Skip to main content
DORA Auditor

What is DORA?

Last updated: 3 authoritative sourcesDORA Auditor Editorial Team

DORA, the Digital Operational Resilience Act, Regulation (EU) 2022/2554, is an EU regulation that sets uniform requirements for the security of network and information systems across the financial sector. It has applied directly in all member states since 17 January 2025 and is organised around five pillars: ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing.

Why DORA exists

Financial services depend on ICT systems and, increasingly, on a small number of third-party providers for cloud, data, and software. Before DORA, digital-resilience rules were fragmented across member states and sectors. DORA replaces that patchwork with a single, directly applicable framework so that financial entities can withstand, respond to, and recover from ICT-related disruptions.

From the regulation

“This Regulation lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities.”, DORA, Article 1

The five pillars

Every DORA obligation maps to one of five areas:

  1. ICT risk management (Article 6), a governance framework for identifying, protecting, detecting, responding to, and recovering from ICT risk.
  2. ICT incident reporting (Articles 17–23), classifying and reporting major ICT-related incidents to competent authorities on defined timelines.
  3. Digital operational resilience testing (Articles 24–27), regular testing, including threat-led penetration testing (TLPT) for significant entities.
  4. ICT third-party risk (Articles 28–30), managing outsourcing risk and maintaining a register of information on ICT third-party arrangements.
  5. Information sharing (Article 45), voluntary exchange of cyber-threat intelligence between financial entities.

Who must comply

DORA covers roughly twenty categories of financial entity, including credit institutions, payment and e-money institutions, investment firms, insurers, and crypto-asset service providers, as well as the critical ICT third-party providers that serve them, who fall under a new EU oversight framework.

What happens if you don't comply

Competent authorities can require remediation, impose administrative penalties, and, for designated critical ICT providers, levy periodic penalty payments. See DORA penalties for the enforcement detail.

Frequently asked questions

When did DORA come into force?
Who does DORA apply to?
What is the difference between DORA and NIS2?

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex
  2. ESMA, Digital Operational Resilience Act (DORA)
  3. European Banking Authority, DORA