What is the primary objective of DORA?

The primary objective of DORA is to strengthen the digital operational resilience of the EU financial sector against ICT disruptions, including cyberattacks, system failures, and third-party risks. Regulation (EU) 2022/2554 mandates ICT risk management, incident reporting, resilience testing, and third-party oversight for 20 financial entity types and critical ICT third-party providers (CTPPs), which entered full application on January 17, 2025.

Who is legally or professionally required to comply with DORA?

DORA applies to approximately 22,000 EU-regulated financial entities across 20 types, including credit institutions, insurance undertakings, investment firms, payment institutions, and crypto-asset service providers, plus critical ICT third-party providers (CTPPs). It targets entities dependent on ICT like cloud and data analytics firms, with ESAs having designated CTPPs by end-2025 for direct oversight.

Does DORA require an external audit or third-party certification?

DORA does not mandate external audits or third-party certification but requires risk-based digital operational resilience testing, including independent annual basic tests and triennial threat-led penetration testing (TLPT) for critical entities. Testing may involve external providers, with results reported to authorities; third-party oversight includes contractual audit rights for CTPPs.

How often should an assessment for DORA be performed?

DORA requires annual basic ICT resilience tests, such as vulnerability assessments, and triennial advanced TLPT for critical or designated entities. ICT risk management frameworks must undergo annual reviews, with testing plans tailored proportionally to entity size, complexity, and risk exposure.

What are the consequences of non-compliance with DORA?

Non-compliance with DORA incurs administrative fines up to 2% of total global annual turnover for firms or €5 million (or 10% of annual salary) for individuals, imposed by ESAs or competent authorities. Additional measures include remedial orders, oversight fees up to €1 million annually for CTPPs, and reputational damage from public reporting.

An DORA be mapped to other international frameworks?

Yes, DORA's ICT risk management, incident reporting, testing, and third-party oversight elements align with established resilience practices, facilitating mapping to comparable frameworks. Its structured pillars—proportional controls, 4/72-hour reporting timelines, and TLPT—support integration while maintaining finance-specific harmonization.

What is the first step to begin implementing DORA?

The first step to implement DORA is conducting a gap analysis against the ICT risk management framework RTS published January 17, 2024. This identifies deficiencies in strategies, policies, and controls, enabling establishment of a comprehensive framework overseen by the management body, to meet the January 17, 2025 application requirements.

What is the primary objective of ISO 13485?

ISO 13485:2016 specifies requirements for a quality management system (QMS) where organizations demonstrate ability to consistently provide medical devices and related services that meet customer and applicable regulatory requirements. This standard applies to one or more stages of the medical device lifecycle, including design, production, distribution, installation, servicing, and decommissioning. It emphasizes documented processes, risk-based controls, validation, traceability, and post-market obligations across Clauses 4–8.

Who is legally or professionally required to comply with ISO 13485?

ISO 13485 applies to organizations involved in medical device lifecycle stages, including manufacturers, contract manufacturers, suppliers of sterile services, distributors, importers, and service providers. It targets entities whose activities affect device safety and performance, requiring identification of regulatory roles and incorporation of applicable requirements into the QMS. Certification serves as a proxy for regulatory maturity, especially under EU MDR and the active FDA QMSR alignment.

Does ISO 13485 require an external audit or third-party certification?

ISO 13485 certification is performed by accredited certification bodies through a two-stage process: Stage 1 (documentation review) and Stage 2 (implementation audit), followed by annual surveillance and triennial recertification. While the standard itself does not mandate certification, regulators and notified bodies expect ISO 13485-level QMS rigor, making third-party audits essential for market access and supply chain acceptance.

How often should an assessment for ISO 13485 be performed?

Internal audits for ISO 13485 must be conducted at planned intervals per Clause 8.2.4, with frequency determined by process risk, prior findings, and regulatory changes. Management reviews occur at planned intervals (Clause 5.6), typically annually, reviewing inputs like audits, complaints, CAPA, and performance data. Certification involves annual surveillance audits and full recertification every three years.

