The Digital Operational Resilience Act, commonly abbreviated DORA, is Regulation (EU) 2022/2554 of the European Parliament and of the Council, adopted on 14 December 2022 and published in the Official Journal on 27 December 2022. It became applicable on 17 January 2025, following a two-year implementation window. DORA forms part of the European Commission's broader Digital Finance Package alongside the Markets in Crypto-Assets Regulation (MiCA).
DORA's purpose is to harmonise rules on the operational resilience of the EU financial sector against information and communication technology (ICT) disruptions, including cyberattacks. Before DORA, ICT risk requirements were scattered across sectoral rules (CRD, Solvency II, MiFID II) and national supervisory guidance, producing fragmented obligations. The regulation consolidates these into a single binding framework.
The regulation applies to roughly 20 categories of financial entities, including banks, investment firms, insurers, crypto-asset service providers, central counterparties, trading venues, and crowdfunding service providers. It is structured around five core pillars:
- ICT risk management: a governance framework with board-level accountability.
- ICT-related incident reporting: classification, notification, and root-cause reporting to competent authorities, with templates developed by the European Supervisory Authorities (ESAs).
- Digital operational resilience testing: including threat-led penetration testing (TLPT) modelled on the TIBER-EU framework for significant entities.
- ICT third-party risk management: contractual requirements and a register of information on outsourcing arrangements.
- Information sharing on cyber threats among financial entities.
A novel feature is the Oversight Framework for Critical ICT Third-Party Service Providers (CTPPs), under which the ESAs (EBA, ESMA, EIOPA) can directly oversee designated cloud providers and other critical vendors—a first in EU financial regulation, which previously regulated only the financial entity, not its supplier. CTPPs may be fined up to 1% of average daily worldwide turnover per day of non-compliance. DORA is complemented by Directive (EU) 2022/2556, which amends sectoral directives for consistency.
Example
In January 2025, EU banks and insurers began submitting their first registers of information on ICT third-party arrangements to national competent authorities under DORA, with hyperscale cloud providers such as AWS and Microsoft Azure expected to be designated as Critical ICT Third-Party Providers later that year.
Frequently asked questions
DORA entered into force on 16 January 2023 and became applicable on 17 January 2025, giving financial entities and supervisors a two-year transition period.
Keep learning