The Digital Operational Resilience Act (DORA) is a pivotal European Union regulation designed to significantly enhance the digital operational resilience of the financial sector across all member states, including Lithuania. DORA became directly applicable on January 17, 2025, with no extensions granted. A key deadline was the submission of a comprehensive register of contractual arrangements with ICT service providers to national competent authorities by April 30, 2025.
1. Why DORA?
DORA was necessitated by the financial sector’s increasing reliance on digital technologies, the rise in sophisticated cyber threats, and the fragmentation of existing EU regulations. Policymakers recognised that capital adequacy alone was insufficient; institutions needed to actively withstand, respond to, and recover from digital disruptions. Incidents affecting critical third-party providers, such as the July 2024 CrowdStrike outage, highlighted systemic risks stemming from dependencies on external ICT services.
DORA’s Core Mission:
- Harmonise ICT Risk Management: Standardise ICT risk management across the EU financial services sector.
- Bolster Operational Resilience: Ensure financial entities can endure and recover quickly from ICT disruptions.
- Oversight of Critical Third Parties: Extend EU supervision to crucial third-party ICT service providers for the first time.
- Protect Customers and Markets: Improve how organisations manage, document, and react to cyber threats.
2. The Bank of Lithuania’s Role
The Bank of Lithuania (Lietuvos bankas) is Lithuania’s integrated financial supervisor, responsible for driving DORA implementation. It provides guidance on interpreting EU regulations within the Lithuanian market. The Bank of Lithuania emphasises that the management body of a financial entity holds ultimate responsibility for its ICT risk management framework.
Pre-DORA Foundations in Lithuania:
Lithuania had existing robust national regulations for ICT risk management, including Resolution No. 03-174 (2020), which approved the “Description of Requirements for Information and Communication Technology and Security Risk Management” effective January 1, 2021. This resolution aligned with EBA Guidelines and covered ICT and security risk management, logical and physical security, operations, monitoring, assessment, testing, and training. Non-compliance could lead to penalties like license revocation.
Bank of Lithuania’s Technological Infrastructure:
The Bank of Lithuania utilises advanced digital infrastructure, including the REGATA system for DORA compliance, incident reporting, and data collection. It also participates in a National Cyber Incident Management Platform, coordinated by the National Cyber Security Centre (NCSC), enabling automatic data exchange on cyber incidents for rapid response. This platform serves as a “one-stop shop” for financial ICT incident reporting.
3. Who’s In Scope for DORA?
DORA’s scope is broad, encompassing:
- Financial Entities: Credit institutions (banks), payment institutions (including those previously exempted under PSD2), electronic money institutions, investment firms, central securities depositories (CSDs), central counterparties (CCPs), trading venues, trade repositories, crypto-asset service providers (CASPs) authorised under MiCA, issuers of asset-referenced tokens (ARTs), insurance and reinsurance undertakings, intermediaries, institutions for occupational retirement provision, credit rating agencies, crowdfunding service providers, securitisation repositories, and managers of alternative investment funds (AIFMs).
- Critical Third Parties: Providers of ICT-related services to financial entities, such as cloud platforms, data analytics, and software-as-a-service providers. This marks the first time these providers are under EU financial services supervision.
Proportionality Principle:
DORA applies a proportionality principle, allowing entities to tailor implementation based on their size, risk profile, and the nature, scale, and complexity of their services. Limited exemptions exist for certain smaller entities (e.g., sub-threshold AIFMs, small insurance undertakings).
4. DORA’s Incident Reporting for Lithuania
DORA mandates strict reporting of major ICT incidents to the Bank of Lithuania.
Materiality Thresholds for Major Incidents:
An incident is considered major if it:
- Impacts ICT services supporting critical or important functions.
- Involves successful malicious and unauthorised access.
- Affects over 10% of clients using a service or over 100,000 clients.
- Impacts over 10% of the daily average transactions or value.
- Generates media attention or repeated client complaints.
- Results in critical service downtime exceeding 2 hours or total downtime over 24 hours.
- Affects two or more EU Member States.
- Adversely impacts data availability, authenticity, integrity, or confidentiality.
- Likely incurs costs or losses exceeding €100,000 (or potentially €500,000).
- Involves individually minor incidents occurring at least twice within six months with the same root cause.
Reporting Timelines:
- Initial Notification: As soon as possible, but no later than 4 hours after the incident is classified as major, and in any case within 24 hours of becoming aware of it.
- Intermediate Report: Within 72 hours of initial notification.
- Final Report: Within one month after the intermediate report, including root cause analysis and impact assessment.
- Ongoing Updates: Required if new information emerges.
- Client Notification: Without undue delay, if financial interests are impacted.
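The materiality criteria and reporting timelines above are, in practice, a triage checklist and a deadline calculation that an incident response team runs against every incident. The following Python script is an added example, not code from the article or from the Bank of Lithuania: it encodes the thresholds exactly as the article lists them (the binding definitions live in the RTS on incident classification, which this script does not reproduce), the `Incident` field names and the sample incident are this example's own constructions, and "six months" is approximated as 182 days. It shows the interaction of the two initial-notification limits (4 hours from classification, 24 hours from awareness, whichever comes first) and the recurrence rule for individually minor incidents.

```python
"""Classify an ICT incident against the article's materiality thresholds and
compute the DORA reporting deadlines. Thresholds and field names are
constructed for illustration; the RTS/ITS on incident classification and
reporting carry the authoritative definitions."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Sequence

# Materiality thresholds as listed in the article (assumed values, not RTS text)
CLIENT_SHARE = 0.10           # over 10% of clients using the service
CLIENT_ABSOLUTE = 100_000     # or over 100,000 clients
TRANSACTION_SHARE = 0.10      # over 10% of daily average transactions or value
CRITICAL_DOWNTIME = timedelta(hours=2)
TOTAL_DOWNTIME = timedelta(hours=24)
COST_EUR = 100_000
RECURRENCE_WINDOW = timedelta(days=182)  # "within six months", approximated in days


@dataclass
class Incident:
    """Facts gathered during triage; the field names are this example's own."""
    incident_id: str
    detected_at: datetime
    critical_function_affected: bool = False
    malicious_unauthorised_access: bool = False
    clients_affected: int = 0
    clients_total: int = 0
    transaction_share_affected: float = 0.0
    media_attention_or_complaints: bool = False
    critical_service_downtime: timedelta = timedelta(0)
    total_downtime: timedelta = timedelta(0)
    member_states_affected: int = 1
    data_security_impact: bool = False   # availability, authenticity, integrity or confidentiality
    estimated_cost_eur: float = 0.0
    root_cause: Optional[str] = None


def classify(incident: Incident, history: Sequence[Incident] = ()) -> list:
    """Return the materiality criteria the incident meets.

    An empty list means the incident is not major under these thresholds.
    `history` holds earlier incidents and feeds the recurrence criterion.
    """
    client_share = (incident.clients_affected / incident.clients_total
                    if incident.clients_total else 0.0)
    checks = [
        ("critical_or_important_function", incident.critical_function_affected),
        ("malicious_unauthorised_access", incident.malicious_unauthorised_access),
        ("clients_affected", client_share > CLIENT_SHARE
                             or incident.clients_affected > CLIENT_ABSOLUTE),
        ("transactions_affected", incident.transaction_share_affected > TRANSACTION_SHARE),
        ("media_or_repeated_complaints", incident.media_attention_or_complaints),
        ("critical_service_downtime", incident.critical_service_downtime > CRITICAL_DOWNTIME),
        ("total_downtime", incident.total_downtime > TOTAL_DOWNTIME),
        ("multiple_member_states", incident.member_states_affected >= 2),
        ("data_security_impact", incident.data_security_impact),
        ("economic_impact", incident.estimated_cost_eur > COST_EUR),
    ]
    met = [name for name, hit in checks if hit]
    # Recurrence: individually minor incidents with the same root cause occurring
    # at least twice within six months; this incident counts as one occurrence.
    if incident.root_cause is not None:
        prior = [h for h in history
                 if h.root_cause == incident.root_cause
                 and h.incident_id != incident.incident_id
                 and timedelta(0) <= incident.detected_at - h.detected_at <= RECURRENCE_WINDOW]
        if prior:
            met.append("recurring_root_cause")
    return met


def _add_one_month(ts: datetime) -> datetime:
    """Calendar-month addition, clamping the day to the target month's length."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def reporting_deadlines(classified_at: datetime, aware_at: datetime,
                        initial_sent_at: Optional[datetime] = None) -> dict:
    """Deadlines per the article: initial notification no later than 4 hours
    after classification and within 24 hours of awareness (whichever comes
    first); intermediate report 72 hours after the initial notification; final
    report one month after the intermediate report. Later deadlines are derived
    from the initial notification's actual time if given, otherwise from its
    deadline (the latest permissible case)."""
    initial = min(classified_at + timedelta(hours=4), aware_at + timedelta(hours=24))
    intermediate = (initial_sent_at or initial) + timedelta(hours=72)
    return {
        "initial_notification": initial,
        "intermediate_report": intermediate,
        "final_report": _add_one_month(intermediate),
    }


# Constructed sample: a payments API outage affecting 12,000 of 90,000 clients
# for three hours (all times UTC).
SAMPLE = Incident(
    incident_id="INC-2025-0042",
    detected_at=datetime(2025, 6, 1, 20, 0, tzinfo=timezone.utc),
    clients_affected=12_000, clients_total=90_000,
    critical_service_downtime=timedelta(hours=3),
    root_cause="expired TLS certificate on API gateway",
)

if __name__ == "__main__":
    reasons = classify(SAMPLE)
    print("major" if reasons else "not major", reasons)
    classified = datetime(2025, 6, 2, 9, 30, tzinfo=timezone.utc)
    for name, when in reporting_deadlines(classified, SAMPLE.detected_at).items():
        print(f"{name:22s} {when.isoformat()}")
```

Two design points matter for a real implementation. First, the 24-hour awareness clock can bind before the 4-hour classification clock does, so a slow classification step does not buy extra time; the calculator takes the earlier of the two. Second, the recurrence criterion means an incident that is minor on its own facts still has to be checked against the incident history, so the classifier needs access to root-cause data for closed incidents, not just the open one.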
Reporting Infrastructure in Lithuania:
The Bank of Lithuania provides a dedicated framework via the REGATA system, supporting formats like JSON, CSV, XBRL, and API integration. Integration with the NCSC’s National Cyber Incident Management Platform ensures coordinated response. Official templates and guides are available from the Bank of Lithuania. Voluntary notification of significant cyber threats is also encouraged.
5. DORA’s Third-Party Risk Management in Lithuania
Financial entities remain ultimately responsible for DORA compliance, even when outsourcing ICT services. Oversight extends to the entire ICT service provider supply chain, including subcontractors.
Contractual Requirements (Article 30(2)):
Contracts with ICT third-party service providers must include:
- Clear service descriptions.
- Conditions for subcontracting critical/important functions.
- Provisions for timely incident notification and assistance.
- Audit rights for the financial entity, appointed third parties, and competent authorities.
- Detailed data handling requirements (location, notification, availability, authenticity, integrity, confidentiality, access, recovery, return).
- Clear termination clauses for significant breaches.
Register of Information (RoI):
Financial entities must maintain a comprehensive, up-to-date RoI detailing all contractual arrangements with ICT third-party service providers. This register is crucial for managing ICT third-party risk and supervisory oversight. It must include service details, critical provider information, identification of parties, and service classification. The RoI must be maintained at the entity, sub-consolidated, and consolidated levels and submitted annually to the Bank of Lithuania. Lithuanian financial entities had an April 30, 2025, deadline for RoI submission.
6. DORA’s Resilience Testing
DORA mandates rigorous digital operational resilience testing.
- Annual ICT System Tests: All ICT systems supporting critical or important functions must be tested at least annually by independent parties.
- Advanced Threat-Led Penetration Testing (TLPT): Mandatory at least once every three years for critical infrastructure and services, using realistic threat scenarios and up-to-date threat intelligence. The TIBER-EU framework, updated to align with DORA’s RTS on TLPT, provides guidance.
- Purple-Teaming: Mandatory during TLPT.
- External Expertise: At least one out of every three TLPT sessions must be conducted by an independent third party, and threat intelligence for internal TLPT must be external and independent.
Reporting Test Results:
The Bank of Lithuania oversees these testing programs. Identified vulnerabilities or major incidents during TLPT trigger standard DORA incident reporting. Entities must issue attestation reports and remediation plans to competent authorities, with full remediation required.
7. DORA’s Regulatory Burden and Pitfalls
DORA compliance presents significant challenges for Lithuanian financial institutions, especially FinTech SMBs.
- Key Challenges: Extensive obligations, documentation overhaul, third-party oversight complexity, mandatory TLPT, and the need for a cultural shift towards proactive resilience. Harmonising DORA with other cybersecurity laws (e.g., Lithuania’s updated Cyber Security Law) can also create ambiguities.
- Costly Blunders to Avoid: Inadequate third-party risk management, missed reporting deadlines, lack of executive buy-in, poor operational integration, and resource strain for FinTech SMBs.
- Penalties: Violations can result in financial penalties up to 2% of total annual worldwide turnover (or 1% of average daily turnover), and individual penalties up to €1,000,000. Reputational damage is also a significant consequence.
8. Looking Ahead
DORA is a dynamic regulation that will evolve.
- Scheduled Reviews: An earlier review (January 17, 2026) will assess requirements for statutory auditors. A comprehensive review (January 17, 2028) will cover critical ICT third-party providers and oversight of third-country providers.
- ESAs’ Role: The European Supervisory Authorities (EBA, ESMA, EIOPA) will continue developing Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) to keep DORA agile.
- Broader Regulatory Ecosystem: DORA acts as “lex specialis” for finance, generally taking precedence over NIS2 where sector-specific rules apply. It complements GDPR (focusing on operational resilience vs. personal data protection) and industry standards like SWIFT CSP and PCI DSS. DORA focuses on financial entities’ operational resilience, while the Cyber Resilience Act (CRA) targets manufacturers of digital products for security by design. Financial entities must ensure products they use comply with CRA standards.
- Lithuania’s Gains: DORA will enhance Lithuania’s financial sector resilience and security, strengthen investor confidence, improve third-party control, and foster a proactive regulatory environment, leveraging the country’s existing FinTech strengths and the Bank of Lithuania’s approach.