What is the primary objective of **DORA**?

**The primary objective of DORA is to strengthen the digital operational resilience of the EU financial sector against ICT disruptions, including cyberattacks, system failures, and third-party risks.** Regulation (EU) 2022/2554 mandates ICT risk management, incident reporting, resilience testing, and third-party oversight for 20 types of financial entities and critical ICT third-party providers (CTPPs), entering full application on January 17, 2025.

Who is legally or professionally required to comply with **DORA**?

**DORA applies to 20 types of financial entities, including credit institutions, insurance undertakings, investment firms, payment institutions, and crypto-asset service providers, plus critical ICT third-party providers (CTPPs).** Approximately 22,000 EU-regulated entities must comply, with CTPPs like cloud providers subject to ESA oversight; proportionality tailors requirements to size, complexity, and risk exposure.

Does **DORA** require an external audit or third-party certification?

**DORA does not mandate external audits or third-party certification but requires independent digital operational resilience testing, including annual basic tests and triennial threat-led penetration testing (TLPT) for critical entities.** Testing may involve external providers, with results reported to authorities; third-party oversight includes contractual audit rights for CTPPs.

How often should an assessment for **DORA** be performed?

**DORA requires annual basic ICT resilience tests, such as vulnerability assessments, and triennial advanced TLPT for critical or designated entities.** ICT risk management frameworks must undergo annual reviews, with ongoing monitoring of third-party risks and incident response simulations aligned to evolving threats.

What are the consequences of non-compliance with **DORA**?

**Non-compliance with DORA can result in administrative fines up to 2% of total global annual turnover for firms or €5 million (or 10% of annual salary) for individuals.** Competent authorities and ESAs impose penalties, alongside reputational damage, remediation orders, and potential restrictions on operations for ~22,000 entities post-January 17, 2025.

An **DORA** be mapped to other international frameworks?

**Yes, DORA's ICT risk management, incident reporting, testing, and third-party oversight elements can be mapped to other international frameworks, though it stands as a sector-specific EU regulation.** Financial entities often align it with pre-existing guidelines like EBA ICT rules, leveraging overlaps in resilience practices for efficiency.

What is the first step to begin implementing **DORA**?

**The first step to implement DORA is conducting a gap analysis against the ICT risk management framework RTS published January 17, 2024.** This identifies deficiencies in strategies, policies, incident classification, third-party dependencies, and testing plans, enabling prioritization ahead of the January 17, 2025 deadline.

What is the primary objective of **WELL**?

**The primary objective of WELL is to design, operate, and verify buildings that advance human health and well-being through evidence-based performance outcomes.** Administered by the International WELL Building Institute (IWBI), WELL v2 organizes requirements across **10 concepts**—**Air, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, and Community**—plus **Innovation**. It mandates **24 Preconditions** (pass/fail minimums) and enables points from **102 Optimizations** for certification tiers: **Bronze (40 points)**, **Silver (50 points, min 1 per concept)**, **Gold (60 points, min 2 per concept)**, **Platinum (80 points, min 3 per concept)**.

Who is legally or professionally required to comply with **WELL**?

**WELL is voluntary with no legal mandates, but professionally required for organizations pursuing certification or tenant-specified health performance.** Applicable to owners, developers, and operators of new/existing buildings via pathways like **WELL Certification** (owner-controlled), **WELL Core** (base buildings, ≥75% leased), and **WELL for Residential**. Corporate real estate, facilities, HR, and ESG teams in offices, hospitality, education, and healthcare adopt it for occupant health, productivity, and ESG metrics.

Does **WELL** require an external audit or third-party certification?

**Yes, WELL mandates third-party documentation review and on-site performance verification (PV) by authorized WELL Performance Testing Agents.** PV tests air (e.g., **CO₂ ≤900 ppm**), water, light, sound, and thermal comfort at ≥50% occupancy. Includes two review rounds (preliminary/final) via IWBI platform, ensuring measured outcomes over documentation alone.

How often should an assessment for **WELL** be performed?

