The Digital Operational Resilience Act (DORA) is an EU regulation that sets binding, harmonised rules for how financial firms manage information and communication technology (ICT) risk and withstand cyberattacks and IT disruptions. Adopted as Regulation (EU) 2022/2554, it entered into force on 27 December 2022 and has applied directly across all EU Member States since 17 January 2025. Because it is a regulation, not a directive, it applies without the need for national transposition.

DORA consolidates what were previously fragmented, sector-by-sector ICT rules into a single rulebook covering five core areas: ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing. It is accompanied by Directive (EU) 2022/2556, which aligned existing financial-services directives with the new framework.

What is DORA and why was it introduced?

DORA (Regulation (EU) 2022/2554) creates a single, EU-wide framework for digital operational resilience in the financial sector. Its goal is to ensure financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats, including cyberattacks and system failures.

Before DORA, ICT and cyber rules were scattered across multiple directives and supervisory guidelines, applied inconsistently across sectors and Member States. DORA replaces that patchwork with directly applicable, harmonised obligations, supplemented by detailed Regulatory and Implementing Technical Standards (RTS/ITS) developed by the European Supervisory Authorities (the ESAs: EBA, ESMA and EIOPA).

Who must comply with DORA?

DORA applies to a broad range of financial entities, and — uniquely — to the ICT third-party service providers that serve them.

In-scope financial entities include:

  • Credit institutions (banks), payment institutions, e-money institutions and account information service providers
  • Investment firms, trading venues, central counterparties (CCPs) and central securities depositories (CSDs)
  • Insurance and reinsurance undertakings and intermediaries
  • Crypto-asset service providers and issuers of asset-referenced tokens
  • Managers of alternative investment funds (AIFMs) and UCITS management companies
  • Institutions for occupational retirement provision (IORPs), credit rating agencies and others

Proportionality applies. Microenterprises and certain small entities are subject to a simplified ICT risk-management framework and are generally exempt from the most demanding obligations (such as advanced threat-led penetration testing). Some very small or low-risk entities may be excluded entirely under the relevant sectoral thresholds.

What are the five pillars of DORA?

DORA's requirements are commonly grouped into five pillars:

  1. ICT risk management — A comprehensive framework with board-level accountability for identifying, protecting, detecting, responding to and recovering from ICT risks; including asset mapping, business-continuity and disaster-recovery plans.
  2. ICT-related incident management, classification and reporting — Processes to detect, manage and classify incidents, and to report major ICT-related incidents to competent authorities on a defined timeline.
  3. Digital operational resilience testing — A risk-based testing programme; significant entities must also undergo threat-led penetration testing (TLPT).
  4. ICT third-party risk management — Managing risks from outsourced ICT services, including mandatory contractual provisions and a register of information on all third-party arrangements.
  5. Information sharing — Voluntary arrangements for exchanging cyber threat intelligence among financial entities.

A related strand — direct oversight of critical ICT third-party providers by the ESAs — sits alongside these pillars.

What are DORA's incident reporting requirements and timelines?

Financial entities must classify ICT-related incidents and report those deemed major to their competent authority. Under the technical standards developed by the ESAs, reporting follows a three-stage process:

  • Initial notification — submitted as early as possible, generally within 4 hours of classifying the incident as major, and no later than 24 hours from becoming aware of it.
  • Intermediate report — typically due within 72 hours of the initial notification, with updated information.
  • Final report — due within one month, including root-cause analysis, impact and remediation.

The clock for the initial notification runs from classification as major, not detection. Entities must also notify clients where the incident affects their financial interests, and may voluntarily report significant cyber threats.

How does DORA regulate ICT third parties and resilience testing?

ICT third-party risk

Financial entities remain fully responsible for compliance even when ICT services are outsourced. They must maintain a register of information on all contractual arrangements, ensure contracts contain DORA's mandatory provisions (audit rights, exit strategies, service levels, sub-contracting controls), and assess concentration risk.

Oversight of critical providers (CTPPs)

The ESAs designate certain providers — such as major cloud platforms — as critical ICT third-party providers (CTPPs), each assigned a Lead Overseer with direct oversight powers. This is one of the first EU regimes to supervise tech providers directly.

Resilience testing

All in-scope entities run a testing programme (e.g. vulnerability assessments). Entities identified as significant — excluding microenterprises — must perform advanced threat-led penetration testing (TLPT) at least every three years, drawing on the TIBER-EU methodology.

What are the penalties for non-compliance with DORA?

DORA itself does not fix a single EU-wide fine for financial entities. Instead, national competent authorities set and impose administrative penalties and remedial measures under their existing powers, and DORA requires these to be effective, proportionate and dissuasive. Penalties can include fines, public reprimands, orders to cease conduct and withdrawal of authorisation, with details varying by Member State.

For critical ICT third-party providers, DORA writes a penalty regime directly into the text: the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover, applied daily for up to six months, to compel compliance.

How should organisations prepare for DORA compliance?

DORA has applied since 17 January 2025, so in-scope entities should already be operating to it. Practical, regulation-aligned steps include:

  • Establish board-level ownership of the ICT risk-management framework, with clear governance and accountability.
  • Map ICT assets and dependencies, including business-continuity and recovery arrangements.
  • Build incident detection, classification and reporting processes that can meet the 4-hour / 72-hour / one-month timeline.
  • Compile and maintain the register of information on all ICT third-party arrangements, and remediate contracts to include DORA's mandatory clauses.
  • Stand up a resilience testing programme, and prepare for TLPT if identified as a significant entity.
  • Track the RTS/ITS and ESA guidance, which add operational detail beyond the Level 1 text.

Frequently asked questions

When did DORA take effect?

DORA entered into force on 27 December 2022 and has applied since 17 January 2025. As a regulation, it applies directly in all EU Member States without national transposition.

Is DORA a regulation or a directive?

DORA is a regulation — Regulation (EU) 2022/2554 — so it is directly binding across the EU. It is accompanied by Directive (EU) 2022/2556, which amended existing financial-services directives to align them with DORA.

Does DORA apply to non-EU companies?

DORA primarily binds EU financial entities. However, ICT third-party providers serving them — including non-EU firms such as global cloud providers — can fall within scope, and those designated as critical (CTPPs) face direct ESA oversight. Providers may also be bound indirectly through DORA's mandatory contract requirements.

What counts as a 'major' ICT-related incident under DORA?

Major incidents are determined using classification criteria in the regulation and supporting technical standards — based on factors such as clients and transactions affected, data losses, geographic spread, duration/downtime, economic impact and reputational harm. Only incidents meeting these thresholds trigger mandatory reporting.

What is threat-led penetration testing (TLPT) under DORA?

TLPT is advanced, intelligence-led red-team testing that simulates real attacker tactics against live systems. Financial entities identified as significant (excluding microenterprises) must conduct it at least every three years, following the TIBER-EU framework.

How does DORA relate to NIS2?

DORA is sector-specific to financial services and operates as lex specialis — its detailed ICT rules take precedence for financial entities over the more general NIS2 Directive (EU) 2022/2555, while the two frameworks are designed to be complementary.

Official sources