DORA
Digital Operational Resilience Act — EU Regulation (EU) 2022/2554
Standard Introduction
The Digital Operational Resilience Act (DORA) is an EU regulation that strengthens the IT security and operational resilience of financial entities. Fully applicable since January 17, 2025, DORA establishes uniform requirements for ICT risk management, incident reporting, resilience testing, and third-party risk management across the entire EU financial sector.
DORA represents a paradigm shift in EU financial regulation by directly overseeing critical ICT service providers and mandating harmonized resilience standards. It covers over 22,000 financial entities and their technology suppliers, ensuring the financial system can withstand, respond to, and recover from severe operational disruptions and cyber threats.
Five Pillars of Resilience
Establishes a harmonized framework across five pillars: ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information sharing.
Third-Party Oversight
Introduces a direct oversight framework for critical ICT third-party service providers (including cloud providers) by European Supervisory Authorities — a first in EU financial regulation.
Incident Reporting
Mandates classification and reporting of major ICT-related incidents to competent authorities, with initial notification within 4 hours and detailed reports within 72 hours.
Five Key Pillars
- ICT Risk Management — comprehensive framework and governance
- ICT Incident Reporting — classification, notification, and analysis
- Digital Operational Resilience Testing — threat-led penetration testing (TLPT)
- ICT Third-Party Risk Management — due diligence and exit strategies
- Information Sharing — voluntary threat intelligence exchange
- Oversight of critical third-party ICT providers by ESAs
- Proportionality principle based on entity size and risk profile
- Annual review and board-level accountability
Who Needs to Comply?
All EU-regulated financial entities, including banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, and their critical ICT service providers. Applies to over 22,000 financial entities and ICT providers in the EU.
Key Requirements
ICT Risk Management Framework
Implement a comprehensive ICT risk management framework covering identification, protection, detection, response, and recovery capabilities. The board of directors bears ultimate responsibility for the framework.
Incident Classification & Reporting
Classify ICT incidents using defined criteria (data loss, duration, geographic spread, etc.). Report major incidents to competent authorities through an initial notification, an intermediate report, and a final report.
Resilience Testing
Conduct regular digital operational resilience testing including vulnerability assessments, network security reviews, and — for significant entities — threat-led penetration testing (TLPT) at least every three years.
Third-Party Risk Management
Maintain a register of all ICT third-party arrangements. Conduct due diligence, include mandatory contract clauses, and establish exit strategies for critical service providers.
Information Sharing
Participate in voluntary arrangements for sharing cyber threat intelligence and vulnerability information with other financial entities and authorities to strengthen collective resilience.
Penalties & Enforcement
Financial entities face fines up to 2% of total annual worldwide turnover or 1% of average daily global turnover. Critical third-party ICT providers face fines up to EUR 5 million (EUR 500,000 for individuals). Member States may impose criminal penalties for severe violations.