What is the primary objective of DORA?

The primary objective of DORA is to strengthen the digital operational resilience of the EU financial sector against ICT disruptions, including cyberattacks, system failures, and third-party risks. Regulation (EU) 2022/2554 mandates proactive ICT risk management, incident reporting, resilience testing, and third-party oversight for 20 financial entity types and critical ICT third-party providers (CTPPs), applying fully since January 17, 2025.

Who is legally or professionally required to comply with DORA?

DORA legally requires compliance from approximately 22,000 EU-regulated financial entities across 20 types, including credit institutions, insurance undertakings, investment firms, payment institutions, and crypto-asset service providers, plus designated CTPPs. Critical ICT providers like cloud and data analytics firms face direct ESA oversight via Joint Examination Teams (JETs).

Does DORA require an external audit or third-party certification?

DORA does not mandate external audits or third-party certification but requires independent, risk-based digital operational resilience testing, including annual basic tests and triennial threat-led penetration testing (TLPT) for critical entities. Testing may involve external providers, with results reported to authorities and remediated promptly, per Batch 2 RTS/ITS (July 17, 2024).

How often should an assessment for DORA be performed?

DORA-mandated assessments include annual basic ICT resilience tests for all entities and triennial advanced TLPT for critical or designated entities. ICT risk management frameworks must undergo annual reviews, with proportionality applied based on entity size, complexity, and risk exposure.

What are the consequences of non-compliance with DORA?

Non-compliance with DORA can result in administrative penalties determined by Member States for firms, and periodic penalty payments up to 1% of average daily worldwide turnover for CTPPs, imposed by ESAs or competent authorities. Additional measures include oversight fees up to €1 million annually for CTPPs and reputational damage from public reporting.

An DORA be mapped to other international frameworks?

Yes, DORA's ICT risk management, incident reporting, testing, and third-party oversight elements can be mapped to other international frameworks, leveraging existing structures like pre-DORA EBA guidelines. Financial entities often align DORA's proportional controls, such as 4-hour incident notifications and RTOs under 4 hours, with global resilience standards for streamlined implementation.

What is the first step to begin implementing DORA?

The first step to implement DORA is to conduct a gap analysis against the ICT risk management framework RTS (Batch 1, January 17, 2024) to identify deficiencies in strategies, policies, and controls. Establish management body oversight and map ICT dependencies, prioritizing third-party risks and incident classification thresholds like >5% user impact or €100,000+ losses.

What is the primary objective of ISO/IEC 42001:2023?

The primary objective of ISO/IEC 42001:2023 is to establish requirements for an Artificial Intelligence Management System (AIMS) to manage AI risks and opportunities responsibly across the full AI lifecycle. Published in December 2023 by ISO/IEC JTC 1/SC 42, it employs the Plan-Do-Check-Act (PDCA) methodology and High-Level Structure (HLS) via Clauses 4-10, addressing AI-specific issues like bias, transparency, and model drift through Annex A controls (39 AI-specific) and mandatory AI Impact Assessments (AIIAs) for high-risk systems.

Who is legally or professionally required to comply with ISO/IEC 42001:2023?

ISO/IEC 42001:2023 applies universally to any organization developing, providing, or using AI-based products/services, regardless of size, type, or complexity. It covers all roles—AI developers, providers, producers, users—with role-based scoping (e.g., excluding non-applicable controls like A.5.4 data-for-training if justified in Clause 4.3 scope statements). No legal mandates exist, but it is professionally essential for regulatory alignment (e.g., EU AI Act high-risk systems) and procurement (e.g., Microsoft SSPA requirements).

Does ISO/IEC 42001:2023 require an external audit or third-party certification?

ISO/IEC 42001:2023 does not require external audits or third-party certification, as it is a voluntary standard. Certification is pursued via accredited bodies (e.g., UKAS, ANAB like Schellman/BSI) through two-stage audits validating AIMS implementation, with 3-year validity and annual surveillance. Early adopters like Microsoft (Copilot), UiPath (5 months), and Darktrace (11 months) demonstrate its practicality for credibility.

How often should an assessment for ISO/IEC 42001:2023 be performed?

Assessments for ISO/IEC 42001:2023 must be performed continually via Clause 9 monitoring, with internal audits, management reviews, and AIIAs at least annually or upon significant changes. Clause 10 requires addressing non-conformities and improvements, including post-deployment model monitoring (e.g., drift KPIs like F1-score delta ≤0.03) and risk reassessments per PDCA, ensuring adaptability to AI evolution.

