What is DORA? The Digital Operational Resilience Act

DORA is EU Regulation 2022/2554, in force since 17 January 2025. It sets uniform requirements for the digital operational resilience of EU financial institutions — here's everything you need to know.

  • 20+ entity types covered
  • In full force since January 2025
  • 5 compliance pillars
  • Maximum fine: 2% of annual turnover

DORA in Plain English

DORA — the Digital Operational Resilience Act (EU Regulation 2022/2554) — is the EU's comprehensive law requiring financial institutions to withstand, respond to, and recover from ICT (information and communication technology) disruptions.

The regulation was adopted in December 2022 and became fully applicable on 17 January 2025. It applies to over 22,000 financial entities across the EU, from large banks to small payment institutions.

DORA's core insight: in modern finance, a cyberattack or IT failure is as dangerous as a liquidity crisis. Financial regulators need to supervise digital resilience just as rigorously as they supervise capital adequacy.

The Problem DORA Solves

Before DORA, ICT risk rules for financial firms were fragmented across member states and sectors. A payment processor in Germany faced different digital resilience rules than one in France or Italy. This inconsistency created regulatory arbitrage and systemic gaps. DORA creates a single harmonised framework across all EU member states and all financial sectors.

Not Just a Cybersecurity Law

DORA covers cybersecurity, but also operational resilience more broadly — IT failures, power outages, third-party outages, natural disasters affecting ICT systems. If an event disrupts digital operations, DORA applies.

The 5 Pillars of DORA

DORA organises its requirements into five interconnected pillars, each addressed by specific RTS (Regulatory Technical Standards) and ITS (Implementing Technical Standards).

1. ICT Risk Management

Comprehensive governance framework — risk identification, protection, detection, response and recovery. Management body accountability.

2. ICT Incident Reporting

Classification and reporting of major ICT incidents to competent authorities. Strict timelines: 4-hour initial notification, 72-hour report, 1-month final report.

3. Digital Resilience Testing

Annual basic testing for all entities. Advanced Threat-Led Penetration Testing (TLPT) mandatory for significant institutions every 3 years.

4. Third-Party Risk Management

Oversight of ICT service providers. Contract requirements, due diligence, register of information. Critical providers overseen directly by ESAs.

5. Information Sharing

Voluntary arrangements to share cyber threat intelligence and information across financial entities to strengthen sector-wide resilience.

Who Does DORA Apply To?

DORA has one of the broadest scopes of any EU financial regulation. Article 2 lists 21 types of financial entities in scope.

IN SCOPE

  • Credit institutions (banks)
  • Payment institutions
  • Electronic money institutions
  • Investment firms
  • Crypto-asset service providers (CASPs)
  • Central securities depositories
  • Central counterparties (CCPs)
  • Trading venues
  • Trade repositories
  • Insurance & reinsurance undertakings
  • Insurance intermediaries
  • Occupational pension funds
  • Credit rating agencies
  • Statutory auditors
  • Data reporting service providers
  • ICT third-party service providers (designated CTPPs)

EXEMPTIONS

  • Micro-enterprises (under certain thresholds) — proportionality applies
  • Small non-interconnected investment firms
  • Some insurance intermediaries below thresholds
  • ICT providers not formally designated as critical
  • EU subsidiaries of non-EU groups (to the extent covered by equivalent rules)

Proportionality: Smaller entities face lighter requirements — regulators apply a proportionality principle based on size, risk profile, and systemic importance.

Key Compliance Requirements

ICT Risk Management Framework

Every in-scope entity must have a documented ICT risk management framework, approved at management body level. This must cover identification of ICT assets and risks, protection and prevention measures, detection of anomalies, response and recovery processes, and post-incident learning and improvement.

Incident Reporting

Major ICT incidents must be reported to the competent authority within strict timeframes. A preliminary notification within 4 hours, an intermediate report within 72 hours, and a final report within one month. The DORA RTS on incident reporting defines the classification criteria for what constitutes a "major" incident.

Third-Party Risk: Register of Information

All financial entities must maintain a Register of Information documenting all contractual arrangements with ICT third-party service providers. This register must be submitted to competent authorities by 30 April 2025 for most entities. The ESAs published a standard template for the register in early 2025.

Contract Requirements for ICT Providers

DORA mandates specific clauses in contracts with ICT providers covering: service levels, audit rights, data access and portability, subcontracting arrangements, termination rights, and business continuity. Existing contracts must be updated to include DORA provisions.

DORA Timeline

November 2022

DORA published in the Official Journal of the EU. 24-month implementation period begins.

January 2024

ESAs publish first batch of RTS/ITS drafts for public consultation. Institutions begin gap analysis and implementation planning.

January 2025

DORA fully applicable. All requirements in force. Supervisors begin monitoring compliance. TLPT programmes initiated for large institutions.

April 2025

Register of Information submission deadline for most entities (exact date per national competent authority guidance).

2025–2026

First TLPT cycles for designated large institutions. Supervisory assessments and enforcement actions for non-compliance begin.

Ongoing

Annual resilience testing, continuous monitoring, incident reporting, and third-party oversight required for all in-scope entities.

DORA Penalties for Non-Compliance

DORA grants competent authorities broad supervisory and enforcement powers. Administrative penalties under Article 50 can be severe.

Maximum fines by entity type:

  • Financial entities (general): up to 2% of total annual worldwide turnover (Art. 50(4)(a))
  • Natural persons: up to €1,000,000 (Art. 50(4)(b))
  • Critical ICT third-party providers: up to 1% of average daily worldwide turnover, per day, for up to 6 months (Art. 35(4))

Beyond Fines: Competent authorities can also suspend or prohibit ICT services, require appointment of a special manager, temporarily ban senior managers, and issue public notices of violation. Reputational damage often exceeds the direct financial penalty.

DORA vs Other EU Regulations

DORA vs NIS2

NIS2 (Network and Information Security Directive 2) covers cybersecurity for critical sectors broadly. DORA is lex specialis for financial entities — it takes precedence over NIS2 for firms in DORA's scope. Financial entities don't need to comply with NIS2 requirements covered by DORA.

DORA and GDPR

DORA and GDPR overlap on incident notification (ICT incidents may involve personal data breaches requiring GDPR notification) and third-party contracts. DORA doesn't replace GDPR — both apply independently. Organisations must satisfy both notification timelines.

DORA and SREP

ECB supervisors will integrate DORA compliance into their Supervisory Review and Evaluation Process (SREP) for significant institutions, alongside capital and liquidity assessments.
