DORA simply explained: Glossary & Abbreviations from the EU Regulation

DORA simply explained: Terms, Abbreviations & Context
The DORA Regulation (EU 2022/2554) – officially the Digital Operational Resilience Act – is a milestone from the EU aiming for more digital stability in the financial sector. But the regulation is not only long and technical, it is filled with abbreviations, English buzzwords, and legal jargon.
This article helps make sense of it: What does TLPT, ICT, or RPO mean? Who or what is ENISA? And why does it matter?
We don’t just list terms alphabetically but put them into the real-life context of DORA compliance duties.
Why a glossary?
Regulatory texts like DORA use precise and legalistic language – often written from the perspective of legislators and supervisory bodies. For professionals in IT, risk, or procurement, many terms can feel abstract.
Example: The term “critical third-party provider” is legally defined in DORA – its designation by European authorities has legal implications. But the key question for an IT buyer is: “Does this apply to my cloud provider?”
The goal of this post is not only to deliver definitions but also to convey the relevance, meaning, and consequences of each term.
Key DORA Terms & Abbreviations
Abbr. | Term | Explanation & Context |
---|---|---|
DORA | Digital Operational Resilience Act | EU regulation for digital resilience in the financial sector. Enforceable from 2025. |
ICT | Information and Communication Technology | General term for IT systems, networks, cloud services, communications infrastructure. |
BCP | Business Continuity Plan | Plan for restoring business operations during outages. Mandatory under DORA. |
RTO | Recovery Time Objective | Maximum tolerated downtime after a disruption. |
RPO | Recovery Point Objective | Maximum acceptable data loss measured in time. |
TLPT | Threat-led Penetration Testing | Supervised cyberattack simulation. Mandatory for some DORA-regulated firms. |
ESA | European Supervisory Authorities | Umbrella term for EBA, EIOPA, and ESMA. |
EBA | European Banking Authority | EU authority for banks and credit institutions. |
EIOPA | European Insurance and Occupational Pensions Authority | EU oversight of insurers and pensions. |
ESMA | European Securities and Markets Authority | Supervises capital markets and securities. |
ENISA | European Union Agency for Cybersecurity | Provides risk assessments and methodology. No supervisory role. |
CSIRT | Computer Security Incident Response Team | Handles security incidents and reporting. |
TIBER-EU | Threat Intelligence-Based Ethical Red Teaming | EU testing framework for supervised TLPT assessments. |
NIS2 | Network and Information Security Directive 2 | New cybersecurity directive for critical infrastructure. |
GDPR | General Data Protection Regulation | Important: Data breaches may trigger GDPR and DORA reporting duties. |
SLA | Service Level Agreement | Contractual service standards, e.g. availability and reporting times. |
KPI | Key Performance Indicator | Metric for resilience, e.g. MTTD (mean time to detect) or MTTR (mean time to recover). |
Terms with direct contractual or risk relevance
Some terms have immediate impact on contract negotiations and duties:
- Audit Rights: Must be contractually agreed with ICT providers. Without them, authorities cannot inspect.
- Exit Strategy: Financial firms must be able to terminate critical IT service contracts, technically and legally.
- Reporting Threshold: Defines when an incident is reportable. Complex criteria that must be known company-wide.
- System Relevance: Entities deemed “systemically relevant” must undergo TLPT and heightened reporting.
Real-world Examples
A cloud provider hosts customer data for an insurer:
- If the provider serves multiple EU countries and performs critical functions, it may be deemed critical by ESAs. This implies audit rights, exit plans, and its own obligations.
A payment provider relies on a third-party app platform:
- DORA requires evaluating the full technology supply chain – including subcontractors and fourth parties.
A bank suffers a cybersecurity incident:
- Must report it within 4 hours – even if the root cause or scope is not yet clear.
How often do these terms appear in real life?
Many of these terms are common in business – but used differently in DORA. Context is crucial:
Term | Common Usage? | DORA-specific Definition? |
---|---|---|
Incident | Yes | Yes |
Audit | Yes | Yes (with specific duties) |
Service Level | Yes | Yes (contractually enforced) |
Red Teaming | Rare | Yes |
RTO / RPO | Known in IT | Yes (must be documented) |
Conclusion: Clarity builds resilience
DORA puts familiar terms into a binding legal framework. Understanding the acronyms means understanding the processes and duties behind them.
Companies benefit from building their own “DORA terminology” – as glossaries, in onboarding, or integrated into ITSM tools. Ultimately, resilience depends not just on technology or budgets, but on shared understanding and responsibility.
References & Further Reading
- Regulation (EU) 2022/2554 – EUR-Lex
- ENISA – EU Cybersecurity Agency
- TIBER-EU Framework – ECB
- EBA – European Banking Authority
Are you planning your DORA roadmap or are you a service provider to financial institutions? Let’s connect – I’d be happy to help.