EU 2022/2554

DORA

Digital Operational Resilience Act

The EU's comprehensive framework for ICT risk management in the financial sector. Covers cybersecurity, incident reporting, resilience testing, and third-party oversight.

64 Articles · Fully Applicable · 20+ Entity Types

Overview

DORA creates a harmonized framework for digital operational resilience across the EU financial sector, ensuring entities can withstand, respond to, and recover from ICT-related disruptions.

Five Pillars of DORA

  1. ICT Risk Management: Comprehensive framework for identifying, protecting against, detecting, and responding to ICT risks
  2. Incident Reporting: Harmonized classification and reporting of major ICT incidents
  3. Resilience Testing: Regular testing including threat-led penetration testing (TLPT)
  4. Third-Party Risk: Managing risks from ICT service providers including oversight framework
  5. Information Sharing: Voluntary arrangements for cyber threat intelligence

Regulation Structure

  I. General Provisions (Articles 1-4): Subject matter, scope, definitions, and proportionality principle.
  II. ICT Risk Management (Articles 5-16): ICT risk management framework, governance, business continuity, and learning processes.
  III. ICT-Related Incident Management (Articles 17-23): Classification, reporting, harmonization of reporting, and voluntary notification.
  IV. Digital Operational Resilience Testing (Articles 24-27): Testing requirements, threat-led penetration testing, and mutual recognition.
  V. Managing ICT Third-Party Risk (Articles 28-44): Third-party risk principles, contractual arrangements, and oversight framework.
  VI. Information Sharing Arrangements (Article 45): Voluntary cyber threat intelligence sharing among financial entities.

Frequently Asked Questions

Who must comply with DORA?

DORA applies to virtually all regulated financial entities in the EU including banks, investment firms, insurers, payment institutions, e-money institutions, CASPs, and critical ICT third-party providers.

What are the incident reporting requirements?

Major ICT incidents must be reported to competent authorities using harmonized templates. Initial notification within 24 hours, intermediate report within 72 hours, and final report within one month.

What testing is required under DORA?

All entities must conduct regular ICT testing. Significant entities must perform threat-led penetration testing (TLPT) at least every three years on critical functions.

Key Dates

December 14, 2022: DORA published in Official Journal
January 16, 2023: DORA entered into force
January 17, 2025: DORA became fully applicable
2025-2026: RTS/ITS implementation ongoing

Entities in Scope

Credit institutions
Investment firms
Payment institutions
E-money institutions
Crypto-asset service providers (CASPs)
Insurance undertakings
Central securities depositories
Trading venues
Trade repositories
Credit rating agencies