DORA
DORA (Digital Operational Resilience Act) is the EU regulation on digital operational resilience for the financial sector. The regulation sets requirements for ICT risk management, incident reporting, resilience testing and management of risks from ICT third parties. It has applied since 17 January 2025.
What is DORA?
DORA (Regulation (EU) 2022/2554) is the EU's regulation on digital operational resilience for the financial sector. It establishes a comprehensive framework to ensure that financial entities can withstand, respond to and recover from all types of ICT-related disruptions and threats.
Unlike a directive, DORA is a regulation and therefore directly applicable in all EU Member States without the need for national transposition. It has applied since 17 January 2025, replacing a patchwork of national rules and guidelines with a single, harmonised set of requirements.
Who is subject to DORA?
DORA applies to a broad range of financial entities, including:
- Banks and credit institutions
- Payment institutions and electronic money institutions
- Investment firms and trading venues
- Insurance and reinsurance undertakings
- Pension funds (IORPs)
- Crypto-asset service providers
- Central securities depositories and central counterparties
- ICT third-party service providers designated as critical
DORA's five pillars
DORA is structured around five core pillars that together form a comprehensive framework for digital operational resilience:
- ICT risk management: Financial entities must establish and maintain a robust ICT risk management framework, including governance arrangements, risk identification, protection, detection and response capabilities.
- Incident reporting: Significant ICT-related incidents must be classified and reported to the competent authority within prescribed timeframes, using harmonised templates.
- Resilience testing: Entities must conduct regular testing of their ICT systems, including threat-led penetration testing (TLPT) for significant entities.
- Third-party risk management: DORA introduces requirements for managing ICT third-party risk, including key contractual provisions, a register of information on ICT third-party arrangements, and an oversight framework for critical third-party providers.
- Information sharing: Financial entities are encouraged to exchange cyber threat intelligence and information among themselves to strengthen collective resilience.
DORA vs NIS2
DORA and NIS2 both address cybersecurity, but they apply to different sectors and at different levels of specificity. DORA is a lex specialis for the financial sector, meaning that where DORA imposes specific requirements, these take precedence over the general NIS2 requirements. Financial entities subject to DORA are generally considered to meet the corresponding NIS2 obligations.
Already applicable: DORA has applied since 17 January 2025. Financial entities and their critical ICT third-party service providers must already comply with all requirements. Supervisory authorities have begun exercising their oversight powers under the regulation.
Frequently Asked Questions about DORA
What is DORA?
DORA (Digital Operational Resilience Act) is EU Regulation 2022/2554 on digital operational resilience for the financial sector. It sets requirements for ICT risk management, incident reporting, resilience testing, third-party risk management and information sharing.
When did DORA come into effect?
DORA entered into force on 16 January 2023 and has applied since 17 January 2025. As a regulation, it is directly applicable in all EU Member States without the need for national transposition.
Who must comply with DORA?
DORA applies to a broad range of financial entities including banks, payment institutions, investment firms, insurance undertakings, pension funds, crypto-asset service providers and critical ICT third-party service providers.
What are DORA's five pillars?
DORA is built on five pillars: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management and information-sharing arrangements between financial entities.
How does DORA relate to NIS2?
DORA is lex specialis for the financial sector: where DORA imposes specific requirements, these take precedence over the general NIS2 requirements. Financial entities subject to DORA are generally considered to meet corresponding NIS2 obligations.
.legal A/S