What is DORA?
DORA, the Digital Operational Resilience Act, Regulation (EU) 2022/2554, is an EU regulation that sets uniform requirements for the security of network and information systems across the financial sector. It has applied directly in all member states since 17 January 2025 and is organised around five pillars: ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing.
Why DORA exists
Financial services depend on ICT systems and, increasingly, on a small number of third-party providers for cloud, data, and software. Before DORA, digital-resilience rules were fragmented across member states and sectors. DORA replaces that patchwork with a single, directly applicable framework so that financial entities can withstand, respond to, and recover from ICT-related disruptions.
From the regulation
The five pillars
Every DORA obligation maps to one of five areas:
- ICT risk management (Article 6), a governance framework for identifying, protecting, detecting, responding to, and recovering from ICT risk.
- ICT incident reporting (Articles 17–23), classifying and reporting major ICT-related incidents to competent authorities on defined timelines.
- Digital operational resilience testing (Articles 24–27), regular testing, including threat-led penetration testing (TLPT) for significant entities.
- ICT third-party risk (Articles 28–30), managing outsourcing risk and maintaining a register of information on ICT third-party arrangements.
- Information sharing (Article 45), voluntary exchange of cyber-threat intelligence between financial entities.
Who must comply
DORA covers roughly twenty categories of financial entity, including credit institutions, payment and e-money institutions, investment firms, insurers, and crypto-asset service providers, as well as the critical ICT third-party providers that serve them, who fall under a new EU oversight framework.
What happens if you don't comply
Competent authorities can require remediation, impose administrative penalties, and, for designated critical ICT providers, levy periodic penalty payments. See DORA penalties for the enforcement detail.
Frequently asked questions
When did DORA come into force?
DORA entered into force on 16 January 2023 and has applied since 17 January 2025, after a two-year implementation period.
Who does DORA apply to?
DORA applies to around 20 categories of financial entity, banks, insurers, investment firms, payment institutions, crypto-asset service providers and more, plus the critical ICT third-party providers that serve them.
What is the difference between DORA and NIS2?
NIS2 is a broad cybersecurity directive; DORA is a sector-specific regulation for financial entities. Where both could apply, DORA takes precedence as lex specialis for ICT operational resilience. See our DORA vs NIS2 comparison.