Digital Operational Resilience Act (DORA)
The EU regulation establishing a comprehensive framework for digital operational resilience in the financial sector, covering ICT risk management, incident reporting, testing, and third-party risk.
Overview
The Digital Operational Resilience Act (Regulation 2022/2554) — known as DORA — entered into force on 16 January 2023 and has been applicable since 17 January 2025. It creates a unified regulatory framework for digital operational resilience across the EU financial sector, replacing a patchwork of national rules.
DORA applies to virtually all regulated financial entities: credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, trading venues, central counterparties, insurance and reinsurance undertakings, insurance intermediaries, institutions for occupational retirement provision, credit rating agencies, statutory auditors, and crowdfunding service providers. Critically, it also brings ICT third-party service providers (including cloud providers) under direct regulatory oversight.
The regulation establishes five core pillars. First, ICT risk management: financial entities must maintain a comprehensive and well-documented ICT risk management framework covering identification, protection, detection, response, recovery, and learning from ICT-related incidents.
Second, ICT-related incident management: entities must classify and report major ICT-related incidents to their competent authority using standardised templates. Initial notification must be submitted within 4 hours of classification, an intermediate report within 72 hours, and a final report within one month.
Third, digital operational resilience testing: all entities must conduct regular testing of ICT systems, including vulnerability assessments, open-source analysis, network security assessments, and gap analyses. Large, systemically important entities must also conduct advanced threat-led penetration testing (TLPT) at least every three years using the TIBER-EU framework.
Fourth, ICT third-party risk management: entities must manage risks from ICT service providers throughout the lifecycle — from selection and contracting through monitoring and exit. All contracts with ICT providers must include specific clauses on performance, data location, audit rights, and exit strategies.
Fifth, information sharing: the regulation encourages voluntary sharing of cyber threat intelligence among financial entities to enhance collective situational awareness.
The European Supervisory Authorities (EBA, ESMA, EIOPA) are empowered to develop Regulatory Technical Standards (RTS) and to directly oversee critical ICT third-party service providers designated by the ESAs.
Key Articles & Provisions
ICT risk management framework
Requires a comprehensive, documented ICT risk management framework with governance, identification, protection, detection, response, recovery, and learning components approved by the management body.
ICT-related incident management and reporting
Establishes classification criteria and reporting timelines: initial notification within 4 hours, intermediate report within 72 hours, final report within one month.
Digital operational resilience testing
Mandates proportionate testing including vulnerability assessments for all entities and advanced TLPT (threat-led penetration testing) every 3 years for systemically important entities.
Managing of ICT third-party risk
Requires contractual provisions, risk assessments, and ongoing monitoring of ICT providers. Critical ICT third-party providers face direct ESA oversight with potential penalties.
Information-sharing arrangements
Encourages voluntary sharing of cyber threat intelligence and vulnerability information among financial entities to improve collective defence and situational awareness.
Penalties & Enforcement
€5,000,000 for entities; €500,000 for individuals
2% of total annual worldwide turnover for critical ICT third-party providers
Enforcement Examples
- •Financial entities face administrative penalties determined by national competent authorities proportionate to the severity and duration of the breach
- •Critical ICT third-party service providers face fines up to €5M or, for natural persons, up to €500,000 from the Lead Overseer
- •Periodic penalty payments of up to 1% of average daily worldwide turnover for ongoing non-compliance until remediation
Check Your Compliance Status
Take our free assessment to evaluate your organisation's compliance posture. Get a personalised report with actionable recommendations in minutes — no sign-up required.
Start Free AssessmentDisclaimer: The information on this page is for educational purposes and does not constitute legal advice. For specific compliance guidance, consult a qualified legal professional in your jurisdiction.
Digital Operational Resilience Act (DORA) by Country
Explore how Digital Operational Resilience Act is implemented and enforced in each EU member state.
Digital Operational Resilience Act (DORA) by Industry
See industry-specific requirements and guidance for Digital Operational Resilience Act.