DORA Chapter II ICT Risk Management: 2026 Compliance Guide
DORA Chapter II requires 22,000 EU financial entities to implement ICT risk management frameworks ahead of the Q4 2026 SREP supervisory review. Audit your compliance gap now.
Frequently Asked Questions
- DORA Chapter II (Articles 5-16 of Regulation EU 2022/2554) requires financial entities to establish a documented ICT risk management framework covering governance, risk identification, protection, detection, response, recovery, backup, and business continuity. Management bodies must personally oversee implementation and maintain demonstrable ICT competency. The framework entered into application on 17 January 2025.
- Under DORA Article 19, financial entities must submit an initial notification to their competent authority within 4 hours of classifying an incident as major, and no later than 24 hours after first becoming aware of it. An intermediate report follows within 72 hours, and a final report is due no later than one month after the intermediate report. Incident classification criteria are defined in Commission Delegated Regulation (EU) 2024/1772.
- Financial entities that fail to meet DORA Chapter II ICT risk management requirements face fines of up to 10% of total annual turnover or EUR 10 million, whichever is higher, for serious breaches (DORA Regulation EU 2022/2554, https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng). Individual senior managers can face personal fines of up to EUR 1 million. From Q4 2026, ICT risk non-compliance will also be reflected in SREP scores, affecting capital requirements and supervisory standing.