What is DORA?
Quick answer
DORA is the Digital Operational Resilience Act, EU Regulation 2022/2554. It requires financial entities in the EU to manage ICT risks, report major incidents, test their digital systems, and oversee third-party technology providers. It has applied since January 17, 2025.
What is DORA?
DORA is the Digital Operational Resilience Act, formally EU Regulation 2022/2554. It's a directly applicable EU regulation: it entered into force on January 17, 2023, and has applied across all EU member states since January 17, 2025. No national transposition was required. The text is binding as written.
The regulation covers banks, investment firms, payment and e-money institutions, insurance undertakings, crypto-asset service providers, central counterparties, trade repositories, and most other regulated financial entities operating in the EU. It also brings critical ICT third-party providers under direct EU supervisory oversight for the first time. Cloud providers, core banking platform vendors, and data analytics firms that regulators designate as "critical" face formal oversight by the EBA, ESMA, or EIOPA, depending on the financial sector they primarily serve.
The five pillars
ICT Risk Management. Every in-scope firm must maintain a documented ICT risk management framework with defined governance roles, asset inventories, protection measures, detection capabilities, and recovery plans. The management body must approve the framework and is personally responsible for its implementation.
ICT Incident Reporting. Major ICT-related incidents follow a three-stage reporting timeline. Initial notification is due within 4 hours of classification, and no later than 24 hours from detection. The intermediate report must follow within 72 hours. The final report is due within one month. The EBA's DORA regulatory page publishes the Regulatory Technical Standards that define what qualifies as a "major" incident, using criteria including the number of clients affected, duration, geographic spread, and data loss.
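The initial-notification rule has two clocks, and the one that expires first binds: a firm that classifies an incident 23 hours after detection does not get another 4 hours. The Python below is an added example, not code from the page or from any regulator, that computes the three deadlines and checks filings against them. It assumes that the intermediate and final windows run from the preceding stage's deadline and approximates "one month" as 30 days (both labelled in the code; check the reporting standards for the exact rule), and all timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Timeline values as stated on the page.
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_CAP_AFTER_DETECTION = timedelta(hours=24)
INTERMEDIATE_WINDOW = timedelta(hours=72)
# Assumption: "one month" modelled as 30 days; the reporting standards define the exact rule.
FINAL_WINDOW = timedelta(days=30)


def initial_deadline(detected: datetime, classified: datetime) -> datetime:
    """Initial notification: 4h after classification, but never later than 24h after detection."""
    if classified < detected:
        raise ValueError("classification cannot precede detection")
    return min(classified + INITIAL_AFTER_CLASSIFICATION,
               detected + INITIAL_CAP_AFTER_DETECTION)


def cap_applies(detected: datetime, classified: datetime) -> bool:
    """True when the 24h-from-detection cap, not the 4h-from-classification rule, sets the deadline."""
    return detected + INITIAL_CAP_AFTER_DETECTION < classified + INITIAL_AFTER_CLASSIFICATION


def reporting_deadlines(detected: datetime, classified: datetime) -> dict:
    """All three deadlines. Assumption: each later window runs from the previous stage's deadline."""
    initial = initial_deadline(detected, classified)
    intermediate = initial + INTERMEDIATE_WINDOW
    final = intermediate + FINAL_WINDOW
    return {"initial": initial, "intermediate": intermediate, "final": final}


def filing_status(deadlines: dict, filed: dict, now: datetime) -> dict:
    """Per stage: 'on_time', 'late', 'overdue' (unfiled, deadline passed) or 'pending' (unfiled, still open)."""
    status = {}
    for stage, due in deadlines.items():
        sent = filed.get(stage)
        if sent is None:
            status[stage] = "overdue" if now > due else "pending"
        else:
            status[stage] = "on_time" if sent <= due else "late"
    return status


if __name__ == "__main__":
    # Constructed timestamps: detected 10:00 UTC, classified 23 hours later, so the cap binds.
    detected = datetime(2025, 3, 1, 10, 0, tzinfo=timezone.utc)
    classified = datetime(2025, 3, 2, 9, 0, tzinfo=timezone.utc)
    deadlines = reporting_deadlines(detected, classified)
    for stage, due in deadlines.items():
        print(f"{stage:>12}: {due.isoformat()}")
    print("24h cap binds:", cap_applies(detected, classified))
    filed = {
        "initial": datetime(2025, 3, 2, 9, 30, tzinfo=timezone.utc),
        "intermediate": datetime(2025, 3, 5, 11, 0, tzinfo=timezone.utc),
    }
    print(filing_status(deadlines, filed, now=datetime(2025, 3, 10, tzinfo=timezone.utc)))
```

Running it shows the late-classification case: the initial deadline is 2025-03-02T10:00Z (detection plus 24 hours), not 13:00Z, and an intermediate report sent at 11:00Z on March 5 is one hour late. Wiring `reporting_deadlines` to the timestamp at which the incident is classified, rather than computing it by hand during an outage, is the practical point of the 4-hour window.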
Digital Operational Resilience Testing. Basic vulnerability testing is required annually for all in-scope firms. Significant institutions must also complete Threat-Led Penetration Testing (TLPT) every three years. TLPT follows the TIBER-EU framework published by the ECB, which means accredited external red teams test live production systems, not sandboxes.
Third-Party ICT Risk Management. Firms must maintain a full register of all ICT third-party providers, classify each by criticality, and include mandatory contractual provisions in agreements with critical providers covering audit rights, exit strategies, data location requirements, and security obligations. Providers designated as critical face direct oversight, including information requests, inspections, and binding recommendations.
Information Sharing. Firms may voluntarily share cyber threat intelligence with trusted communities of financial entities, subject to confidentiality safeguards.
Penalties
DORA delegates penalty-setting to member states for financial entities, requiring only that sanctions be effective, proportionate, and dissuasive. For critical ICT third-party providers under direct EU oversight, the regulation sets periodic penalty payments of up to 1% of average daily worldwide turnover, applied for up to six months. The full regulation is at EUR-Lex, Regulation 2022/2554.
Relationship to NIS2
DORA is lex specialis relative to the NIS2 Directive. Financial entities that comply with DORA satisfy NIS2 requirements for ICT risk management and incident reporting, as stated in Recital 16 of the regulation. Compliance teams can treat DORA as the single rulebook for ICT resilience in the financial sector, with no duplicate reporting obligation.
Why DORA matters to compliance teams
The incident reporting timelines are tight. A 4-hour window for initial notification requires pre-approved classification criteria, clear internal escalation paths, and someone with authority to file at any hour of the day. What triggers a regulatory exam is a question worth revisiting under DORA: supervisors can now use resilience test results as an exam trigger, not just traditional financial compliance failures.
Third-party risk is where most institutions underestimated the work. Many banks have hundreds of ICT contracts, and a significant share predate DORA's mandatory clause requirements. Renegotiating those contracts, classifying providers by criticality, and building the required register is multi-year work. Firms that hadn't completed this work by January 2025 are now in remediation mode, with supervisors increasingly aware of where the gaps are.
Board ownership is a real shift. DORA requires the management body to approve the ICT risk management framework and bear individual responsibility for its implementation. That creates personal accountability that was easier to diffuse under earlier guidance.
For institutions using AI in operations, including AI for AML transaction monitoring, DORA's ICT risk framework applies to those systems directly. The EU AI Act adds a parallel obligation for high-risk AI systems. Who needs to comply with the EU AI Act, and when the EU AI Act takes effect, are questions every financial institution CTO is now mapping against existing DORA work, since the two regimes overlap on AI-driven ICT systems.
Non-compliance has escalating consequences. What happens when a bank fails a regulatory exam applies by analogy: supervisory escalation, enhanced monitoring, and in serious cases imposition of a monitorship are all available tools under DORA's enforcement framework.
Related questions
- What triggers a regulatory exam?
- Who needs to comply with the EU AI Act?
- When does the EU AI Act take effect?
- What happens when a bank fails an AML exam?
- What is a monitorship and when is one imposed on a bank?
Related concepts and regulations
- EU Regulation 2022/2554 (DORA) at EUR-Lex
- EBA DORA regulatory standards and technical standards
- TIBER-EU framework (ECB)
- NIS2 Directive (European Commission)
- Can AI be used for AML transaction monitoring?