European regulation

Digital Operational Resilience Act (DORA)

The EU regulation establishing a comprehensive framework for digital operational resilience in the financial sector, covering ICT risk management, incident reporting, testing, and third-party risk.

Entered into force on: 17 January 2025
Last updated: 17 January 2025

Overview

The Digital Operational Resilience Act (Regulation 2022/2554) — known as DORA — entered into force on 16 January 2023 and has been applicable since 17 January 2025. It creates a unified regulatory framework for digital operational resilience across the EU financial sector, replacing a patchwork of national rules.

DORA applies to virtually all regulated financial entities: credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, trading venues, central counterparties, insurance and reinsurance undertakings, insurance intermediaries, institutions for occupational retirement provision, credit rating agencies, statutory auditors, and crowdfunding service providers. Critically, it also brings ICT third-party service providers (including cloud providers) under direct regulatory oversight.

The regulation establishes five core pillars. First, ICT risk management: financial entities must maintain a comprehensive and well-documented ICT risk management framework covering identification, protection, detection, response, recovery, and learning from ICT-related incidents.

Second, ICT-related incident management: entities must classify and report major ICT-related incidents to their competent authority using standardised templates. Initial notification must be submitted within 4 hours of classification, an intermediate report within 72 hours, and a final report within one month.

Third, digital operational resilience testing: all entities must conduct regular testing of ICT systems, including vulnerability assessments, open-source analysis, network security assessments, and gap analyses. Large, systemically important entities must also conduct advanced threat-led penetration testing (TLPT) at least every three years using the TIBER-EU framework.

Fourth, ICT third-party risk management: entities must manage risks from ICT service providers throughout the lifecycle — from selection and contracting through monitoring and exit. All contracts with ICT providers must include specific clauses on performance, data location, audit rights, and exit strategies.

Fifth, information sharing: the regulation encourages voluntary sharing of cyber threat intelligence among financial entities to enhance collective situational awareness.

The European Supervisory Authorities (EBA, ESMA, EIOPA) are empowered to develop Regulatory Technical Standards (RTS) and to directly oversee critical ICT third-party service providers designated by the ESAs.

Key articles and provisions

Art. 5-16

ICT risk management framework

Requires a comprehensive, documented ICT risk management framework with governance, identification, protection, detection, response, recovery, and learning components approved by the management body.

Art. 17-23

ICT-related incident management and reporting

Establishes classification criteria and reporting timelines: initial notification within 4 hours, intermediate report within 72 hours, final report within one month.

Art. 24-27

Digital operational resilience testing

Mandates proportionate testing including vulnerability assessments for all entities and advanced TLPT (threat-led penetration testing) every 3 years for systemically important entities.

Art. 28-44

Managing of ICT third-party risk

Requires contractual provisions, risk assessments, and ongoing monitoring of ICT providers. Critical ICT third-party providers face direct ESA oversight with potential penalties.

Art. 45

Information-sharing arrangements

Encourages voluntary sharing of cyber threat intelligence and vulnerability information among financial entities to improve collective defence and situational awareness.

Sanctions and enforcement

Maximum fine

€5,000,000 for entities; €500,000 for individuals

Or

2% of total annual worldwide turnover for critical ICT third-party providers

Examples of sanctions

  • Financial entities face administrative penalties determined by national competent authorities proportionate to the severity and duration of the breach
  • Critical ICT third-party service providers face fines up to €5M or, for natural persons, up to €500,000 from the Lead Overseer
  • Periodic penalty payments of up to 1% of average daily worldwide turnover for ongoing non-compliance until remediation

Check your compliance status

Take our free assessment to analyse your organisation's compliance position. Get a personalised report with concrete recommendations in a few minutes, with no sign-up required.

Start the free assessment

Disclaimer: the information on this page is provided for information purposes only and does not constitute legal advice. For specific compliance assistance, consult a qualified legal professional in your jurisdiction.

Digital Operational Resilience Act (DORA) by country

Find out how DORA is implemented and enforced in each EU Member State.

Digital Operational Resilience Act (DORA) by sector

Find out about the sector-specific requirements and recommendations relating to DORA.

DORA — Compliance Guide for European SMEs | Viktoria Compliance