**WELL requires recertification every three years, with annual reporting for monitored features like air quality.** Ongoing assessments via continuous monitoring (e.g., **CO₂, PM2.5**) support compliance; pre-testing recommended for high-risk Preconditions (e.g., Air near highways).

What are the consequences of non-compliance with **WELL**?

**Non-compliance prevents certification award and incurs fees for curative reviews or appeals.** Failed PV leads to remediation delays, added testing costs, and no WELL designation, risking reputational harm, lost ESG value, tenant churn, and missed premiums (e.g., 4-6% higher rents for certified spaces).

An **WELL** be mapped to other international frameworks?

**No, these FAQs address WELL independently per standalone requirements.**

What is the first step to begin implementing **WELL**?

**The first step is project enrollment in the IWBI digital platform and scorecard development targeting Preconditions and certification tier.** Conduct gap analysis/pre-testing for risks like Air (A01/A03) and Water, assembling cross-functional team (facilities, HR, design).

DORA vs WELL | GRADUM

Standards Comparison

DORA

Mandatory

2023

EU regulation for digital operational resilience in finance

WELL

Voluntary

2014

Performance-based certification for occupant health in buildings

Quick Verdict

DORA mandates ICT resilience for EU financial firms via risk management and testing, while WELL voluntarily certifies buildings for occupant health through performance verification. Finance adopts DORA for compliance; real estate pursues WELL for ESG differentiation and productivity gains.

Digital Operational Resilience

DORA

Regulation (EU) 2022/2554 Digital Operational Resilience Act

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Mandates comprehensive ICT risk management frameworks
Standardizes 4-hour incident reporting for disruptions
Requires triennial threat-led penetration testing (TLPT)
Oversees critical third-party ICT providers (CTPPs)
Applies proportionality to entity size and risk

Building Health & Wellness

WELL

WELL Building Standard v2

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

10 core concepts for comprehensive occupant health
Mandatory preconditions and point-based optimizations
On-site performance verification testing required
Certification tiers from Bronze to Platinum
Continuous monitoring and annual reporting pathways

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

DORA Details

What It Is

DORA, formally Regulation (EU) 2022/2554, is a transformative EU regulation strengthening digital operational resilience of the financial sector against ICT risks like cyberattacks and outages. Applicable to 20 financial entity types and critical third-party providers (~22,000 entities), it employs a risk-based, proportional approach for harmonized resilience.

Key Components

**ICT Risk ManagementComprehensive frameworks with identification, mitigation, and annual reviews.
**Incident Reporting4-hour notifications, 72-hour updates for major incidents (>5% users or €100k loss).
**Resilience TestingAnnual basic tests, triennial TLPT for critical functions.
**Third-Party OversightDue diligence, monitoring, ESAs supervision of CTPPs. Built on proactive principles; compliance via authority oversight, no certification.

Why Organizations Use It

Mandated by law with fines up to 2% global turnover. Mitigates systemic cyber risks (74% firms hit by ransomware), enhances third-party controls, boosts stakeholder trust amid threats like CrowdStrike outage. Drives cybersecurity investments (€10-15B EU-wide).

Implementation Overview

Conduct gap analyses against RTS/ITS (2024 batches), develop policies, train staff, integrate testing/vendor management. Tailored to size/complexity, EU financial sector focus; involves reporting to authorities, JET audits for CTPPs.

WELL Details

What It Is

The WELL Building Standard (WELL v2) is a performance-based certification framework administered by the International WELL Building Institute (IWBI). It focuses on designing, operating, and verifying buildings to advance human health and well-being through evidence-based strategies. Its people-first approach emphasizes indoor environmental quality, policies, and measurable outcomes across new and existing structures.

Key Components

**10 core conceptsAir, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, Community (plus Innovation).
24 Preconditions (mandatory) and 102 Optimizations (point-based).
Built on public health and building science research.
Certification tiers: Bronze (40 points), Silver (50), Gold (60), Platinum (80), with concept minimums at higher levels.

Why Organizations Use It

Enhances occupant productivity, retention, and ESG reporting.
Voluntary but drives competitive leasing premiums and risk mitigation.
Builds stakeholder trust via verified health metrics.
Complements LEED for holistic sustainability.

