compliance?

ROOTKey provides verifiable ICT integrity evidence that financial entities need for DORA compliance. Specifically: cryptographic audit trails prove the integrity of ICT logs and operational data; immutable incident records provide tamper-proof evidence for regulatory reporting; post-incident recovery validation confirms data was restored to a trusted state; and the ROOTKey API integrates with existing ICT systems to produce continuous compliance evidence without disrupting operations.

What are the DORA incident reporting timelines?

Under DORA, financial entities must report major ICT incidents to their competent supervisory authority: an initial notification within 4 hours of classifying an incident as major (and no later than 24 hours after becoming aware); an intermediate report within 72 hours; and a final report within one month of the intermediate report. ROOTKey provides the audit-ready incident evidence needed for these reports.

What are the penalties for DORA non-compliance?

DORA enforcement is handled by national supervisory authorities. Penalties vary by member state and entity type, but can include public notices, temporary bans on ICT services, and significant fines. For critical ICT third-party providers, supervisory authorities have enhanced oversight powers including on-site inspections and binding recommendations.

EU 2022/2554 · DORA Regulation

Digital resilience
DORA without
disruption

ROOTKey maps DORA requirements directly onto your existing infrastructure - ICT risk management, incident reporting, resilience testing - with verifiable cryptographic proofs.

BankingInsuranceAsset ManagementMarket InfrastructurePaymentsAudit

Talk to an expert →See plans

Compliance Overview

Covered articles · DORAActive

Art. 5–16ICT risk managementCovered

Art. 17–23Incident classification & reportingCovered

Art. 24–27Operational resilience testingCovered

Art. 28–44ICT third-party riskCovered

Art. 45–49Information sharingCovered

Art. 19–20Notification to authoritiesCovered

Art. 26Advanced penetration testingPartial

€5M

Maximum fine

or 1% of global annual turnover

Initial notification

after classification of a major incident

20+

Entity types

financial entities covered by the regulation

Jan'25

Mandatory application

in force across the European Union

01 / Mapping

ROOTKey covers the articles that matter

Each platform feature addresses specific regulation requirements. Auditable cryptographic evidence - not reports, proofs.

Articles 5–16

ICT risk management

Financial entities must implement a robust ICT risk management framework with documented policies, controls, and business continuity mechanisms.

ROOTKey

Immutable ICT policy registry with verifiable hash per version and blockchain history - retroactive tampering cryptographically impossible.

Articles 17–23

Incident classification

Classification, monitoring, and reporting of major ICT incidents with defined criteria and stipulated notification deadlines.

ROOTKey

Cryptographically signed timestamps for every event. Irrefutable chain of custody with structured export to regulators in seconds.

Articles 24–27

Resilience testing

Regular digital operational resilience testing programme, including vulnerability assessments and threat-led penetration testing.

ROOTKey

Recovery Points with ZK integrity proofs - verifiable evidence that recovery systems have not been compromised before being tested.

Articles 28–44

ICT third-party risk

Rigorous management of ICT third-party vendor risk, including due diligence, contractual arrangements, and audit rights.

ROOTKey

Zero-trust by design: every third-party access is authenticated with a cryptographic proof and recorded immutably, with no implicit trust.

Articles 45–49

Information sharing

Participation in information-sharing arrangements on cyber threats and vulnerabilities between financial entities.

ROOTKey

Structured and exportable logs with cryptographic evidence - ready for secure sharing with authorities and sector peers.

Articles 19–20

Notification to authorities

Initial notification to the competent authority within 4 hours of classifying a major incident; final report within 1 month.

ROOTKey

Logs with immutable timestamps and structured export - verifiable evidence of detection and classification time, ready in minutes.

02 / Platform

On top of your infrastructure. Not instead of it.

ROOTKey does not replace existing systems. It adds a cryptographic verification layer via API - no migrations, no vendor lock-in.

Auditable cryptographic evidence

Every critical action generates an independent proof, verifiable by external auditors without accessing the original data. Compliance that is proven - not described.

Verifiable recovery points

Backups with blockchain-guaranteed integrity. The regulator asks for evidence; ROOTKey delivers proof - date, content, integrity, all verifiable.

ICT risk management

Robust framework with versioned policies and immutable hash per version. Auditable at any time, with no possible tampering.

Incident reporting

Chain of custody for every ICT event with cryptographic timestamp. Notification to authorities with irrefutable evidence in minutes.

Operational resilience

Recovery Points verified by ZK proofs before any restore. Guaranteed integrity of recovery systems.

Third-party risk

Every ICT vendor access is authenticated and recorded with immutable cryptographic proof. Native zero-trust by design.

03 / Integration

Live in days, not months

Documented REST API, available SDKs, dedicated enterprise support. ROOTKey adapts to your stack - not the other way around.

API integration

Documented REST API, SDKs for major languages. Live in days. Without replacing existing infrastructure.

Automatic proofs

Every critical event automatically generates an immutable, auditable cryptographic proof. Zero additional operational effort.

Instant reporting

Real-time compliance dashboard. Export evidence to regulators in seconds - not weeks of audit work.

Partner

Incubator

Your DORA resilience
starts today

Talk to our team. In 30 minutes you'll know exactly where you stand on DORA and what ROOTKey resolves - without operational disruption.

Schedule a demo →Download DORA one-pager

EU 2022/2554 · DORA Regulation

Digital resilience
DORA without
disruption

ROOTKey maps DORA requirements directly onto your existing infrastructure - ICT risk management, incident reporting, resilience testing - with verifiable cryptographic proofs.

BankingInsuranceAsset ManagementMarket InfrastructurePaymentsAudit

Talk to an expert →See plans

Compliance Overview

Covered articles · DORAActive

Art. 5–16ICT risk managementCovered

Art. 17–23Incident classification & reportingCovered

Art. 24–27Operational resilience testingCovered

Art. 28–44ICT third-party riskCovered

Art. 45–49Information sharingCovered

Art. 19–20Notification to authoritiesCovered

Art. 26Advanced penetration testingPartial

€5M

Maximum fine

or 1% of global annual turnover

Initial notification

after classification of a major incident

20+

Entity types

financial entities covered by the regulation

Jan'25

Mandatory application

in force across the European Union

01 / Mapping