What is DORA? Digital Operational Resilience Act Explained

DORA (Digital Operational Resilience Act)

DORA is an EU regulation that establishes a comprehensive framework for digital operational resilience in the financial sector. It requires financial entities to manage ICT risks, report incidents, test resilience, and oversee third-party ICT providers.

DORA

financial services

ICT risk

resilience

EU regulation

Why It Matters

Financial services depend heavily on technology — a single IT outage can freeze payments, trading, or customer access. DORA ensures the entire EU financial sector meets consistent standards for digital resilience. It's not optional guidance — it's a directly applicable regulation, effective January 17, 2025. Financial entities that haven't prepared face regulatory action.

The Five Pillars

1. ICT Risk Management

Comprehensive framework for identifying, protecting, detecting, responding to, and recovering from ICT risks
Board-level responsibility — management body defines, approves, and oversees the ICT risk strategy
Regular risk assessments and documentation

2. ICT Incident Management and Reporting

Classify incidents by severity using DORA criteria
Major incidents: report to competent authority within 4 hours (initial notification), 72 hours (intermediate), 1 month (final)
Voluntary reporting of significant cyber threats
Root cause analysis after resolution

3. Digital Operational Resilience Testing

Basic testing — vulnerability assessments, network security tests, gap analyses (all entities)
Advanced testing (TLPT) — Threat-Led Penetration Testing for significant financial entities (every 3 years)
Testing must cover critical functions and ICT systems

4. ICT Third-Party Risk Management

Register of all ICT third-party arrangements
Due diligence and risk assessment before contracting
Mandatory contractual provisions (security, audit rights, exit strategies)
Concentration risk monitoring — dependency on single providers
Critical ICT third-party providers (CTPPs) — directly overseen by EU financial regulators (ESAs)

5. Information Sharing

Voluntary arrangements to exchange cyber threat intelligence
Within trusted communities and with supervisory authorities
Anonymization of sensitive data in shared intelligence

Who Must Comply

DORA applies to virtually the entire EU financial ecosystem:

Banks and credit institutions
Investment firms and trading venues
Insurance and reinsurance companies
Payment and e-money institutions
Crypto-asset service providers
Central securities depositories
Fund managers (UCITS, AIFMs)
Credit rating agencies
Crowdfunding service providers
ICT third-party service providers serving financial entities

Key Regulation

Regulation (EU) 2022/2554 — DORA
Applicable from: January 17, 2025
Overseen by: European Supervisory Authorities (EBA, ESMA, EIOPA)
Related: NIS2 (broader cybersecurity), GDPR (data protection)

Why It Matters

The Five Pillars

1. ICT Risk Management

Comprehensive framework for identifying, protecting, detecting, responding to, and recovering from ICT risks
Board-level responsibility — management body defines, approves, and oversees the ICT risk strategy
Regular risk assessments and documentation

2. ICT Incident Management and Reporting

Classify incidents by severity using DORA criteria
Major incidents: report to competent authority within 4 hours (initial notification), 72 hours (intermediate), 1 month (final)
Voluntary reporting of significant cyber threats
Root cause analysis after resolution

3. Digital Operational Resilience Testing

Basic testing — vulnerability assessments, network security tests, gap analyses (all entities)
Advanced testing (TLPT) — Threat-Led Penetration Testing for significant financial entities (every 3 years)
Testing must cover critical functions and ICT systems

4. ICT Third-Party Risk Management

Register of all ICT third-party arrangements
Due diligence and risk assessment before contracting
Mandatory contractual provisions (security, audit rights, exit strategies)
Concentration risk monitoring — dependency on single providers
Critical ICT third-party providers (CTPPs) — directly overseen by EU financial regulators (ESAs)

5. Information Sharing

Voluntary arrangements to exchange cyber threat intelligence
Within trusted communities and with supervisory authorities
Anonymization of sensitive data in shared intelligence

Who Must Comply

DORA applies to virtually the entire EU financial ecosystem:

Banks and credit institutions
Investment firms and trading venues
Insurance and reinsurance companies
Payment and e-money institutions
Crypto-asset service providers
Central securities depositories
Fund managers (UCITS, AIFMs)
Credit rating agencies
Crowdfunding service providers
ICT third-party service providers serving financial entities

Key Regulation

Regulation (EU) 2022/2554 — DORA
Applicable from: January 17, 2025
Overseen by: European Supervisory Authorities (EBA, ESMA, EIOPA)
Related: NIS2 (broader cybersecurity), GDPR (data protection)

DORA (Digital Operational Resilience Act)

Why It Matters

The Five Pillars

1. ICT Risk Management

2. ICT Incident Management and Reporting

3. Digital Operational Resilience Testing

4. ICT Third-Party Risk Management

5. Information Sharing

Who Must Comply

Key Regulation

NIS2 Directive

Compliance

Business Continuity

Third-Party Risk Management

Incident Response

Want to learn more?

DORA (Digital Operational Resilience Act)

Why It Matters

The Five Pillars

1. ICT Risk Management

2. ICT Incident Management and Reporting

3. Digital Operational Resilience Testing

4. ICT Third-Party Risk Management

5. Information Sharing

Who Must Comply

Key Regulation

NIS2 Directive

Compliance

Business Continuity

Third-Party Risk Management

Incident Response

Want to learn more?