EU Regulation (EU) 2022/2554

DORA — Digital Operational Resilience Act

DORA (the Digital Operational Resilience Act) entered into application on 17 January 2025. It establishes a binding EU-wide framework for ICT risk management, operational resilience testing, third-party risk, and major incident reporting for the financial sector. Unlike NIS2, DORA is a directly applicable Regulation — no national transposition is needed.

Who is in scope?

DORA covers a broad range of financial entities supervised at both EU and national level:

Micro-enterprises (fewer than 10 employees, turnover <€2M) are exempt from some requirements but must still meet baseline ICT risk management obligations.

The five DORA pillars

1. ICT Risk Management

Financial entities must maintain a documented ICT risk management framework approved by the management body, with continuous monitoring, protection, and detection capabilities (DORA Articles 5–14).

2. ICT Incident Reporting

Major ICT incidents must be reported to the competent authority: initial report within 4 hours, intermediate report within 24 hours, and a final root-cause report within 1 month (DORA Articles 17–23).

3. Digital Operational Resilience Testing

Entities must run regular ICT resilience tests. Significant financial entities must conduct threat-led penetration testing (TLPT) at least every 3 years (DORA Articles 24–27).

4. ICT Third-Party Risk Management

Entities must maintain an ICT third-party register, include mandatory contractual provisions in ICT contracts, and manage concentration risk. The EC can designate Critical Third-Party Providers (CTPPs) subject to direct EU oversight (DORA Articles 28–44).

5. Information and Intelligence Sharing

Financial entities may voluntarily participate in cyber threat intelligence sharing arrangements, fostering collective resilience across the sector (DORA Article 45).


DORA compliance by EU country


For decision-support purposes only. Verify obligations with a qualified financial regulatory expert.