DORA

Regulation on digital operational resilience for the financial sector

EU 2022/2554Enforced — Enforced 17 January 2025

The Digital Operational Resilience Act establishes a comprehensive ICT risk management framework for financial entities across the EU. It applies to 20 types of financial entities and their critical ICT third-party service providers, requiring robust incident management, resilience testing, and third-party oversight.

Articles

Entity Types in Scope

Chapters

Jan 2025

Enforced

Implementation Timeline

27 December 2022

Published in Official Journal of the EU

16 January 2023

Entered into force

17 January 2024

First batch of RTS/ITS published by ESAs

17 July 2024

Second batch of RTS/ITS published by ESAs

17 January 2025

Full application - all requirements enforceable

Who's In Scope

Financial Entities (20 types)

Credit institutions (banks)
Payment institutions
Electronic money institutions
Investment firms
Central counterparties (CCPs)
Central securities depositories (CSDs)
Insurance and reinsurance undertakings
UCITS management companies
Alternative investment fund managers (AIFMs)
Crypto-asset service providers
Credit rating agencies
Trade repositories
Crowdfunding service providers

ICT Third-Party Providers

Critical ICT third-party service providers (CTPPs) - designated by ESAs
Subject to EU oversight framework led by Lead Overseers

Key Requirements

Art. 5-16

ICT Risk Management Framework

Comprehensive governance and organisation for ICT risk, covering identification, protection, detection, response, recovery, and communication. Includes simplified framework for smaller entities (Art. 16).

Art. 17-23

ICT Incident Management & Reporting

Mandatory incident management process, classification of ICT incidents and cyber threats, and reporting of major incidents to competent authorities. Includes harmonised reporting templates.

Art. 24-27

Digital Operational Resilience Testing

Annual testing of all ICT systems supporting critical functions. Includes advanced threat-led penetration testing (TLPT) for systemically important entities.

Art. 28-44

ICT Third-Party Risk Management

Strategy and policy for ICT third-party risk. Mandatory contractual provisions, due diligence, continuous monitoring, and an EU oversight framework for critical ICT providers.

Art. 45

Information Sharing

Voluntary exchange of cyber threat information and intelligence between financial entities to enhance collective digital operational resilience.

Penalties & Enforcement

Financial Entities

Member State discretion

Article 50 delegates penalty-setting to Member States. Penalties must be effective, proportionate and dissuasive. Member States may also impose criminal penalties (Art. 52).

Critical ICT Providers (CTPPs)

1% avg daily worldwide turnover

Lead Overseer can impose periodic penalties of up to 1% of average daily worldwide turnover for up to 6 months for non-compliance (Art. 35(8)).

How Orizon Can Help

NIS2 & DORA Readiness

We provide structured preparation and compliance support for DORA.

Learn more

Official Sources

Assess Your Readiness

Schedule a consultation with our regulatory experts to assess your DORA compliance posture and build a practical roadmap.

Get Started