European Insurance and Occupational Pensions Authority

Digital Operational Resilience Act (DORA)

Why is DORA needed?

The financial sector is increasingly dependent on technology and on tech companies to deliver financial services. This makes financial entities vulnerable to cyber-attacks or incidents.

When not managed properly, ICT risks can lead to disruptions of financial services offered across borders. This, in turn, can have an impact on other companies, sectors and even on the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector.

This is where the Digital Operational Resilience Act, or DORA, comes into play.

What does it cover?

  • ICT risk management

    Principles and requirements on ICT risk management framework

  • ICT third-party risk management

    Monitoring third-party risk providers

    Key contractual provisions

  • Digital operational resilience testing

    Basic and advanced testing

  • ICT-related incidents

    General requirements

    Reporting of major ICT-related incidents to competent authorities

  • Information sharing

    Exchange of information and intelligence on cyber threats

  • Oversight of critical third-party providers

    Oversight framework for critical ICT third-party providers

Resources

Implementing act

Implementing and delegated acts in the official journal

Policy products as prepared by the ESAs:

Other resources:

Consultations

Timeline for implementing legislative acts

The three European Supervisory Authorities (the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA)) are preparing a set of policy products to enable the application of DORA.

Timeline:

  1. 16 January 2023

    Entry into force of DORA

  2. 17 January 2025

    Application of DORA

  3. from 2025

    Start of the oversight activities for the ESAs (incl. CTPPs designation)