What is the primary objective of DORA?

DORA's primary objective is to strengthen the digital operational resilience of the EU financial sector against ICT disruptions, including cyberattacks, system failures, and third-party risks. Regulation (EU) 2022/2554 mandates proactive ICT risk management, incident reporting, resilience testing, and third-party oversight for 20 types of financial entities and critical ICT third-party providers (CTPPs), having entered full application on January 17, 2025.

Who is legally or professionally required to comply with DORA?

DORA applies to approximately 22,000 EU-regulated financial entities across 20 types, including credit institutions, insurance undertakings, investment firms, payment institutions, and crypto-asset service providers, plus critical ICT third-party providers (CTPPs). Critical providers like cloud and data analytics firms face direct ESA oversight, with designation finalized by end-2025.

Does DORA require an external audit or third-party certification?

DORA does not mandate external audits or third-party certification but requires independent digital operational resilience testing, including risk-based annual basic tests and triennial threat-led penetration testing (TLPT) for critical entities. Results must be reported to authorities, with TLPT scopes validated by ESAs per Batch 2 RTS (July 17, 2024).

How often should an assessment for DORA be performed?

DORA requires annual basic ICT resilience tests, such as vulnerability assessments, and triennial advanced TLPT for designated critical entities. ICT risk management frameworks must undergo annual reviews, with testing tailored proportionally to entity size, complexity, and risk exposure.

What are the consequences of non-compliance with DORA?

Non-compliance with DORA incurs administrative fines up to 2% of total global annual turnover for firms or €5 million (or 10% of annual salary) for individuals. ESAs and competent authorities enforce penalties, alongside oversight fees up to €1 million annually for CTPPs, with remediation mandates.

An DORA be mapped to other international frameworks?

Yes, DORA's ICT risk frameworks, incident reporting, and testing align with international resilience standards, facilitating gap analyses and integrated compliance programs. Its structured pillars—ICT risk management, incident classification (>5% user impact or €100,000+ losses), TLPT, and third-party oversight—support mapping while maintaining EU-specific mandates like 4-hour initial reporting.

What is the first step to begin implementing DORA?

The first step for DORA implementation is conducting a gap analysis against the ICT risk management framework RTS (Batch 1, January 17, 2024) to identify, assess, and prioritize ICT risks. Establish a comprehensive framework overseen by the management body, incorporating proportionality, recovery time objectives (<4 hours for critical services), and third-party dependency mapping.

What is the primary objective of AS9120B?

AS9120B's primary objective is to establish a quality management system (QMS) for stockists and distributors of aerospace parts, materials, and assemblies, ensuring traceability, counterfeit prevention, and product conformity without altering product characteristics. It builds on ISO 9001:2015's high-level structure, adding over 100 IAQG-specific requirements for procurement, storage, handling, preservation, and delivery in aviation, space, and defense supply chains.

Who is legally or professionally required to comply with AS9120B?

AS9120B applies professionally to parts distributors, stockists, brokers, and wholesalers procuring, storing, and reselling aerospace components without manufacturing or maintenance. It targets organizations in AS&D supply chains; OEMs and primes often mandate certification contractually for supplier lists and bids. It excludes MRO or conformity-altering activities, scaling from small independents to multi-site groups.

Oes AS9120B require an external audit or third-party certification?

Yes, AS9120B requires third-party certification through a two-stage external audit (Stage 1 documentation review, Stage 2 on-site) by an accredited registrar. Certification, valid for three years with annual surveillance audits and triennial recertification, lists organizations in the IAQG OASIS database, enabling market access.

How often should an assessment for AS9120B be performed?

AS9120B requires internal audits at planned intervals to cover all processes and clauses annually, plus management reviews at least quarterly. Gap analyses occur pre-implementation; post-certification, surveillance audits happen yearly, with full recertification every three years using AS9101 checklists.

What are the consequences of non-compliance with AS9120B?

Non-compliance with AS9120B results in contractual exclusion from OEM bids, audit findings, penalties, recalls, and liabilities from nonconforming or counterfeit parts. It leads to revenue loss, reputational damage, operational disruptions like aircraft groundings, and legal exposure under aviation regulations.

An AS9120B be mapped to other international frameworks?

No, AS9120B FAQs must stand alone without mapping references per guidelines.

What is the first step to begin implementing AS9120B?

The first step for AS9120B implementation is executive alignment via a project charter, appointing a Management Representative, and conducting a formal gap analysis against clauses using AS9101 checklists. This baseline assessment (Weeks 2–8) identifies high-risk gaps in traceability, counterfeit prevention, and supplier controls.

Standards Comparison

DORA vs AS9120B

DORA

Mandatory

2023

EU regulation for digital operational resilience in financial sector

AS9120B

Mandatory

2016

Aerospace QMS standard for distributors and stockists.

Quick Verdict

DORA mandates ICT resilience for EU financial firms against cyber threats, while AS9120B certifies quality systems for aerospace distributors ensuring traceability and counterfeit prevention. Financial entities comply to avoid fines; distributors certify for market access.

Digital Operational Resilience

DORA

Regulation (EU) 2022/2554 Digital Operational Resilience Act

Cost

€€€€

Complexity

High

Implementation Time

18-24 months

Key Features

Mandates comprehensive ICT risk management frameworks
Requires 4-hour notification for major incidents
Enforces triennial threat-led penetration testing
Oversees critical third-party ICT providers
Harmonizes resilience across EU financial entities

Quality Management

AS9120B

AS9120B Quality Management Systems for Distributors

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Counterfeit and fraudulent parts prevention
Full traceability and chain-of-custody controls
Risk-based supplier evaluation and monitoring
Product safety and obsolescence management
Storage, preservation, and handling requirements

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

DORA Details

What It Is

Digital Operational Resilience Act (DORA), formally Regulation (EU) 2022/2554, is an EU-wide regulation strengthening digital operational resilience of financial entities against ICT risks like cyberattacks and outages. Applicable since January 17, 2025, it targets 20 financial entity types and critical third-party providers (CTPPs), employing a proactive, risk-based, proportional approach.

Key Components

**ICT Risk ManagementFrameworks for identification, mitigation, and annual reviews overseen by management.
**Incident ReportingClassification and reporting (4 hours initial, 72 hours intermediate, 1-month root cause).
**Resilience TestingAnnual basic tests; triennial threat-led penetration testing (TLPT) for critical functions.
**Third-Party OversightDue diligence, contractual clauses, and ESA supervision of CTPPs. Compliance emphasizes harmonization without formal certification, but requires audits and reporting.

Why Organizations Use It

Mandatory for ~22,000 EU financial entities to avert fines up to 2% global turnover. Bolsters resilience amid rising threats (74% ransomware hit rate), ensures continuity, fosters trust, and aligns with business strategies like Solvency II.

Implementation Overview

Conduct gap analyses, develop frameworks, implement testing/vendor management. Tailored by size/complexity via proportionality; key for EU finance sector. Preparation involves tools/training; full rollout was required by the 2025 deadline.

AS9120B Details

What It Is

AS9120B is the quality management system (QMS) standard for aviation, space, and defense (AS&D) distributors, building on ISO 9001:2015 with distributor-specific requirements. It focuses on procurement, storage, traceability, and resale without altering products, using a risk-based process approach.

Key Components

10-clause high-level structure with 100+ aerospace additions.
Core areas: counterfeit prevention, traceability/chain-of-custody, supplier controls, product safety, obsolescence management.
Built on PDCA cycle; requires documented information, internal audits, management reviews.
Third-party certification via accredited registrars, OASIS listing.

Why Organizations Use It

Enables market access to OEMs/primes via contractual mandates.
Mitigates risks of nonconforming/counterfeit parts, liabilities.
Drives efficiency, trust, competitive differentiation.
Enhances resiliency, data-driven decisions.

Implementation Overview

Phased: gap analysis, process design, training, audits (6-12 months).
Cross-functional teams; IT for traceability.
Applies globally to distributors of all sizes; certification audits required.

Key Differences

Aspect	DORA	AS9120B
Scope	Digital operational resilience, ICT risk management	Aerospace distributor quality management, traceability
Industry	EU financial sector, 20 entity types	Global aerospace parts distributors
Nature	Mandatory EU regulation, enforced by ESAs	Voluntary certification standard, IAQG/SAE
Testing	Annual basic, triennial TLPT by independents	Internal audits, certification audits
Penalties	Up to 2% global turnover fines	Loss of certification, market exclusion

Scope

DORA

Digital operational resilience, ICT risk management

AS9120B

Aerospace distributor quality management, traceability

Industry

DORA

EU financial sector, 20 entity types

AS9120B

Global aerospace parts distributors

Nature

DORA

Mandatory EU regulation, enforced by ESAs

AS9120B

Voluntary certification standard, IAQG/SAE

Testing

DORA

Annual basic, triennial TLPT by independents

AS9120B

Internal audits, certification audits

Penalties

DORA

Up to 2% global turnover fines

AS9120B

Loss of certification, market exclusion

Frequently Asked Questions

Common questions about DORA and AS9120B

DORA FAQ

AS9120B FAQ

You Might also be Interested in These Articles...

Why the SEC Stepped In: The Investor-Driven Push for Cybersecurity Transparency

Discover why the SEC's 2023 cybersecurity rules treat cyber risks as material financial threats. Explore the 'stick and carrot' approach for standardized disclo

ISO 27701 Standalone Certification in 2025: Debunking Myths and Navigating the New Reality

Debunk myths on ISO 27701 standalone certification post-2025. Clarify viability, accreditation bodies, ISO 27001 audit differences & procurement benefits. Guide

SEC Cybersecurity Rules Materiality Determination Framework: Step-by-Step Guide with Checklists and Real-World Examples

Master SEC Form 8-K Item 1.05 materiality determinations with our step-by-step framework, checklists, case law factors, and real-world examples. Avoid enforceme

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how DORA and AS9120B compare against other standards

Other DORA Comparisons

Other AS9120B Comparisons

What It Is

Key Components

**ICT Risk ManagementFrameworks for identification, mitigation, and annual reviews overseen by management.

**Incident ReportingClassification and reporting (4 hours initial, 72 hours intermediate, 1-month root cause).

**Resilience TestingAnnual basic tests; triennial threat-led penetration testing (TLPT) for critical functions.

**Third-Party OversightDue diligence, contractual clauses, and ESA supervision of CTPPs. Compliance emphasizes harmonization without formal certification, but requires audits and reporting.

What It Is

Key Components

10-clause high-level structure with 100+ aerospace additions.

Core areas: counterfeit prevention, traceability/chain-of-custody, supplier controls, product safety, obsolescence management.

Built on PDCA cycle; requires documented information, internal audits, management reviews.

Third-party certification via accredited registrars, OASIS listing.

Aspect

DORA

AS9120B

Scope

Digital operational resilience, ICT risk management

Aerospace distributor quality management, traceability

Industry

EU financial sector, 20 entity types

Global aerospace parts distributors

Nature

Mandatory EU regulation, enforced by ESAs

Voluntary certification standard, IAQG/SAE

Testing

Annual basic, triennial TLPT by independents

Internal audits, certification audits

Penalties

Up to 2% global turnover fines

Loss of certification, market exclusion