
Digital Operational Resilience Act (DORA)

EU regulation on digital operational resilience for the financial sector.

EU · Updated May 2026

IN A NUTSHELL
What: EU regulation establishing a unified framework for ICT risk management and digital operational resilience in the financial sector.
Who: Banks, insurers, investment firms, payment institutions, crypto-asset service providers, and their critical ICT third-party service providers.
When: Fully applicable since 17 January 2025. All covered entities must have compliance frameworks operational now.
Penalty: National competent authorities set penalties; critical ICT providers face direct oversight and periodic penalty payments by the ESAs.
OVERVIEW

Applicable since 17 January 2025, the Digital Operational Resilience Act establishes a unified framework for managing information and communication technology (ICT) risks in the European financial sector. DORA recognises that financial institutions' dependence on technology creates systemic vulnerabilities that existing sectoral rules addressed only in a fragmented manner. By harmonising ICT risk management requirements across the financial industry, it aims to ensure that firms can withstand, respond to, and recover from all types of ICT-related disruptions and threats.

DORA applies to a broad range of financial entities, including banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, and trading venues. Critically, it also brings ICT third-party service providers, including cloud computing providers, into the regulatory perimeter through a dedicated oversight framework. This means that technology vendors serving the financial sector must themselves meet specific requirements and may be subject to direct supervision by European Supervisory Authorities.

Key obligations under DORA span five pillars: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, managing ICT third-party risk, and information sharing. Financial entities must implement comprehensive ICT risk management frameworks, classify and report major ICT-related incidents to competent authorities, and conduct regular resilience testing, including advanced threat-led penetration testing for significant institutions. The regulation mandates detailed contractual requirements for arrangements with ICT service providers and encourages voluntary cyber threat intelligence sharing among financial entities.

The timeline for DORA implementation began with its entry into force in January 2023, with full application from January 2025. Financial entities and their critical ICT providers should now have operational compliance frameworks in place. The European Supervisory Authorities have published Regulatory Technical Standards and guidelines detailing specific requirements for incident classification, testing methodologies, and third-party risk management.

DORA complements the NIS2 Directive as a lex specialis for the financial sector, meaning that where DORA applies, its requirements take precedence over the more general NIS2 provisions. It also intersects with the Cyber Resilience Act regarding the security of ICT products used in financial services. For financial institutions and their technology partners, DORA represents a fundamental shift toward treating digital operational resilience as a core regulatory obligation, not merely an IT concern.


KEY OBLIGATIONS (ICT third-party service providers)
If designated as critical ICT third-party provider, comply with ESA oversight framework
Meet contractual requirements demanded by financial entity clients under DORA
Support financial entities in resilience testing and incident reporting
Maintain exit strategies and data portability capabilities for financial clients
YOUR FIRST STEP

Determine whether your services to financial entities may lead to designation as a critical ICT third-party provider by the European Supervisory Authorities

KEY COMPLIANCE REQUIREMENTS
01 ICT risk management framework: Implement a comprehensive, documented ICT risk management framework approved by the management body.
02 Incident classification and reporting: Classify ICT-related incidents using the ESA methodology and report major incidents to competent authorities.
03 Digital resilience testing: Conduct regular resilience testing; significant institutions must perform threat-led penetration testing (TLPT) at least every 3 years.
04 Third-party risk management: Maintain a register of all ICT third-party arrangements and ensure contracts meet DORA-specified requirements.
05 Information sharing: Participate in voluntary cyber threat intelligence sharing arrangements with other financial entities.
06 Exit strategies: Develop exit strategies for all critical ICT third-party services to ensure operational continuity if a provider fails.
RELATED TOPICS
NIS2 Directive; Financial Services Regulation; EU Cyber Resilience Act (CRA)