EU Regulation 2022/2554

DORA compliance before the deadline

The Digital Operational Resilience Act is in force. Enforcement started January 2025. Supervisory bodies are reviewing financial entities right now. If your ICT risk management framework is not operational, you are already behind. MANTIS helps you close the gap with continuous validation -- not a last-minute scramble.

Regulatory Timeline

Where we are now.

Jan 2023: DORA entered into force
Jan 2025: Enforcement begins
2025-2026: First supervisory reviews
Ongoing: Continuous compliance required

DORA Pillars

What DORA requires.

ICT Risk Management

Articles 5-16

A comprehensive framework for identifying, classifying, and mitigating ICT risks. Not just a policy document -- operational procedures, governance structures, and continuous monitoring.

MANTIS coverage

MANTIS Control continuously scans your cloud infrastructure against ICT risk baselines. Misconfigurations, exposed services, and drift from approved architectures are flagged in real time.

Incident Reporting

Articles 17-23

Major ICT-related incidents must be classified, reported to competent authorities, and disclosed to clients when their interests are affected. Tight timelines: initial notification within hours.

MANTIS coverage

MANTIS findings include severity classification, affected scope, and evidence chains that accelerate incident triage. Pre-structured reports reduce the scramble when regulators come calling.

Resilience Testing

Articles 24-27

Vulnerability assessments, penetration testing, and, for critical entities, threat-led penetration testing (TLPT) following frameworks like TIBER-EU. Not optional. Not annual. Ongoing.

MANTIS coverage

MANTIS Agent performs continuous penetration testing against your applications and APIs. Methodology-driven testing that satisfies DORA's resilience testing requirements without scheduling quarterly engagements.

Third-Party Risk

Articles 28-44

ICT third-party service providers must be assessed, monitored, and contractually bound to resilience standards. Concentration risk -- depending too heavily on one provider -- must be actively managed.

MANTIS coverage

MANTIS inventories cloud provider configurations and validates that your infrastructure does not create single points of failure. Multi-cloud and multi-region posture monitoring built in.

Who must comply.

DORA applies to virtually all EU-regulated financial entities:

Banks & credit institutions
Insurance & reinsurance
Investment firms
Payment institutions
Crypto-asset providers
ICT third-party providers

Supervisors are reviewing now. Are you ready?

Continuous DORA compliance for banks, insurers, and financial service providers.