What are the consequences of non-compliance with ISO 13485?

Non-compliance with ISO 13485 risks regulatory enforcement, including product holds, recalls, market withdrawal, fines, and loss of authorization. Weaknesses in QMS elements like design controls, validation, or post-market surveillance lead to audit nonconformities, FDA Form 483 observations, or EU notified body findings, escalating to certification suspension and supply chain exclusion.

An ISO 13485 be mapped to other international frameworks?

ISO 13485 provides Annex B correspondence to ISO 9001:2015 but excludes certain requirements, preventing dual claims without full adherence. It aligns with ISO 14971 for risk management, IEC 62366-1 for usability, and supports regulatory mappings like EU MDR/IVDR annexes, serving as a backbone for harmonized compliance.

What is the first step to begin implementing ISO 13485?

The first step for ISO 13485 implementation is defining QMS scope per Clause 4.1, including organizational roles, applicable regulatory requirements, processes, exclusions with justifications, and outsourced process controls. Document this in the quality manual alongside a gap analysis against Clauses 4–8 to prioritize risk-based remediation.

Standards Comparison

DORA vs ISO 13485

DORA

Mandatory

2023

EU regulation for digital operational resilience in financial sector

ISO 13485

Mandatory

2016

International standard for medical device quality management systems

Quick Verdict

DORA mandates ICT resilience for EU financial entities against cyber threats, while ISO 13485 provides voluntary QMS certification for medical device makers ensuring safety and regulatory compliance. Firms adopt DORA for legal compliance, ISO 13485 for market access and quality assurance.

Digital Operational Resilience

DORA

Regulation (EU) 2022/2554 Digital Operational Resilience Act

Cost

€€€€

Complexity

High

Implementation Time

18-24 months

Key Features

Mandates comprehensive ICT risk management frameworks overseen by management body
Enforces 4-hour initial reporting for major ICT incidents
Requires triennial threat-led penetration testing for critical functions
Establishes direct ESAs oversight of critical ICT third-party providers
Harmonizes digital resilience standards across 27 EU member states

Quality Management

ISO 13485

ISO 13485:2016 Medical devices Quality management systems

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based controls for QMS processes
Design and development controls with validation
Post-market surveillance and complaint handling
Supplier evaluation and purchasing controls
Traceability via medical device files

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

DORA Details

What It Is

The Digital Operational Resilience Act (DORA), formally Regulation (EU) 2022/2554, is an EU-wide regulatory framework enhancing digital operational resilience against ICT disruptions like cyberattacks and third-party failures. It applies to 20 financial entity types and critical ICT providers (~22,000 entities), using a risk-based, proportional methodology integrated with business strategies.

Key Components

**ICT Risk ManagementFrameworks for risk identification, mitigation, and annual reviews.
**Incident Reporting4-hour notifications, 72-hour updates for major incidents (>5% impact or €100k+ losses).
**Resilience TestingAnnual vulnerability scans; triennial TLPT for critical operations.
**Third-Party OversightContractual controls, monitoring, ESAs supervision of CTPPs. Compliance via RTS/ITS standards, reporting, no certification but mandatory audits.

Why Organizations Use It

Mandatory for EU finance to avert 2% turnover fines, amid 74% ransomware exposure. Builds resilience, harmonizes rules, boosts trust, spurs €10-15B cybersecurity investments.

Implementation Overview

Gap analysis, framework/policy development, testing/vendor programs. Targets EU financial sector; proportionality for SMEs. Fully applicable since January 17, 2025; ongoing ESAs oversight.

ISO 13485 Details

What It Is

ISO 13485:2016 is the international standard titled Medical devices — Quality management systems — Requirements for regulatory purposes. It provides a certifiable framework for risk-based QMS tailored to medical devices across their lifecycle, from design to post-market surveillance.

Key Components

Organized into Clauses 4–8 covering QMS, management responsibility, resources, product realization, and measurement/improvement.
Emphasizes documented processes, validation, traceability, supplier controls, and ISO 14971 risk integration.
Requires quality manual, medical device files, and certification via accredited bodies.

