Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a regulation introduced by the European Union to strengthen the digital resilience of financial entities. It entered into application on 17 Jan 2025 and ensures that banks, insurance companies, investment firms and other financial entities can withstand, respond to, and recover from ICT (Information and Communication Technology) disruptions, such as cyberattacks or system failures.

DORA brings harmonisation to rules relating to operational resilience for the financial sector, applicable to 20 different types of financial entities and ICT third-party service providers.

Why is DORA needed?

The financial sector is increasingly dependent on technology and on tech companies to deliver financial services. This makes financial entities vulnerable to cyber-attacks or incidents.

When not managed properly, ICT risks can lead to disruptions of financial services offered across borders. This in turn, can have an impact on other companies, sectors and even on the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector.

This is where the Digital Operational Resilience Act, or DORA, comes into play.

What does DORA cover?

ICT risk management
Principles and requirements on ICT risk management framework
ICT third-party risk management
Monitoring third-party risk providers
Key contractual provisions
Digital operational resilience testing
Basic and advanced testing
ICT-related incidents
General requirements
Reporting of major ICT-related incidents to competent authorities
Information sharing
Exchange of information and intelligence on cyber threats
Oversight of critical third-party providers
Oversight framework for critical ICT third-party providers

DORA legal provisions

The DORA regulation is implemented on three levels.

Level 1 - Regulation and amending Directive

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector

Directive (EU) 2022/2556 of the European Parliament and of the Council of 14 December 2022 amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience for the financial sector

Level 2 - Regulatory, implementing and delegated acts in the official journal

Level 3 - Guidelines

Reporting of the register of information:

Opinions:

EIOPA Opinion on the scope of DORA in light of the review of the Solvency II framework

Q&As on DORA:

Other resources: