DORA — Digital Operational Resilience Act
DORA (the Digital Operational Resilience Act) entered into application on 17 January 2025. It establishes a binding EU-wide framework for ICT risk management, operational resilience testing, third-party risk, and major incident reporting for the financial sector. Unlike NIS2, DORA is a directly applicable Regulation — no national transposition is needed.
Who is in scope?
DORA covers a broad range of financial entities supervised at both EU and national level:
- Credit institutions (banks)
- Insurance and reinsurance undertakings
- Investment firms and fund managers (UCITS management companies and AIFMs)
- Payment institutions and electronic money institutions
- Crypto-asset service providers (CASPs) authorised under MiCA
- Central counterparties (CCPs) and central securities depositories (CSDs)
- Trading venues and data reporting service providers
- ICT third-party service providers, including those designated as critical (CTPPs)
Microenterprises (financial entities with fewer than 10 employees and an annual turnover or balance-sheet total not exceeding €2 million) benefit from proportionality and are exempt from some requirements, but must still meet the baseline ICT risk management obligations.
The five DORA pillars
ICT Risk Management
Financial entities must maintain a documented ICT risk management framework approved by the management body, with continuous identification, protection, detection, response and recovery capabilities (DORA Articles 5–16; Article 16 sets out the simplified framework for smaller entities).
ICT Incident Reporting
Major ICT-related incidents must be reported to the competent authority in three stages: an initial notification within 4 hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report, including root-cause analysis, within one month of the intermediate report (DORA Articles 17–23 and the associated RTS on incident reporting).
Digital Operational Resilience Testing
Entities must run regular ICT resilience tests. Significant financial entities must conduct threat-led penetration testing (TLPT) at least every 3 years (DORA Articles 24–27).
ICT Third-Party Risk Management
Entities must maintain a register of information on all contractual arrangements with ICT third-party service providers, include mandatory contractual provisions in ICT contracts (Article 30), and assess and manage ICT concentration risk. The European Supervisory Authorities (EBA, EIOPA and ESMA) can designate ICT third-party service providers as critical (CTPPs), placing them under direct EU-level oversight (DORA Articles 28–44).
Information and Intelligence Sharing
Financial entities may voluntarily participate in cyber threat intelligence sharing arrangements, fostering collective resilience across the sector (DORA Article 45).
Official sources
- NIS2 Directive (EU) 2022/2555 — EUR-Lex
- DORA Regulation (EU) 2022/2554 — EUR-Lex
- ENISA — EU Agency for Cybersecurity
Last reviewed: 2026-07-03
For decision-support purposes only. Verify obligations with a qualified financial regulatory expert.