Implementation Overview

Phased: gap analysis, design integration, verification, operations.
Involves documentation, on-site testing, continuous monitoring.
Applicable to all building types, sizes, globally.
Requires third-party review and performance verification.

Key Differences

Aspect	DORA	WELL
Scope	Digital operational resilience in finance	Human health and well-being in buildings
Industry	EU financial sector only	All building types worldwide
Nature	Mandatory EU regulation	Voluntary performance certification
Testing	Annual basic, triennial TLPT	On-site performance verification
Penalties	Up to 2% global turnover fines	Loss of certification only

Scope

DORA

Digital operational resilience in finance

WELL

Human health and well-being in buildings

Industry

DORA

EU financial sector only

WELL

All building types worldwide

Nature

DORA

Mandatory EU regulation

WELL

Voluntary performance certification

Testing

DORA

Annual basic, triennial TLPT

WELL

On-site performance verification

Penalties

DORA

Up to 2% global turnover fines

WELL

Loss of certification only

Frequently Asked Questions

Common questions about DORA and WELL

DORA FAQ

WELL FAQ

You Might also be Interested in These Articles...

SEC Cybersecurity Rules Implementation Guide: Mastering Form 8-K Item 1.05 Materiality Determination and 4-Business-Day Reporting Workflow

Master SEC Form 8-K Item 1.05 compliance with step-by-step materiality assessment, incident workflows & Inline XBRL tagging. Beat the 4-business-day clock. Esse

ISO 27701 2025 Update: Navigating Standalone Certification Myths, Audit Realities, and a 90-Day PIMS Launch Plan

Debunk ISO 27701 2025 standalone certification myths vs ISO 27001. Get a 90-day PIMS launch roadmap, checklists & audit prep to certify faster amid global priva

The CIS Controls v8.1 Evidence Pack: What Auditors Ask For (and How to Produce Proof Fast)

Fail CIS Controls v8.1 audits due to missing evidence? Get the blueprint: exact artifacts auditors want, repository structure, and automation from security tool

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

ISO 27001 vs FISMA

ISO 27001 vs FISMA: Global ISMS standard meets US federal cybersecurity law. Uncover key differences, implementation strategies, compliance benefits & resilience gains. Choose right now!

ISO 14001 vs PMBOK

ISO 14001 vs PMBOK: Compare EMS standard for env compliance with project mgmt guide for risk, lifecycle & integration. Boost strategy & efficiency—explore now!

NIST CSF vs CE Marking

Compare NIST CSF vs CE Marking: Cyber risk framework meets EU product safety rules. Uncover key differences, benefits & pick the best for compliance success now.

DORA

WELL

Quick Verdict

DORA

Key Features

WELL

Key Features

Detailed Analysis

DORA Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

WELL Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

DORA FAQ

What is the primary objective of DORA?

Who is legally or professionally required to comply with DORA?

Does DORA require an external audit or third-party certification?

How often should an assessment for DORA be performed?

What are the consequences of non-compliance with DORA?

An DORA be mapped to other international frameworks?

What is the first step to begin implementing DORA?

WELL FAQ

What is the primary objective of WELL?

Who is legally or professionally required to comply with WELL?

Does WELL require an external audit or third-party certification?

How often should an assessment for WELL be performed?

What are the consequences of non-compliance with WELL?

An WELL be mapped to other international frameworks?

What is the first step to begin implementing WELL?

You Might also be Interested in These Articles...

SEC Cybersecurity Rules Implementation Guide: Mastering Form 8-K Item 1.05 Materiality Determination and 4-Business-Day Reporting Workflow

ISO 27701 2025 Update: Navigating Standalone Certification Myths, Audit Realities, and a 90-Day PIMS Launch Plan

The CIS Controls v8.1 Evidence Pack: What Auditors Ask For (and How to Produce Proof Fast)

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

ISO 27001 vs FISMA

ISO 14001 vs PMBOK

NIST CSF vs CE Marking