Banks are among the most digitalised organisations there are — and among the most obvious targets. That is a large part of why they sit at the centre of DORA. For a bank, the question is not whether the regulation applies, but what compliance looks like in practice. For the overarching framework, see our DORA page.

Why banks sit at the centre of DORA

Credit institutions are core entities under DORA. They run critical infrastructure for society's payments and depend on complex IT estates and many suppliers. DORA therefore imposes requirements on the whole chain: from internal ICT risk management to managing the third parties the bank relies on. The proportionality principle means requirements are scaled to the bank's size and risk profile — but the core obligations apply broadly.

The biggest DORA tasks for a bank

In practice, these areas tend to dominate:

  • A complete ICT asset overview. Large IT estates make it hard to produce a complete, current register — but it is the foundation for everything else.
  • Third-party risk. Banks depend on many suppliers. DORA requires a register of arrangements, risk assessment and ongoing monitoring.
  • Incident reporting. Major ICT incidents must be classified and reported within set deadlines — which assumes the bank can quickly establish what happened.
  • Resilience testing. For the most significant entities, this also includes advanced threat-led penetration testing (TLPT).

The certificate part in a bank

A bank typically has certificates spread across online and mobile banking back ends, open banking APIs, internal business systems, payment infrastructure and a long list of supplier systems. Each is an ICT asset and a cryptographic control — and therefore part of the DORA picture. The certificates that cause problems most often are the ones nobody had an overview of. A complete inventory that also covers suppliers' certificates on the bank's domains is therefore an obvious, concrete place to strengthen compliance. See DORA and NIS2 in financial services for how the two frameworks interact.
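To make the inventory point concrete, the check below is an added example (not CertControl's code): it takes certificate records shaped like Python's `ssl` `getpeercert()` output, plus an `owner` field from the bank's own asset register, and flags expiry, certificates on the bank's domain issued to another organisation, and entries nobody owns. The bank domain, organisation name, warning window and sample records are constructed assumptions.

```python
"""Minimal certificate register check for a bank's TLS endpoints."""
import ssl
import socket
from datetime import datetime, timezone

BANK_DOMAIN = "examplebank.test"   # assumed bank domain
BANK_ORG = "Example Bank AS"       # assumed subject organizationName of the bank's own certs
WARN_DAYS = 30                     # assumed expiry warning window

def fetch_cert(host, port=443):
    """Fetch the leaf certificate of a live endpoint with SNI, in getpeercert() shape."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _rdn_value(name, key):
    """Pull one attribute (e.g. organizationName) out of getpeercert()'s nested RDN tuples."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def assess(record, now=None):
    """Return the findings for one record; an empty list means nothing to flag."""
    now = now or datetime.now(timezone.utc)
    findings = []
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(record["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    if days_left < 0:
        findings.append("expired")
    elif days_left <= WARN_DAYS:
        findings.append(f"expires in {days_left} days")
    sans = [v for kind, v in record.get("subjectAltName", ()) if kind == "DNS"]
    org = _rdn_value(record["subject"], "organizationName")
    on_bank_domain = any(s == BANK_DOMAIN or s.endswith("." + BANK_DOMAIN) for s in sans)
    if on_bank_domain and org != BANK_ORG:
        findings.append(f"issued to {org} on bank domain")   # supplier cert on the bank's name
    if not record.get("owner"):
        findings.append("no registered owner")               # the "nobody had an overview" case
    return findings

def build_register(records, now=None):
    """Map commonName -> findings for a batch of records (the bank's register view)."""
    return {_rdn_value(r["subject"], "commonName"): assess(r, now) for r in records}

SAMPLE_RECORDS = [  # constructed sample records, not real certificates
    {"owner": "Online banking team", "notAfter": "Dec 31 23:59:59 2030 GMT",
     "subject": ((("organizationName", BANK_ORG),), (("commonName", "netbank.examplebank.test"),)),
     "subjectAltName": (("DNS", "netbank.examplebank.test"),)},
    {"owner": None, "notAfter": "Jan 20 12:00:00 2026 GMT",
     "subject": ((("organizationName", "Acme Payments Ltd"),), (("commonName", "pay.examplebank.test"),)),
     "subjectAltName": (("DNS", "pay.examplebank.test"),)},
]
```

Replace `SAMPLE_RECORDS` with `fetch_cert()` results joined to the asset register's owner column to run it against live endpoints.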

How CertControl helps banks with the certificate part

CertControl covers the part of DORA work that concerns certificates and TLS — in a way that fits a bank's security requirements. It finds certificates automatically across every domain, including suppliers' and acquired entities'; covers internal business systems and payment infrastructure through an on-premise agent with no inbound connections; documents the cryptographic controls with TLS grading and catches expiry early; and produces an audit log and reports for internal audit, external auditors and supervisors.
