DORA: Free Overview

The Digital Operational Resilience Act creates a unified ICT risk management framework for the EU financial sector. Banks, insurers, investment firms, payment institutions, and their critical ICT providers all have specific obligations — and non-compliance carries significant enforcement consequences.

  • Regulation (EU) 2022/2554
  • Applicable from January 2025
  • 20 types of financial entities

The Digital Operational Resilience Act

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, is an EU regulation that establishes a comprehensive, binding framework for ICT risk management in the financial sector. It became applicable on 17 January 2025 — replacing a patchwork of national guidelines and sector-specific rules with a single, harmonised standard across all EU member states.

DORA's core premise is that financial entities must be able to withstand, respond to, and recover from ICT-related disruptions and threats. This includes not just internal IT infrastructure but also — critically — the ICT services provided by third-party providers such as cloud platforms, data centres, software vendors, and outsourced service providers. The regulation recognises that the financial sector's increasing reliance on ICT creates systemic risk if those systems fail or are compromised.

Unlike NIS2, which is a directive requiring national transposition, DORA is a regulation — it applies directly and uniformly across all EU member states without national implementing legislation. Financial entities operating across multiple EU jurisdictions therefore face a single, consistent set of requirements. Supervisory responsibility is shared between national competent authorities and the European Supervisory Authorities (EBA, ESMA, EIOPA), which have direct oversight of the most critical ICT third-party providers.

20 types of financial entities — and their ICT providers

DORA applies to a broad range of financial entities across the EU, including:

  • Credit institutions (banks), payment institutions, e-money institutions, investment firms, crypto-asset service providers, and central securities depositories.
  • Insurance and reinsurance undertakings, insurance intermediaries, occupational pension funds, alternative investment fund managers, and UCITS management companies.
  • ICT third-party service providers — cloud providers, data analytics firms, and other technology companies that provide ICT services to financial entities can be designated as "Critical Third-Party Providers" (CTPPs) and face direct supervision by EU-level authorities.

Microenterprises (fewer than 10 employees and annual turnover or balance sheet not exceeding €2 million) benefit from simplified requirements in certain areas, though they remain subject to the core DORA framework. The proportionality principle applies throughout — obligations are calibrated to the size, risk profile, and complexity of the entity.

DORA's five areas of ICT resilience

DORA organises its requirements around five interconnected pillars:

1. ICT Risk Management

Financial entities must maintain a comprehensive ICT risk management framework — including governance, strategy, policies, procedures, and tools — that identifies, classifies, and protects against ICT risks. The management body (board) is responsible for approving and overseeing this framework and bears ultimate accountability for ICT resilience.

2. ICT-Related Incident Management & Reporting

Entities must implement processes to detect, manage, and report ICT-related incidents. Major incidents must be reported to competent authorities within strict timeframes (initial notification within 4 hours, intermediate report within 72 hours, final report within 1 month). Customer notifications are also required for incidents affecting financial interests.

3. Digital Operational Resilience Testing

DORA requires regular testing of ICT tools and systems. All in-scope entities must conduct basic resilience testing (vulnerability assessments, penetration testing). Significant financial entities must additionally conduct Threat-Led Penetration Testing (TLPT) — advanced red-team exercises carried out at least every three years.

4. ICT Third-Party Risk Management

Entities must manage ICT risks arising from third-party providers. This includes due diligence before engagement, mandatory contractual provisions (exit strategies, audit rights, incident reporting obligations, data location requirements), and ongoing monitoring. Critical functions cannot be outsourced in a way that impairs resilience.

5. Information Sharing

DORA encourages — and in some cases requires — financial entities to share cyber threat intelligence and information about vulnerabilities with peers and with competent authorities. Participation in information sharing arrangements is voluntary but strongly encouraged as part of a sector-wide resilience approach.

What your organisation must implement

ICT Asset Register

Maintain an up-to-date register of all ICT assets, including hardware, software, and data. Map dependencies between assets and business functions to understand which systems are critical.

Business Impact Analysis

Conduct business impact analysis (BIA) to identify critical ICT-supported business functions, assess the impact of ICT disruptions, and define recovery time and recovery point objectives.

Incident Classification

Establish criteria for classifying ICT-related incidents as "major" (triggering regulatory reporting obligations) based on number of clients affected, duration, geographic spread, and financial impact.

Register of ICT Contracts

Maintain a register of all contractual arrangements with ICT third-party providers, including which functions are supported, whether they are critical, and which providers are concentrated across the sector.

Exit Strategies

Develop and maintain documented exit strategies for all critical ICT third-party arrangements, covering how functions would be transitioned if a provider fails, is terminated, or becomes unavailable.

Management Body Accountability

The management body must approve the ICT risk management framework, receive regular reporting on ICT risks and incidents, and ensure adequate resources are allocated to ICT resilience activities.

Primary EU Legislation

  • DORA — Regulation (EU) 2022/2554: Art. 5–14 (ICT risk management) · Art. 17–23 (incident reporting) · Art. 24–27 (testing)
  • NIS2 Directive — (EU) 2022/2555: cross-sector baseline (financial entities additionally covered by DORA)

DORA entered full application on 17 January 2025. Financial entities are subject to DORA; NIS2 applies to their ICT third-party providers.