Any Questions? We've got you Covered

We know DORA can feel overwhelming, but it doesn’t have to be.

Our FAQ breaks down the Digital Operational Resilience Act into clear, practical answers so you can focus on getting compliant without the stress.

DORA is an EU regulation (Regulation (EU) 2022/2554) aimed at strengthening the digital operational resilience of financial entities and their ICT third-party providers by establishing harmonized requirements across the EU. 


DORA entered into application on 17 January 2025, following a two-year implementation period.

DORA applies to a broad range of financial entities, including banks, investment firms, insurance undertakings, payment institutions, crypto-asset service providers, central counterparties, and others. It also covers ICT third-party service providers designated as critical by EU supervisory authorities.

DORA is built around five key areas:

Firms must:

Financial entities must maintain a comprehensive Register of Information (RoI) documenting contracts with ICT third parties, at individual, sub-consolidated, and consolidated levels. Reporting to the European Supervisory Authorities (ESAs) is done via competent national authorities. In 2025, the reference date was 31 March, and from 2026 onwards, it will be 31 December of the preceding year.

The ESAs have developed Technical Standards (RTS) and Implementing Standards (ITS) to operationalize DORA’s rules—covering incident classification, TLPT, simplified risk frameworks, and contract templates. Some standards were adopted in 2024, with more pending publication.

There is no transitional period post-17 January 2025; most requirements have been effective since early 2022. Firms were expected to have identified and begun closing any compliance gaps ahead of the application date.

Consequences may include fines, public warnings, mandated remediation plans, and in severe cases, withdrawal of authorization. Critical ICT third-party providers face additional sanctions, such as up to 1% of global daily turnover per day, for non-compliance.

Six months into implementation, firms are actively embedding DORA into operations. They have invested heavily (nearly half spending over €1 million), expanded staff responsibilities, and enhanced incident response and third-party oversight systems. DORA is increasingly seen as a strategic investment in resilience rather than just compliance.

You don’t need to be a banker to understand that our modern economy runs on digital infrastructure. From transferring funds and processing insurance claims to simply checking an account balance, nearly every critical financial service depends on complex, interconnected IT systems.

But what happens when these systems fail? The cost is more than just downtime; it’s a loss of customer trust, financial stability, and economic integrity.

This is where DORA comes in.

What is DORA? (And No, It’s Not the Explorer)

DORA stands for the Digital Operational Resilience Act. It is a landmark piece of European Union legislation that was formally adopted and entered into force on January 16, 2023. However, the regulation provides an implementation period, meaning the strict deadline for full compliance is January 17, 2025.

In simple terms, DORA is a comprehensive, unified regulatory framework designed to ensure that the entire financial sector can withstand, respond to, and recover from all types of ICT-related disruptions and threats.

Think of it as a stringent set of rules that makes the digital backbone of finance more resilient against cyber-attacks, technical failures, and other severe operational shocks. Its goal is to fortify the financial system, protecting it from the cascading failures that a single point of weakness could cause.

Who Needs to Care About DORA?

If you think this is just a problem for big banks in Frankfurt, think again. DORA’s scope is vast and intentionally inclusive. It applies to:

This last point is crucial. For the first time, major tech providers (like AWS, Google Cloud, Microsoft Azure, and others) will be directly subject to EU financial supervision. If your company provides ICT services to a financial entity, DORA applies to you, too.

The 5 Pillars of DORA: What Does It Actually Require?

ICT-Related Incident Reporting

Major incidents must be reported to regulators quickly and consistently. This allows authorities to see the bigger picture and identify systemic risks early.

ICT Risk Management

Firms must have a robust, well-documented, and continuous framework to manage ICT risk. This isn’t a one-off project; it’s an integral part of your corporate governance.

Digital Operational Resilience Testing

You can’t just say you’re resilient; you have to prove it. DORA mandates regular advanced testing (like penetration testing, threat-led penetration testing, and scenario-based tests) to uncover weaknesses before attackers do.

ICT Third-Party Risk Management

Financial entities are responsible for the risks posed by their vendors. DORA establishes strict rules for managing third-party relationships, particularly with critical providers, and introduces oversight powers for EU regulators over these tech giants.

Information Sharing

DORA encourages the voluntary sharing of cyber threat information and intelligence between companies (e.g., best practices, threat indicators) to strengthen the sector’s collective defense.

Get the Free Checklist!

See what our templates have to offer for your business. Customize it by using your personal Agent.