DORA
Digital Operational Resilience Act (Regulation (EU) 2022/2554). EU-wide regulation on digital operational resilience in the financial sector. Governs ICT risk management, incidents, testing, third-party risk, and information register.
Knowledge
The most important terms from DORA, MaRisk, ISO 27001, and regulatory practice - concise, practical, and action-oriented.
Note: These definitions are independently formulated implementation aids. They do not replace binding regulatory interpretation. For binding definitions, consult the respective original sources (DORA Regulation, MaRisk, ISO 27001).
Digital Operational Resilience Act (Regulation (EU) 2022/2554). EU-wide regulation on digital operational resilience in the financial sector. Governs ICT risk management, incidents, testing, third-party risk, and information register.
Critical or important function. Business functions whose disruption or failure would have significant negative impacts on the financial institution, customers, or financial stability.
ICT third-party service provider. Providers of ICT services to a financial institution. Subject to strict contractual, due diligence, and registration obligations under DORA Art. 28.
Annual reporting of all ICT third-party relationships to the supervisory authority (DORA Art. 28). Contains contract information, protection needs classifications, and subcontractors.
Critical ICT Third-Party Provider. Designated by the ESAs (EBA, EIOPA, ESMA). Subject to oversight by Joint Examination Teams (JET).
ICT incident. Any event compromising the availability, authenticity, integrity, or confidentiality of networks and information systems. Reporting obligations by severity level.
Threat-Led Penetration Testing. Threat-based penetration testing for significant institutions and CTPPs under DORA Art. 26. Simulates APTs using threat intelligence. First deadline: 17 January 2028.
Systematic testing of digital operational resilience under DORA Chapter IV. Encompasses 12 test types with protection-level-based frequencies.
DORA Art. 24(2): All relevant test types must be conducted at least once within a rolling 3-year period (36 months). No exceptions.
page.dora_glossar.term_kf_schutzbedarf_desc
page.dora_glossar.term_red_team_blue_team_purple_team_desc
Threat Intelligence-Based Ethical Red Teaming. EU-wide framework by the ECB for TLPT tests. Methodology reference for DORA-compliant tests.
Minimum Requirements for Risk Management. Central supervisory framework for German financial institutions. 9th amendment final (Circular 06/2026, 30 June 2026).
MaRisk for securities institutions. Proportional requirements for small and medium-sized securities institutions.
page.dora_glossar.term_10_marisk_desc
page.dora_glossar.term_at_bt_desc
Information Security Management System under ISO/IEC 27001:2022. Core for systematic risk management, controls, evidence, and continuous improvement.
93 controls in 4 categories (Organisational, People, Physical, Technological) as a reference framework. Mapped with DORA articles and MaRisk.
PDCA-Zyklus (Plan-Do-Check-Act) als Grundprinzip des ISMS. Management-Reviews, interne Audits und Korrekturmaßnahmen führen zu ständiger Anpassung und Optimierung der Informationssicherheit.
German Federal Financial Supervisory Authority. Responsible for DORA implementation, information register acceptance, and ICT incident reporting hub.
European Banking Authority. Develops technical regulatory standards (RTS) and guidelines for DORA, particularly on testing, ICT risk management, and CTPP oversight.
European Supervisory Authorities (EBA, EIOPA, ESMA). Jointly responsible for CTPP designation, oversight, and guidelines under DORA.
Joint Examination Team. Joint inspection team of the ESAs for the oversight of critical ICT third-party providers.
Network and Information Security Directive 2. EU-wide directive for cybersecurity. Financial institutions fall under DORA, not NIS2.
Cyber Resilience Act. EU regulation on cybersecurity of products with digital elements. Affects software manufacturers and supply chains.
page.dora_glossar.term_sast_dast_iast_desc
Common Vulnerabilities and Exposures. Standardised identifier for publicly known security vulnerabilities.
Rules of Engagement. Formal document defining the scope, methods, and boundaries of a penetration test or TLPT exercise.
page.dora_glossar.term_aptt_apt_desc