Regulation (EU) 2022/2554

About the Digital Operational Resilience Act

A comprehensive EU regulation strengthening the ICT security and operational resilience of the financial sector, applicable from 17 January 2025.

What is DORA?

The Digital Operational Resilience Act (DORA) is a landmark EU regulation that establishes a comprehensive framework for managing information and communication technology (ICT) risks in the financial sector. It addresses the growing digital transformation and increasing cyber threats facing financial institutions.

DORA aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber attacks and ICT-related incidents, so that they can continue to provide critical services even under severe operational disruptions.

Unlike previous regulations that varied across EU member states, DORA creates a single, harmonized set of requirements that apply uniformly across the European Union, leveling the playing field and strengthening the overall resilience of the financial sector.

Key Objectives

DORA is designed to achieve multiple critical goals for the financial sector

Enhance ICT Resilience

Ensure financial entities can withstand, respond to, and recover from ICT-related disruptions and threats

Harmonize Requirements

Create uniform rules across the EU, replacing fragmented national approaches to digital resilience

Manage Third-Party Risk

Establish an oversight framework for critical ICT service providers to the financial sector

Enable Information Sharing

Facilitate the exchange of cyber threat intelligence among financial entities

DORA Timeline

Key milestones in the implementation of the Digital Operational Resilience Act

December 2022 - Regulation Adopted

DORA formally adopted by EU Parliament and Council as Regulation (EU) 2022/2554

January 2023 - Entry into Force

DORA entered into force on 16 January 2023, beginning the transition period

Throughout 2024 - Technical Standards

ESAs developed and published regulatory and implementing technical standards

17 January 2025 - Application Date ⭐

DORA became fully applicable - financial entities must be compliant

April 2025 - First Reporting

Competent authorities submit the first registers to the ESAs for critical ICT third-party provider (CTPP) designation

July 2025 - CTPP Designation

ESAs notify critical ICT third-party service providers of their designation

Who Does DORA Apply To?

DORA applies to more than 21 types of financial entities and their critical ICT service providers

Covered Entities

  • Credit institutions (banks)
  • Payment institutions
  • Electronic money institutions
  • Investment firms
  • Crypto-asset service providers
  • Central securities depositories
  • Central counterparties
  • Trading venues
  • Trade repositories
  • Alternative investment funds
  • Management companies
  • Data reporting service providers
  • Insurance undertakings
  • Insurance intermediaries
  • Retirement provision institutions
  • Credit rating agencies
  • Critical benchmark administrators
  • Crowdfunding service providers
  • Securitisation repositories
  • Critical ICT service providers

Note: DORA also applies to ICT third-party service providers designated as critical by the European Supervisory Authorities (ESAs), even if they are located outside the EU.

Key Requirements

Financial entities must comply with comprehensive requirements across four main areas

ICT Risk Management Framework

  • Comprehensive governance and control framework
  • Identification and classification of ICT assets
  • Continuous monitoring and risk assessment
  • Business continuity and disaster recovery plans
  • Regular internal audits

Incident Reporting

  • Classification of ICT-related incidents
  • Notification to authorities without undue delay
  • Standardized reporting templates
  • Root cause analysis and lessons learned
  • Reporting of significant cyber threats

Resilience Testing

  • Regular vulnerability assessments
  • Scenario-based testing
  • Penetration testing for systems
  • Threat-led penetration testing (TLPT) for critical entities
  • Documentation and remediation of findings

Third-Party Management

  • Due diligence before contracting
  • Contractual arrangements with clear terms
  • Register of all ICT third-party providers
  • Continuous monitoring of providers
  • Exit strategies and contingency plans

The Five Pillars of DORA

DORA is structured around five interconnected pillars that work together to ensure digital operational resilience

  1. ICT Risk Management
  2. Incident Reporting
  3. Resilience Testing
  4. Third-Party Risk
  5. Information Sharing
