What is the primary objective of DORA?

The primary objective of DORA is to strengthen the digital operational resilience of the EU financial sector against ICT disruptions, including cyberattacks, system failures, and third-party risks. Regulation (EU) 2022/2554 mandates proactive ICT risk management, incident reporting, resilience testing, and third-party oversight for 20 types of financial entities and critical ICT third-party providers (CTPPs), which entered full application on January 17, 2025.

Who is legally or professionally required to comply with DORA?

DORA applies to approximately 22,000 EU-regulated financial entities across 20 types, including credit institutions, insurance undertakings, investment firms, payment institutions, and crypto-asset service providers, plus critical ICT third-party providers (CTPPs). Critical providers like cloud and data analytics firms face direct ESA oversight, with designations established by end-2025.

Does DORA require an external audit or third-party certification?

DORA does not mandate external audits or third-party certification but requires independent digital operational resilience testing, including annual basic tests and triennial threat-led penetration testing (TLPT) for critical entities. Testing must be risk-based, with results reported to authorities; third-party oversight includes contractual audit rights for CTPPs.

How often should an assessment for DORA be performed?

DORA requires annual basic ICT resilience tests for all in-scope entities and triennial advanced threat-led penetration testing (TLPT) for critical or designated entities. ICT risk management frameworks must undergo annual reviews, with testing tailored proportionally to size, complexity, and risk exposure per ESAs' RTS.

What are the consequences of non-compliance with DORA?

Non-compliance with DORA can result in administrative fines up to 2% of total global annual turnover for firms or €5 million (or 10% of annual salary) for individuals, imposed by ESAs or competent authorities. Additional penalties include oversight fees up to €1 million annually for CTPPs and reputational damage from public reporting.

Can DORA be mapped to other international frameworks?

Yes, DORA's ICT risk management, incident reporting, testing, and third-party oversight elements can be mapped to other international frameworks, leveraging existing compliance for efficiency. Financial entities often align DORA's proportional controls and reporting timelines with prior EBA guidelines or sector-specific rules like Solvency II.

What is the first step to begin implementing DORA?

The first step to implement DORA is to conduct a gap analysis against the ESAs' Regulatory Technical Standards (RTS) on ICT risk frameworks, published January 17, 2024. This identifies deficiencies in ICT strategies, incident classification, third-party dependencies, and testing plans to align with the requirements enforced since January 17, 2025.

What is the primary objective of TOGAF?

TOGAF's primary objective is to provide a vendor-neutral methodology and framework for designing, planning, implementing, and governing enterprise architecture to improve business efficiency. The Architecture Development Method (ADM) enables iterative development across business, data, application, and technology domains, supported by the Content Framework, Enterprise Continuum, and Architecture Capability Framework for consistent standards, reuse, and alignment of strategy with IT execution.

Who is legally or professionally required to comply with TOGAF?

No organizations are legally required to comply with TOGAF, as it is a voluntary, vendor-neutral standard developed by The Open Group. Professionally, large enterprises, government agencies, and regulated sectors (e.g., finance, defense) adopt it for enterprise architecture governance; leading organizations use it to standardize practices, with over 1 million certified practitioners ensuring consistent application.

Does TOGAF require an external audit or third-party certification?

TOGAF does not require external audits or third-party certification for framework compliance. Organizations establish internal Architecture Boards for governance and compliance reviews via the Architecture Capability Framework; The Open Group offers practitioner certifications (e.g., TOGAF 9.2, 10th Edition) to build skills, but these are optional for capability maturity.

How often should an assessment for TOGAF be performed?

TOGAF assessments, via the Architecture Capability Maturity Model (ACMM), should be performed initially during the Preliminary Phase and repeated quarterly or annually. Phase H (Architecture Change Management) mandates ongoing monitoring of change triggers, with iterative ADM cycles ensuring continual adaptation; maturity re-assessments track progress across nine elements like governance and business linkage.

What are the consequences of non-compliance with TOGAF?

Non-compliance with TOGAF results in no legal penalties, as it is not a mandated regulation. Internally, it leads to fragmented architectures, duplicated efforts, vendor lock-in, failed transformations, increased technical debt, and poor ROI; without ADM governance and reuse via Enterprise Continuum, organizations face higher costs, integration risks, and misaligned IT investments.

Can TOGAF be mapped to other international frameworks?

Yes, TOGAF can be mapped to other frameworks through its modular structure and integration guidance in the 10th Edition. The ADM and Content Metamodel align with complementary standards via tailored phases and Enterprise Continuum, enabling consistent governance while avoiding proprietary lock-in.

What is the first step to begin implementing TOGAF?

The first step to implement TOGAF is the Preliminary Phase to establish architecture capability. Define architecture principles, tailor the framework, set up the Architecture Repository, form the Architecture Board, and produce a Request for Architecture Work to scope and prepare the organization.

Standards Comparison

DORA vs TOGAF

DORA

Mandatory

2023

EU regulation for digital operational resilience in financial sector

TOGAF

Voluntary

2022

Vendor-neutral standard for enterprise architecture methodology

Quick Verdict

DORA mandates ICT resilience for EU finance firms with testing and fines, while TOGAF provides voluntary EA methodology for global enterprises to align business and IT. Firms adopt DORA for regulatory compliance, TOGAF for strategic efficiency.

