The Digital Operational Resilience Act (DORA) is an EU regulation that creates a single, binding framework for managing information and communications technology (ICT) risk across the European financial system. Formally Regulation (EU) 2022/2554, it was adopted alongside an accompanying directive amending earlier financial-sector laws, and entered into application on 17 January 2025 after a two-year implementation window.
DORA covers a broad scope of financial entities — banks, investment firms, payment and e-money institutions, insurers and reinsurers, crypto-asset service providers, trading venues, central counterparties, fund managers, credit rating agencies, and others — as well as the critical ICT third-party providers (such as major cloud and software vendors) that serve them.
The regulation organises obligations around five main pillars:
- ICT risk management, requiring a documented framework approved by the management body.
- ICT-related incident reporting, with classification thresholds and harmonised notification templates to competent authorities.
- Digital operational resilience testing, including periodic basic testing and, for significant entities, threat-led penetration testing (TLPT) broadly aligned with the TIBER-EU framework.
- Third-party risk management, including mandatory contractual terms, a register of information on outsourcing arrangements, and concentration-risk monitoring.
- Information sharing on cyber threats among financial entities, on a voluntary basis.
A distinctive feature is the new Oversight Framework for ICT third parties designated as critical (CTPPs). The European Supervisory Authorities (EBA, ESMA, EIOPA) act as Lead Overseers, able to issue recommendations and, ultimately, periodic penalty payments to non-EU cloud providers and other critical vendors.
DORA is lex specialis relative to the NIS2 Directive for financial entities: where both could apply, DORA's more granular requirements generally prevail. Detailed implementation is fleshed out through Regulatory and Implementing Technical Standards drafted by the ESAs.
Example
In January 2025, EU banks and their cloud providers — including hyperscalers such as AWS, Microsoft Azure, and Google Cloud — began complying with DORA's contractual, reporting, and resilience-testing requirements.
Frequently asked questions
DORA entered into application on 17 January 2025, two years after its entry into force in January 2023.
Keep learning