Install: claude install-skill roodlicht/accans-sec-skills
# DORA Compliance
> **Disclaimer**: not legal advice. This skill supports a technical gap analysis against DORA and the underlying Regulatory Technical Standards. Legal qualification (entity classification, contract clauses, sanctions risk) requires financial-law expertise, usually via a compliance department or external counsel.
## When to use
The Digital Operational Resilience Act (EU regulation 2022/2554) has been in force since 17 January 2025. It harmonizes ICT risk management for financial entities in the EU and extends supervision to critical ICT third-party providers. As a regulation (not a directive), DORA applies directly in Dutch law without a national implementation act, although supervision is organised nationally (DNB and AFM) alongside the ESAs.
Triggers on:
- A question like "DORA gap analysis", "is our entity in scope of DORA", "how do we classify an incident under DORA", "what is a TLPT", "set up a DORA third-party register", "DNB reporting pipeline".
- A financial entity (bank, insurer, investment firm, pension fund, payment institution, crypto-asset service provider, crowdfunding platform, trading venue, etc.) that needs to demonstrate compliance.
- An ICT service provider serving EU financial entities and considering whether it will be designated a "critical ICT third-party provider" by the ESAs.
- A handoff from `iso27001` or `nis2`: as lex specialis, DORA takes precedence over NIS2 for financial entities on most points, but not all.
- A security incident where classification and reporti