## What is DORA?
The Digital Operational Resilience Act (DORA) is an EU regulation that establishes a comprehensive framework for digital operational resilience in the financial sector. Formally known as Regulation (EU) 2022/2554, DORA entered into force in January 2023 and became fully applicable on January 17, 2025. It represents the most significant piece of EU financial sector cybersecurity legislation ever enacted — creating a single, harmonised framework replacing the patchwork of national guidelines and sectoral rules that previously applied across member states.
DORA’s central premise is that financial institutions must be able to withstand, respond to and recover from all types of ICT-related disruptions and threats. It explicitly recognises that operational resilience is as important as financial resilience — a bank with strong capital ratios but fragile IT systems poses systemic risk to the broader financial ecosystem.
## Why Was DORA Created?
Before DORA, ICT risk requirements for EU financial institutions were fragmented — different rules applied to banks, insurers, investment firms and payment institutions, creating inconsistency and regulatory arbitrage. The European Supervisory Authorities (ESAs) — the EBA, EIOPA and ESMA — had issued various guidelines on ICT risk and operational resilience, but these lacked the binding force of regulation and varied across sectors.
The COVID-19 pandemic accelerated digital transformation across financial services, dramatically increasing dependence on technology and third-party service providers — particularly cloud computing. Major ICT incidents at financial institutions, including the TSB IT migration disaster and numerous cloud outages affecting banking services, demonstrated the systemic risk posed by technology failures. DORA was designed to address these vulnerabilities comprehensively and consistently across the entire EU financial sector.
| Attribute | Detail |
|---|---|
| Enacted by | European Union |
| Regulation reference | Regulation (EU) 2022/2554 |
| Entry into force | January 16, 2023 |
| Fully applicable | January 17, 2025 |
| Mandatory or voluntary | Mandatory — directly applicable EU regulation |
| Supervisory authorities | EBA · EIOPA · ESMA (Joint Committee) |
| Official resource | eba.europa.eu |
## Who Does DORA Apply To?
DORA applies to a broad range of financial entities and — uniquely — also to their critical ICT third-party service providers. This is the first time EU legislation has directly regulated technology providers serving the financial sector.
| Entity type | Examples |
|---|---|
| Credit institutions | Banks, building societies, credit unions |
| Investment firms | Brokerage firms, asset managers, portfolio managers |
| Insurance and reinsurance | Insurance undertakings and reinsurers |
| Payment and e-money institutions | Payment processors, e-money issuers, card schemes |
| Crypto asset service providers | CASPs authorised under MiCA regulation |
| Trading venues and CCPs | Stock exchanges, central counterparties, trade repositories |
| Credit rating agencies | Moody’s, S&P, Fitch and EU-registered agencies |
| Critical ICT third-party providers | Cloud providers, data centres, software vendors designated as critical by ESAs |
## The Five DORA Pillars
DORA is structured around five pillars, each addressing a different dimension of digital operational resilience.
| # | Pillar | Key requirements |
|---|---|---|
| 1 | ICT Risk Management | Comprehensive ICT risk management framework — governance, strategy, policies, business continuity. Management body directly responsible and accountable. Annual ICT risk review. Protection, detection, response and recovery capabilities. |
| 2 | ICT Incident Management | Incident classification process distinguishing major from minor incidents. Initial notification of major incidents to the competent authority within 4 hours of classification as major, and no later than 24 hours after becoming aware of the incident. Intermediate and final reports required. Voluntary sharing of cyber threat information with peers. |
| 3 | Digital Operational Resilience Testing | Basic testing for all entities — vulnerability assessments, network security testing, gap analyses. Advanced Threat-Led Penetration Testing (TLPT) required for significant entities every 3 years. TLPT must follow the TIBER-EU framework. Results shared with competent authority. |
| 4 | ICT Third-party Risk Management | Register of all ICT third-party arrangements maintained. Mandatory contractual provisions for all ICT contracts. Concentration risk assessment. Exit strategies for critical providers. Critical ICT third-party providers directly supervised by ESAs — the most novel aspect of DORA. |
| 5 | Information Sharing | Voluntary arrangements for sharing cyber threat intelligence and information among financial entities, conducted within trusted community arrangements. Competent authorities to be informed of participation. |
## ICT Incident Classification and Reporting
One of DORA’s most operationally significant requirements is the mandatory reporting of major ICT-related incidents. The classification criteria and reporting timelines are prescriptive.
| Report type | Deadline | Content required |
|---|---|---|
| Initial notification | Within 4 hours of classification as major, max 24 hours from awareness | Basic incident details — nature, initial impact assessment, mitigation measures taken |
| Intermediate report | Within 72 hours of initial notification | Updated impact assessment, root cause analysis if available, containment measures |
| Final report | Within 1 month of incident resolution | Full root cause analysis, impact assessment, lessons learned, permanent fixes implemented |
## DORA and ICT Third-party Oversight
The ICT third-party risk management pillar is the most novel aspect of DORA. For the first time, the EU can directly supervise and sanction technology providers that are designated as critical to the financial sector — even if those providers are not themselves financial institutions.
The Joint Committee of the ESAs will designate Critical ICT Third-Party Service Providers (CTPPs) — expected to include major cloud providers (AWS, Azure, Google Cloud), major data analytics providers and other systemically important technology vendors. Designated CTPPs are subject to direct oversight, including information requests, inspections and fines of up to 1% of global annual turnover per day for non-compliance.
## Securitora Assessment
DORA is the most important new compliance requirement for EU financial institutions and their technology providers since GDPR. Its direct regulation of technology vendors — particularly cloud providers — is genuinely novel and will reshape how the financial sector contracts with and manages its technology supply chain. For financial institutions, DORA is not an incremental update — it requires a fundamental review of ICT governance, third-party contracts, testing programmes and incident response capabilities. Organisations that have already invested in ISO 27001, NIST CSF and SOC 2 will find significant overlap but will still need to address DORA-specific requirements around TLPT, contractual provisions and the ICT register.
| Attribute | Detail |
|---|---|
| Recommended for | All EU financial institutions and their critical ICT third-party providers |
| Difficulty to implement | High — comprehensive requirements with tight timelines and direct board accountability |
| Best used with | ISO 27001 · NIST CSF 2.0 · NIS2 Directive · TIBER-EU |
| Official resource | eba.europa.eu |