
The Digital Operational Resilience Act (DORA) is a regulation introduced by the European Union to strengthen the digital resilience of financial entities. It entered into application on 17 Jan 2025 and ensures that banks, insurance companies, investment firms and other financial entities can withstand, respond to, and recover from ICT (Information and Communication Technology) disruptions, such as cyberattacks or system failures.
DORA brings harmonisation to rules relating to operational resilience for the financial sector, applicable to 20 different types of financial entities and ICT third-party service providers.
Why is DORA needed?
The financial sector is increasingly dependent on technology and on tech companies to deliver financial services. This makes financial entities vulnerable to cyber-attacks or incidents.
When not managed properly, ICT risks can lead to disruptions of financial services offered across borders. This in turn, can have an impact on other companies, sectors and even on the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector.
This is where the Digital Operational Resilience Act, or DORA, comes into play.
What does DORA cover?
- ICT risk management
  - Principles and requirements on the ICT risk management framework
- ICT third-party risk management
  - Monitoring of risk from ICT third-party providers
  - Key contractual provisions
- Digital operational resilience testing
  - Basic and advanced testing
- ICT-related incidents
  - General requirements
  - Reporting of major ICT-related incidents to competent authorities
- Information sharing
  - Exchange of information and intelligence on cyber threats
- Oversight of critical third-party providers
  - Oversight framework for critical ICT third-party providers
DORA legal provisions
The DORA regulation is implemented on three levels.
Level 1 - Regulation and amending Directive
Level 2 - Regulatory technical standards (RTS), implementing technical standards (ITS) and delegated regulations (DR) published in the Official Journal
- RTS on ICT risk management framework
- RTS on ICT incidents classification
- RTS on ICT incidents reporting process
- ITS on ICT incidents reporting
- RTS on Threat Led Penetration Testing (TLPT)
- RTS on ICT third-party policy
- RTS on subcontracting
- ITS on Register of Information
- DR on CTPPs designation criteria
- DR on DORA oversight fees
- RTS on harmonisation of oversight conditions
- RTS on Joint Examination Team (JET)
Level 3 - Guidelines
- Guidelines on oversight cooperation
- Guidelines on estimation of aggregated annual costs and losses caused by major ICT-related incidents
Reporting of the register of information:
- ESAs Decision on the reporting by competent authorities to the ESAs of information necessary for the designation of critical ICT third-party service providers
- Reporting tools
Other resources:
- ESAs Report on the feasibility for further centralisation of reporting of major ICT-related incidents under DORA
- ESAs public statement on DORA application
- Establishing the EU's systemic cyber incident coordination framework (EU-SCICF)
- ESAs' report on the landscape of ICT third-party providers in the EU
- Commission’s rejection letter of the ITS on register of information
- ESAs' response to the Commission's rejection of ITS on registers of information
- ESAs' response to the Commission's rejection of RTS on subcontracting
- Roadmap for CTPPs designation
Oversight

DORA establishes an EU-wide oversight framework for critical ICT third-party providers (CTPPs) to ensure that the financial sector remains secure and resilient against ICT disruptions.
The oversight framework helps to address potential systemic and concentration risks arising from the financial sector's reliance on a limited number of ICT providers.
Declarations of interest
Members, alternates and observers of the DORA Oversight Forum (OF) are subject to the Ethics Rules for non-staff members of the ESAs and shall declare any interest as defined in Article 1(2) in relation to entities defined in Article 3(23) of DORA.
- 15 DECEMBER 2025