Digital Operational Resilience

DORA

Digital Operational Resilience Act (Regulation (EU) 2022/2554)

Cost

€€€€

Complexity

High

Implementation Time

18-24 months

Key Features

Harmonized EU-wide ICT risk management frameworks
4-hour initial reporting for major ICT incidents
Mandatory triennial threat-led penetration testing
Oversight of critical third-party ICT providers
Proportionality principle by entity size and risk

Enterprise Architecture

TOGAF

The Open Group Architecture Framework (TOGAF)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Iterative Architecture Development Method (ADM) lifecycle
Content Framework and Metamodel for artifacts
Enterprise Continuum for asset classification and reuse
Reference models like TRM, SIB, and III-RM
Architecture Capability Framework with governance board

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

DORA Details

What It Is

Digital Operational Resilience Act (DORA), formally Regulation (EU) 2022/2554, is an EU regulation enhancing digital operational resilience of the financial sector against ICT risks like cyberattacks and failures. It targets 20 financial entity types and critical third-party providers (CTPPs) across 27 member states. Employs a risk-based, proportional approach with comprehensive ICT strategies.

Key Components

**ICT Risk Management FrameworksStrategies for risk identification, mitigation, and annual reviews.
**Incident Reporting4-hour initial, 72-hour intermediate, 1-month root-cause reports.
**Resilience TestingAnnual basic tests, triennial threat-led penetration testing (TLPT).
**Third-Party OversightDue diligence, monitoring, and ESAs supervision of CTPPs. Compliance enforced via RTS/ITS, penalties up to 2% global turnover.

Why Organizations Use It

Mandated for ~22,000 entities to avoid fines, bolster resilience amid 74% ransomware exposure. Enhances continuity, stakeholder trust, and integrates with EBA/NIS2 rules. Drives cybersecurity innovation and systemic risk mitigation.

Implementation Overview

Conduct gap analyses, develop frameworks, implement testing/vendor management. Applies EU-wide proportionally by size/complexity; fully enforced since January 17, 2025. Authority audits and ongoing reviews required.

TOGAF Details

What It Is

TOGAF® Standard (The Open Group Architecture Framework) is a vendor-neutral enterprise architecture framework and methodology. It provides a proven, iterative approach for designing, planning, implementing, and governing enterprise-wide change across business and IT. At its core is the Architecture Development Method (ADM), a cyclical lifecycle.

Key Components

**ADM phases10 phases from Preliminary to Change Management, spanning business, information systems, and technology domains.
**Content FrameworkDeliverables, artifacts, building blocks, and metamodel for structured outputs.
Enterprise Continuum and reference models (TRM, SIB, III-RM) for reuse.
Architecture Capability Framework for governance. Practitioner certification available, no organizational certification.

Why Organizations Use It

Aligns strategy with execution for efficiency, ROI, and reduced duplication.
Enables risk management, agility, and vendor neutrality.
Voluntary adoption drives competitive advantages like faster transformations and stakeholder trust.

Implementation Overview

Phased rollout with maturity assessment, tailoring, governance setup, pilots. Ideal for large enterprises across industries; requires training, tools, iterative ADM application.

Key Differences

Aspect	DORA	TOGAF
Scope	Digital operational resilience in finance	Enterprise architecture across business/IT
Industry	EU financial sector only	All industries worldwide
Nature	Mandatory EU regulation	Voluntary methodology/framework
Testing	Annual basic, triennial TLPT	Iterative ADM maturity assessments
Penalties	Up to 2% global turnover fines	No legal penalties

Scope

DORA

Digital operational resilience in finance

TOGAF

Enterprise architecture across business/IT

Industry

DORA

EU financial sector only

TOGAF

All industries worldwide

Nature

DORA

Mandatory EU regulation

TOGAF

Voluntary methodology/framework

Testing

DORA

Annual basic, triennial TLPT

TOGAF

Iterative ADM maturity assessments

Penalties

DORA

Up to 2% global turnover fines

TOGAF

No legal penalties

Frequently Asked Questions

Common questions about DORA and TOGAF

DORA FAQ

TOGAF FAQ

You Might also be Interested in These Articles...

Measuring CIS Controls v8.1 in the Real World: KPIs, Dashboards, and Automated Evidence for Continuous Assurance

Master CIS Controls v8.1 measurement with essential KPIs, executive-ready dashboards, and automated evidence collection for continuous assurance. Make complianc

NIST CSF 2.0 Govern Function Deep Dive: Building Executive Cybersecurity Governance from Scratch

Step-by-step blueprint for NIST CSF 2.0 Govern function: templates, RACI matrices, metrics to elevate cybersecurity governance to boardroom level. Reduce breach

From Hygiene to Governance: How to Scale Cyber Essentials into a Full ISO 27001 ISMS in 2026

Discover how to scale Cyber Essentials into a full ISO 27001 ISMS in 2026. Reuse evidence, map controls, meet DORA & NIS2 rules and win enterprise contracts.

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how DORA and TOGAF compare against other standards

Other DORA Comparisons

Other TOGAF Comparisons

What It Is

Key Components

**ICT Risk Management FrameworksStrategies for risk identification, mitigation, and annual reviews.

**Incident Reporting4-hour initial, 72-hour intermediate, 1-month root-cause reports.

**Resilience TestingAnnual basic tests, triennial threat-led penetration testing (TLPT).

**Third-Party OversightDue diligence, monitoring, and ESAs supervision of CTPPs. Compliance enforced via RTS/ITS, penalties up to 2% global turnover.

What It Is

Key Components

**ADM phases10 phases from Preliminary to Change Management, spanning business, information systems, and technology domains.

**Content FrameworkDeliverables, artifacts, building blocks, and metamodel for structured outputs.

Enterprise Continuum and reference models (TRM, SIB, III-RM) for reuse.

Architecture Capability Framework for governance. Practitioner certification available, no organizational certification.

Aspect

DORA

TOGAF

Scope

Digital operational resilience in finance

Enterprise architecture across business/IT

Industry

EU financial sector only

All industries worldwide

Nature

Mandatory EU regulation

Voluntary methodology/framework

Testing

Annual basic, triennial TLPT

Iterative ADM maturity assessments

Penalties

Up to 2% global turnover fines

No legal penalties