The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, became applicable on 17 January 2025. It is the EU's comprehensive framework for digital operational resilience in the financial sector, addressing a long-standing gap in EU financial services regulation: the inconsistent and fragmented approach to ICT risk management across different types of financial entity. DORA establishes uniform requirements for ICT risk management, incident reporting, operational resilience testing, and third-party ICT risk — and applies directly across all EU member states without the need for national transposition.
Who Is In Scope?
DORA applies to a wide range of financial entities regulated in the EU, including:
- Credit institutions (banks)
- Payment institutions and e-money institutions
- Investment firms and trading venues
- Central securities depositories and central counterparties
- Insurance and reinsurance undertakings
- Insurance intermediaries
- Crypto-asset service providers (CASPs) authorised under MiCA
- Crowdfunding service providers
- Management companies (UCITS, AIFMs)
- Critical ICT third-party service providers (CTTPSs) — designated by the European Supervisory Authorities
Proportionality applies: microenterprises and small financial entities benefit from simplified requirements in certain areas, though core obligations remain.
ICT Risk Management Framework
DORA requires financial entities to maintain a comprehensive ICT risk management framework (Articles 5–16). Key requirements include:
- Governance: Management body accountability for ICT risk, with clear roles and responsibilities defined. The management body must have sufficient knowledge to understand and challenge ICT risk reporting.
- ICT risk identification: Maintaining a complete, classified inventory of ICT assets (hardware, software, data, third-party services) and mapping dependencies.
- Protection and prevention: Implementing technical and organisational measures including network segmentation, patch management, data integrity controls, and encryption of data in transit and at rest.
- Detection: Establishing anomaly detection mechanisms and monitoring capabilities to identify ICT-related incidents promptly.
- Response and recovery: Documented BCM and ICT disaster recovery plans with defined RTOs and RPOs tested at least annually.
- Learning and evolving: Post-incident reviews, threat intelligence gathering, and regular updates to the ICT risk framework.
Incident Reporting and TLPT
Incident reporting: DORA introduces harmonised ICT-related incident reporting to competent authorities. Major ICT-related incidents must be reported using standardised templates within defined timelines: initial notification (within 4 hours of classifying as major, no later than 24 hours after becoming aware), intermediate report (within 72 hours), and final report (within one month). Significant cyber threats — even those that do not materialise into incidents — must also be notified on a voluntary basis.
Digital Operational Resilience Testing (DORA Article 24–27): Financial entities must conduct a programme of ICT testing. All in-scope entities must conduct basic testing (vulnerability assessments, scenario-based testing, network security testing) at least annually. Significant financial entities — those identified as systemically important — must additionally conduct Threat-Led Penetration Testing (TLPT) at least every three years. TLPT is a sophisticated red team exercise based on actual threat intelligence, conducted by accredited testers using the TIBER-EU framework.
Third-Party ICT Risk
One of DORA's most significant innovations is its treatment of ICT third-party risk (Articles 28–44). Financial entities must:
- Maintain a complete register of all ICT third-party service providers
- Assess and classify contractual arrangements by criticality
- Include mandatory contractual provisions in agreements with ICT providers — covering audit rights, SLAs, data security, business continuity, and exit strategies
- Conduct regular monitoring and risk assessment of critical ICT providers
The most critical cloud and technology providers to the financial sector are designated as Critical Third-Party Providers (CTTPSs) and subject to direct oversight by the European Supervisory Authorities (ESAs) — a significant expansion of regulatory reach into the technology supply chain.
A DORA audit examines the completeness and effectiveness of your ICT risk management framework, incident classification and reporting procedures, resilience testing programme, and third-party risk management arrangements — providing assurance to your board, regulators, and counterparties.