What are the consequences of non-compliance with ISO/IEC 42001:2023?

Non-compliance with ISO/IEC 42001:2023 carries no direct legal penalties, as it is voluntary, but results in lost competitive advantages like procurement disqualification and heightened regulatory risks. Unmanaged AI risks (e.g., bias via absent AIIAs) expose organizations to EU AI Act fines for high-risk systems, reputational damage, insurance premium hikes (up to 15% higher), and failed tenders (e.g., Microsoft SSPA mandates).

An ISO/IEC 42001:2023 be mapped to other international frameworks?

Yes, ISO/IEC 42001:2023 maps seamlessly to other international frameworks due to its Annex SL High-Level Structure (HLS) and PDCA foundation. It integrates with standards like ISO 9001 and ISO/IEC 27001 (64% evidence overlap, cutting implementation to 4.5 months), NIST AI RMF (crosswalks available), and ISO 31000, enabling "One-MMS" hybrid systems for AI governance.

What is the first step to begin implementing ISO/IEC 42001:2023?

The first step to implement ISO/IEC 42001:2023 is determining the organizational context and AIMS scope per Clause 4. Conduct a cross-functional gap analysis of internal/external issues (4.1), interested parties (4.2), and boundaries (4.3, e.g., role as AI provider/user), justifying exclusions and prioritizing high-risk AI for AIIAs.

Standards Comparison

DORA vs ISO/IEC 42001:2023

DORA

Mandatory

2023

EU regulation for digital operational resilience in financial sector

ISO/IEC 42001:2023

Voluntary

2023

International standard for AI management systems

Quick Verdict

DORA mandates ICT resilience for EU finance against disruptions, while ISO/IEC 42001:2023 is a voluntary global standard for responsible AI governance. Financial firms adopt DORA for regulatory compliance; AI organizations pursue 42001 for ethical trust and certification.

Digital Operational Resilience

DORA

Regulation (EU) 2022/2554 Digital Operational Resilience Act

Cost

€€€€

Complexity

High

Implementation Time

18-24 months

Key Features

Mandates comprehensive ICT risk management frameworks
Requires 4-hour reporting for major ICT incidents
Enforces triennial threat-led penetration testing (TLPT)
Oversees critical third-party ICT providers (CTPPs)
Harmonizes resilience across 27 EU member states

AI Management

ISO/IEC 42001:2023

ISO/IEC 42001:2023 Artificial Intelligence Management System

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

PDCA-based framework for AI governance
Mandatory AI Impact Assessments for high-risk systems
39 AI-specific controls in Annex A
Full AI lifecycle management controls
Seamless integration with ISO 27001 HLS

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

DORA Details

What It Is

Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, is an EU regulation strengthening ICT resilience for financial entities against disruptions like cyberattacks. It targets 20 financial types and critical third-party providers (CTPPs), employing a risk-based, proportional approach across 27 member states.

Key Components

**ICT Risk ManagementFrameworks for identification, protection, detection, response, recovery; annual reviews.
**Incident Reporting4-hour initial, 72-hour updates, 1-month root-cause analysis for major incidents.
**Resilience TestingAnnual basic tests, triennial TLPT for critical functions.
**Third-Party OversightDue diligence, monitoring, ESAs supervision of CTPPs. Enforced via RTS/ITS, with periodic penalties up to 1% average daily worldwide turnover for CTPPs.

Why Organizations Use It

Mandated for ~22,000 entities to avoid penalties, counter 74% ransomware prevalence, ensure continuity amid threats like CrowdStrike outage, build trust, harmonize compliance.

Implementation Overview

Conduct gap analyses, develop policies, implement testing/monitoring; proportional by size/complexity. EU financial sector focus, fully applicable since January 17, 2025; ESAs oversight, no formal certification.

ISO/IEC 42001:2023 Details

What It Is

ISO/IEC 42001:2023 is the world's first international standard for Artificial Intelligence Management Systems (AIMS). It specifies requirements to establish, implement, maintain, and improve AIMS, managing AI risks and opportunities responsibly. Applicable universally, it uses Plan-Do-Check-Act (PDCA) and High-Level Structure (HLS) for governance across AI lifecycles.

Key Components

Clauses 4-10: context, leadership, planning, support, operations, evaluation, improvement.
**Annex A39 AI-specific controls (e.g., bias mitigation, transparency, third-party risks).
Mandatory AI Impact Assessments (AIIAs) for high-risk AI.
Third-party certification with 3-year validity, annual surveillance audits.

Why Organizations Use It

Mitigates AI risks like bias, drift, ethics; fosters innovation.
Aligns with EU AI Act, NIST; enhances compliance.
Builds trust, reputation (e.g., Microsoft Copilot certification).
Cost savings via ISO 27001/9001 integration; competitive differentiation.

Implementation Overview

Phased: gap analysis, policies, AIIAs, training, audits.
Suits all sizes/sectors; 6-12 months typical with tools like ISMS.online.
Requires leadership, resources, 3+ months operational data.

Key Differences

Aspect	DORA	ISO/IEC 42001:2023
Scope	Digital operational resilience in finance against ICT risks	AI management systems across full AI lifecycle
Industry	EU financial entities and critical ICT providers	All industries, organizations worldwide
Nature	Mandatory EU regulation with enforcement	Voluntary international certification standard
Testing	Annual basic tests, triennial TLPT for critical	Audits, AIIAs, continuous monitoring via PDCA
Penalties	Up to 2% global turnover fines	Loss of certification, no legal penalties

Scope

DORA

Digital operational resilience in finance against ICT risks

ISO/IEC 42001:2023

AI management systems across full AI lifecycle

Industry

DORA

EU financial entities and critical ICT providers

ISO/IEC 42001:2023

All industries, organizations worldwide

Nature

DORA

Mandatory EU regulation with enforcement

ISO/IEC 42001:2023

Voluntary international certification standard

Testing

DORA

Annual basic tests, triennial TLPT for critical

ISO/IEC 42001:2023

Audits, AIIAs, continuous monitoring via PDCA

Penalties

DORA

Up to 2% global turnover fines

ISO/IEC 42001:2023

Loss of certification, no legal penalties

Frequently Asked Questions

Common questions about DORA and ISO/IEC 42001:2023

DORA FAQ

ISO/IEC 42001:2023 FAQ

You Might also be Interested in These Articles...

The Tool Landscape for Reaching and Maintaining ISO 27701 Compliance

Discover the top tools for ISO 27701 compliance. Compare functionality, complexity, costs, and benefits to choose the best solution for your privacy program. Ac

The NIS2 "FTE Trap": Why 5 Analysts for 24/7 Security is Actually 8 (and Why the Board Needs to Know)

Exposed: NIS2 FTE Trap math shows 5 analysts fail 24/7 coverage due to sickness, training, leave & 2026 churn. Line-by-line breakdown for compliance. Alert your

You Guide on how to Start Implementing NIS2 in Your Organization

Master NIS2 implementation with our detailed guide. Learn requirements, risk assessment, supply chain security, and compliance steps for your organization. Star

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how DORA and ISO/IEC 42001:2023 compare against other standards

Other DORA Comparisons

Other ISO/IEC 42001:2023 Comparisons

What It Is

Key Components

**ICT Risk ManagementFrameworks for identification, protection, detection, response, recovery; annual reviews.

**Incident Reporting4-hour initial, 72-hour updates, 1-month root-cause analysis for major incidents.

**Resilience TestingAnnual basic tests, triennial TLPT for critical functions.

**Third-Party OversightDue diligence, monitoring, ESAs supervision of CTPPs. Enforced via RTS/ITS, with periodic penalties up to 1% average daily worldwide turnover for CTPPs.

What It Is

Key Components

Clauses 4-10: context, leadership, planning, support, operations, evaluation, improvement.

**Annex A39 AI-specific controls (e.g., bias mitigation, transparency, third-party risks).

Mandatory AI Impact Assessments (AIIAs) for high-risk AI.

Third-party certification with 3-year validity, annual surveillance audits.

Aspect

DORA

ISO/IEC 42001:2023

Scope

Digital operational resilience in finance against ICT risks

AI management systems across full AI lifecycle

Industry

EU financial entities and critical ICT providers

All industries, organizations worldwide

Nature

Mandatory EU regulation with enforcement

Voluntary international certification standard

Testing

Annual basic tests, triennial TLPT for critical

Audits, AIIAs, continuous monitoring via PDCA

Penalties

Up to 2% global turnover fines

Loss of certification, no legal penalties