TL;DR
The Digital Operational Resilience Act (DORA) is an EU regulation that strengthens the digital resilience of financial entities by requiring robust ICT risk management practices.
It applies to a wide range of financial organizations, from banks and insurance firms to crypto providers and crowdfunding platforms.
DORA mandates specific measures including incident reporting, third-party risk oversight, and resilience testing, all under a unified regulatory framework.
The regulation came into effect in January 2023 and became fully applicable in January 2025, with oversight activities now underway.
While DORA focuses exclusively on the financial sector, it complements broader cybersecurity regulations like NIS2 by addressing sector-specific digital risks.
The Digital Operational Resilience Act, or DORA for short, is an EU regulation that aims to strengthen the IT security of financial entities, such as banks and investment firms, in the face of unforeseen or severe operational disruptions. In this article, we’ll examine what it is and what businesses need to do to prepare.
What is the DORA Regulation?
In a nutshell, the Digital Operational Resilience Act was introduced to strengthen the digital operational resilience of the EU financial sector against ICT-related incidents. It consolidates the rules relating to the operational resilience of 20 different types of financial entities and ICT third-party service providers.
Before DORA, financial institutions mainly handled operational risks by setting aside capital to offset potential losses. This approach was lacking, particularly because it failed to adequately account for all aspects of digital resilience, especially related to Information and Communication Technology (ICT).
What does DORA Cover?
DORA covers the following areas:
ICT Risk Management: This is a framework that sets down principles and requirements for ICT risk management.
ICT Third-Party Risk Management: This covers how to mitigate ICT third-party risks.
Digital Operational Resilience Testing: This encompasses a range of operational risk testing, including advanced testing.
ICT-Related Incidents: This lays down requirements for the reporting of ICT-related incidents, and the notification of major events to the relevant authorities.
Information Sharing: This lays down requirements for the exchange of information and intelligence on cyber threats.
Oversight of Critical Third-Party Providers: This is an oversight framework for critical ICT third-party providers, as determined by the European Supervisory Authorities (ESAs) for the financial sector.
What Businesses does DORA Regulate?
DORA regulates the following businesses:
Credit institutions
Payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366
Account information service providers
Electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC
Investment firms
Crypto-asset service providers and issuers of asset-referenced tokens
Central securities depositories
Central counterparties
Trading venues
Trade repositories
Managers of alternative investment funds
Management companies
Data reporting service providers
Insurance and reinsurance undertakings
Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
Institutions for occupational retirement provision
Credit rating agencies
Administrators of critical benchmarks
Crowdfunding service providers
Securitisation repositories
DORA Regulation Timeline
DORA officially entered into force in January 2023 with a planned 24-month vacatio legis period so financial institutions could prepare for and implement it. In January 2025, it began to apply in full.
Here is the DORA regulation timeline:
16 January 2023: DORA enters into force
29 September 2023: ESAs' technical advice on criticality criteria and oversight fees
17 January 2024: First batch of policy mandates
17 July 2024: Second batch of policy mandates
17 January 2025: DORA applies
From 2025 Onwards: Start of the oversight activities, including the designation of critical third-party providers
DORA Regulation Requirements
DORA lays out an extensive and comprehensive list of requirements, but in general terms financial institutions are now required to establish a robust ICT risk management framework incorporating cybersecurity policies, business continuity plans, and backup strategies. Regular testing of systems and applications is required to assess their resilience. They must also manage the risks linked to third-party ICT providers by ensuring those providers comply with DORA and by conducting audits. Any significant ICT incident must be reported to the appropriate authorities, and financial institutions are expected to share information about cyber threats with one another.
Specific regulations and guidelines can be found at the links below.
Risk Management
The regulations relating to the technical standards specifying ICT risk management tools, methods, processes, and policies, and the simplified ICT risk management framework can be found here.
The regulations relating to technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers can be found here.
The regulations relating to the standard templates for the register of information can be found here.
Incident Reporting
The regulations relating to technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents can be found here.
Guidelines on the estimation of aggregated annual costs/losses caused by major ICT incidents can be found here.
Regulations relating to technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats can be found here.
Regulations relating to standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat can be found here.
Oversight Framework
Guidelines on cooperation between the ESAs and competent authorities (CAs) regarding the structure of the oversight can be found here.
Regulations on the criteria for the designation of ICT third-party service providers as critical for financial entities can be found here.
Regulations on the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid can be found here.
Regulations on the technical standards on harmonisation of conditions enabling the conduct of the oversight activities can be found here.
DORA and NIS2
DORA and NIS2 (Network and Information Security Directive 2) are both pieces of European Union legislation aimed at strengthening cybersecurity, but they have distinct scopes and objectives.
NIS2 is the updated version of the original NIS Directive, broadening its reach to include more sectors and improving incident reporting, risk management, and security measures across essential and important entities. It applies to a wide range of industries, including energy, transport, health, and digital infrastructure.
DORA, on the other hand, is specifically designed for the financial sector. It focuses on ensuring the digital operational resilience of financial entities by setting strict requirements for ICT risk management, incident reporting, and third-party risk oversight.
While both aim to enhance cybersecurity, DORA is sector-specific, whereas NIS2 applies more broadly.
FAQs
What is DORA?
The Digital Operational Resilience Act (DORA) is an EU regulation aimed at ensuring the digital operational resilience of financial entities. It sets requirements for managing ICT risks, enhancing cybersecurity, and ensuring business continuity. DORA ensures that financial institutions can withstand and recover from digital disruptions and cyberattacks.
What does the DORA Regulation apply to?
DORA applies to a wide range of financial entities within the EU, including banks, insurers, investment firms, and payment service providers. It covers ICT risk management, third-party vendor oversight, incident reporting, and testing to enhance resilience against digital threats. It also applies to critical third-party ICT service providers.
Is DORA a regulation or directive?
DORA is a regulation, not a directive. As a regulation, it has direct applicability in EU member states without needing national transposition. This ensures consistent enforcement and implementation across all EU countries, providing a uniform framework for managing ICT risks within the financial sector.
Is DORA applicable in the UK?
DORA is not directly applicable in the UK since it is an EU regulation. However, UK financial entities may still be impacted indirectly, particularly if they have operations within the EU or deal with EU financial services. UK regulations address similar operational resilience concerns independently.
Sources last checked on: 20 March 2025
This publication is provided for general information purposes and does not constitute legal, tax or other professional advice from Ivy GmbH or its subsidiaries and its affiliates, and it is not intended as a substitute for obtaining advice from a financial advisor or any other professional. We make no representations, warranties or guarantees, whether expressed or implied, that the content in the publication is accurate, complete or up to date.