Digital Operational Resilience Act (DORA)
The EU regulation establishing a comprehensive framework for digital operational resilience in the financial sector, covering ICT risk management, incident reporting, testing, and third-party risk.
Resumen
The Digital Operational Resilience Act (Regulation 2022/2554) — known as DORA — entered into force on 16 January 2023 and has been applicable since 17 January 2025. It creates a unified regulatory framework for digital operational resilience across the EU financial sector, replacing a patchwork of national rules.
DORA applies to virtually all regulated financial entities: credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, trading venues, central counterparties, insurance and reinsurance undertakings, insurance intermediaries, institutions for occupational retirement provision, credit rating agencies, statutory auditors, and crowdfunding service providers. Critically, it also brings ICT third-party service providers (including cloud providers) under direct regulatory oversight.
The regulation establishes five core pillars. First, ICT risk management: financial entities must maintain a comprehensive and well-documented ICT risk management framework covering identification, protection, detection, response, recovery, and learning from ICT-related incidents.
Second, ICT-related incident management: entities must classify and report major ICT-related incidents to their competent authority using standardised templates. Initial notification must be submitted within 4 hours of classification, an intermediate report within 72 hours, and a final report within one month.
Third, digital operational resilience testing: all entities must conduct regular testing of ICT systems, including vulnerability assessments, open-source analysis, network security assessments, and gap analyses. Large, systemically important entities must also conduct advanced threat-led penetration testing (TLPT) at least every three years using the TIBER-EU framework.
Fourth, ICT third-party risk management: entities must manage risks from ICT service providers throughout the lifecycle — from selection and contracting through monitoring and exit. All contracts with ICT providers must include specific clauses on performance, data location, audit rights, and exit strategies.
Fifth, information sharing: the regulation encourages voluntary sharing of cyber threat intelligence among financial entities to enhance collective situational awareness.
The European Supervisory Authorities (EBA, ESMA, EIOPA) are empowered to develop Regulatory Technical Standards (RTS) and to directly oversee critical ICT third-party service providers designated by the ESAs.
Artículos y disposiciones clave
ICT risk management framework
Requires a comprehensive, documented ICT risk management framework with governance, identification, protection, detection, response, recovery, and learning components approved by the management body.
ICT-related incident management and reporting
Establishes classification criteria and reporting timelines: initial notification within 4 hours, intermediate report within 72 hours, final report within one month.
Digital operational resilience testing
Mandates proportionate testing including vulnerability assessments for all entities and advanced TLPT (threat-led penetration testing) every 3 years for systemically important entities.
Managing of ICT third-party risk
Requires contractual provisions, risk assessments, and ongoing monitoring of ICT providers. Critical ICT third-party providers face direct ESA oversight with potential penalties.
Information-sharing arrangements
Encourages voluntary sharing of cyber threat intelligence and vulnerability information among financial entities to improve collective defence and situational awareness.
Sanciones y aplicación
€5,000,000 for entities; €500,000 for individuals
2% of total annual worldwide turnover for critical ICT third-party providers
Ejemplos de aplicación
- •Financial entities face administrative penalties determined by national competent authorities proportionate to the severity and duration of the breach
- •Critical ICT third-party service providers face fines up to €5M or, for natural persons, up to €500,000 from the Lead Overseer
- •Periodic penalty payments of up to 1% of average daily worldwide turnover for ongoing non-compliance until remediation
Compruebe su estado de cumplimiento
Realice nuestra evaluación gratuita para analizar la situación de cumplimiento de su organización. Obtenga en minutos un informe personalizado con recomendaciones prácticas — sin necesidad de registrarse.
Iniciar evaluación gratuitaAviso: la información de esta página tiene fines informativos y no constituye asesoramiento jurídico. Para una orientación específica de cumplimiento, consulte a un profesional jurídico cualificado en su jurisdicción.
Digital Operational Resilience Act (DORA) por país
Descubra cómo se implementa y aplica DORA en cada Estado miembro de la UE.
Digital Operational Resilience Act (DORA) por sector
Consulte los requisitos sectoriales y las orientaciones sobre DORA.