What DORA Means for Your vCISO: The 5 Obligations Every Financial Entity Must Fulfil by 2025
The Digital Operational Resilience Act (DORA) is now in force. For financial entities operating in the EU — banks, investment firms, insurance companies, and their ICT service providers — this means five binding obligations that your virtual CISO must drive. Here is the operational playbook.
DORA Is Not Optional — And It Is Already In Force
As of January 17, 2025, the Digital Operational Resilience Act (DORA) applies to over 22,000 financial entities and ICT service providers across the EU. Unlike GDPR, which gave organisations years of runway, DORA arrived with full supervisory authority from day one. Competent authorities — the ECB, ESMA, national regulators — can and will examine your ICT risk management framework.
If you are operating a vCISO function at a bank, investment firm, fintech, or insurance company, these are the five obligations you own.
Obligation 1 — ICT Risk Management Framework (Article 6)
DORA requires a comprehensive, documented ICT risk management framework approved by senior management. This is not a policy document — it is an operational framework that covers: risk identification and classification, protection and prevention measures, detection, response and recovery, and communication. Your vCISO must ensure this framework is reviewed at least annually and after every major ICT incident.
What HorizonShield does: We build DORA-compliant ICT risk management frameworks from scratch or retrofit your existing ISO 27001 ISMS to meet the new requirements — including the mandatory mapping of ICT assets to business processes.
Obligation 2 — ICT-Related Incident Management (Articles 17–23)
DORA introduces strict incident classification and reporting timelines. Major incidents must be reported to your competent authority on three deadlines: an initial notification within 4 hours of classification, an intermediate report within 72 hours, and a final report within 1 month. Your vCISO must own the incident classification matrix, the reporting escalation chain, and the post-incident review process.
HorizonShield SLA: Our incident response retainer includes DORA-formatted initial, intermediate, and final reports — drafted and submitted on your behalf within the statutory deadlines.
Obligation 3 — Digital Operational Resilience Testing (Article 26)
Significant financial entities must conduct Threat-Led Penetration Testing (TLPT) at least every three years. TLPT is not a standard penetration test — it is an intelligence-led, red-team exercise based on real threat actor TTPs specific to your organisation. The testing team must be certified, and the scope must cover production systems.
What this means in practice: If you are a Tier-1 bank, this is a multi-month engagement involving threat intelligence gathering, red team execution, and a formal attestation to your regulator. HorizonShield conducts TLPT-aligned engagements for financial institutions across the Greater New York Financial District and EU-regulated entities.
Obligation 4 — ICT Third-Party Risk Management (Chapter V)
DORA Chapter V is arguably the most operationally demanding part of the regulation. You must maintain a register of all contractual arrangements with ICT service providers, classify them by criticality, conduct annual assessments of critical providers, and manage concentration risk (the risk that too many of your critical functions depend on a single cloud provider).
The DORA TPRM checklist your vCISO needs:
- Complete register of ICT service providers with criticality ratings
- Contractual clauses meeting DORA's minimum requirements (audit rights, exit strategies, sub-outsourcing controls)
- Annual security assessments of critical providers
- Concentration risk analysis and documented mitigation
- Exit strategy for each critical provider
Obligation 5 — Information Sharing (Article 45)
DORA encourages — and in some jurisdictions requires — participation in threat intelligence sharing arrangements with sector peers and competent authorities. Your vCISO should establish a formal process for contributing to and consuming threat intelligence from ISAC (Information Sharing and Analysis Center) networks relevant to your sector.
The Bottom Line
DORA is the most operationally demanding cybersecurity regulation the financial sector has ever faced. But it is also an opportunity: organisations that build genuine ICT operational resilience — not just paper compliance — will have a competitive advantage in regulatory examinations, client due diligence, and incident response speed.
HorizonShield offers a DORA readiness assessment that scores your organisation against all five obligations and delivers a board-ready gap register within 10 business days.
Cybersecurity expert at HorizonShield, specializing in threat intelligence, incident response, and enterprise security architecture.