Why Organizations Use It

Enables market access (EU MDR, FDA QMSR alignment as of 2026) and reduces regulatory risks.
Drives patient safety, cost savings via fewer recalls, and supply chain resilience.
Builds stakeholder trust and competitive edge in partnerships.

Implementation Overview

Phased approach: gap analysis, process design, validation, audits.
Suited for manufacturers, suppliers, all sizes; global applicability.
Culminates in Stage 1/2 certification audits, ongoing surveillance. (178 words)

Key Differences

Aspect	DORA	ISO 13485
Scope	Digital operational resilience against ICT disruptions	Quality management for medical device lifecycle
Industry	EU financial sector and critical ICT providers	Global medical device manufacturers and suppliers
Nature	Mandatory EU regulation with enforcement	Voluntary certification standard for compliance
Testing	Annual basic tests, triennial TLPT	Internal audits, process validation, certification audits
Penalties	Up to 2% global turnover fines	Loss of certification, no direct legal penalties

Scope

DORA

Digital operational resilience against ICT disruptions

ISO 13485

Quality management for medical device lifecycle

Industry

DORA

EU financial sector and critical ICT providers

ISO 13485

Global medical device manufacturers and suppliers

Nature

DORA

Mandatory EU regulation with enforcement

ISO 13485

Voluntary certification standard for compliance

Testing

DORA

Annual basic tests, triennial TLPT

ISO 13485

Internal audits, process validation, certification audits

Penalties

DORA

Up to 2% global turnover fines

ISO 13485

Loss of certification, no direct legal penalties

Frequently Asked Questions

Common questions about DORA and ISO 13485

DORA FAQ

ISO 13485 FAQ

You Might also be Interested in These Articles...

The 2026 Cyber Essentials Hybrid Audit Checklist: Gathering Unassailable Proof Across M365, AWS, and Azure

Build an evidence vault that passes Cyber Essentials Plus audits in 2026. Practical guidance on firewalls, secure configuration, and malware protection across M

HITRUST CSF MyCSF Platform Mastery: Infograph of Evidence Tagging Workflows and Top 5 Maturity Tier Acceleration Takeaways

Master MyCSF platform with infographics on evidence tagging for 1,400+ HITRUST controls across 19 domains. Cut documentation by 30%, boost Measured/Managed tier

Real-World ISO 27701 Success: Synthesized Case Studies, Metrics, and Lessons for Privacy Resilience

Real-world ISO 27701 success from Tribeca, Kocho: DSAR efficiency gains, risk score reductions, certification ROI. Synthesized metrics prove privacy resilience

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how DORA and ISO 13485 compare against other standards

Other DORA Comparisons

Other ISO 13485 Comparisons

What It Is

Key Components

**ICT Risk ManagementFrameworks for risk identification, mitigation, and annual reviews.

**Incident Reporting4-hour notifications, 72-hour updates for major incidents (>5% impact or €100k+ losses).

**Resilience TestingAnnual vulnerability scans; triennial TLPT for critical operations.

**Third-Party OversightContractual controls, monitoring, ESAs supervision of CTPPs. Compliance via RTS/ITS standards, reporting, no certification but mandatory audits.

Key Components

Organized into Clauses 4–8 covering QMS, management responsibility, resources, product realization, and measurement/improvement.

Emphasizes documented processes, validation, traceability, supplier controls, and ISO 14971 risk integration.

Requires quality manual, medical device files, and certification via accredited bodies.

Aspect

DORA

ISO 13485

Scope

Digital operational resilience against ICT disruptions

Quality management for medical device lifecycle

Industry

EU financial sector and critical ICT providers

Global medical device manufacturers and suppliers

Nature

Mandatory EU regulation with enforcement

Voluntary certification standard for compliance

Testing

Annual basic tests, triennial TLPT

Internal audits, process validation, certification audits

Penalties

Up to 2% global turnover fines

Loss of certification, no direct legal penalties