DORA

Digital Operational Resilience Act (EU 2022/2554)

RegulationEU

The Digital Operational Resilience Act establishes a comprehensive ICT risk management framework for financial entities across the EU. Enforced since January 2025, it applies to 20 types of financial entities and their critical ICT third-party service providers.

Articles

Entity Types

Key Pillars

Jan 2025

Enforced

Who Needs to Comply

Financial Entities (20 types)

Credit institutions, payment institutions, e-money institutions
Investment firms, central counterparties, central securities depositories
Insurance and reinsurance undertakings
UCITS management companies, AIFMs
Crypto-asset service providers, credit rating agencies

ICT Third-Party Providers

Critical ICT third-party service providers (CTPPs) designated by ESAs
Subject to EU oversight framework led by Lead Overseers

Key Compliance Areas

Art. 5-16

ICT Risk Management

Comprehensive governance for ICT risk covering identification, protection, detection, response, and recovery. Simplified framework for smaller entities.

Art. 17-23

Incident Management & Reporting

Mandatory incident classification and reporting of major ICT incidents to competent authorities using harmonised templates.

Art. 24-27

Resilience Testing

Annual testing of all critical ICT systems. Threat-led penetration testing (TLPT) for systemically important entities.

Art. 28-44

Third-Party Risk Management

Strategy for ICT third-party risk with mandatory contractual provisions, due diligence, and EU oversight framework for critical providers.

Art. 45

Information Sharing

Voluntary exchange of cyber threat information between financial entities to enhance collective resilience.

How Orizon Helps

ICT Risk Assessment

Map your ICT landscape, identify critical functions, and assess risks against DORA’s five-pillar framework.

Gap Analysis

Compare your current ICT risk management, incident reporting, and testing capabilities against DORA requirements.

Third-Party Review

Audit ICT third-party contracts for DORA-compliant provisions and establish ongoing monitoring processes.

Testing Programme

Design and implement resilience testing including annual ICT testing and, where required, threat-led penetration testing.

Reporting Framework

Establish incident classification and reporting workflows aligned with DORA’s harmonised templates and timelines.

Regulatory Deep-Dive

For enforcement timelines, penalties, and detailed regulatory analysis, see our DORA Regulatory Intelligence page.

View regulatory intelligence

Official Sources

Assess Your Compliance

Expert guidance for your DORA compliance journey.

Get Started