What is DORA? The Digital Operational Resilience Act Explained
The Digital Operational Resilience Act (DORA) is an EU regulation that establishes a unified framework for managing ICT (Information and Communication Technology) risks across the financial sector. If you operate a fintech, provide services to banks, or work in insurance, investment, or crypto, DORA likely applies to you.
DORA became fully applicable on January 17, 2025, marking a significant shift in how EU financial institutions must approach digital and operational risk. Unlike previous approaches that focused primarily on capital allocation to cover potential losses, DORA requires financial entities to implement comprehensive measures for identifying, protecting against, detecting, responding to, and recovering from ICT-related disruptions.
Key Takeaways
| Point | Summary |
|---|---|
| What it is | EU Regulation (EU) 2022/2554 establishing cybersecurity and operational resilience requirements for the financial sector |
| Effective date | Fully applicable since January 17, 2025 |
| Who it applies to | 20 categories of financial entities plus their ICT service providers |
| Penalties | Administrative penalties for financial entities are set by each member state's competent authority (Art. 50); designated critical ICT third-party providers can face periodic penalty payments of up to 1% of average daily worldwide turnover (Art. 35) |
| Key difference from other regulations | DORA is a regulation (directly applicable), not a directive, creating uniform standards across all EU member states |
Quick Answer: DORA is an EU regulation that requires financial institutions and their ICT service providers to implement robust cybersecurity measures, report incidents within strict timelines, conduct regular resilience testing, and manage third-party ICT risks. It applies to banks, insurers, investment firms, fintechs, crypto providers, and many others operating in the EU financial sector.
Why DORA Exists
The financial sector's increasing reliance on technology has created new vulnerabilities. A single cyber incident at a major bank or payment processor can cascade across the entire financial system, affecting millions of customers and potentially destabilizing markets.
Before DORA, EU financial regulation addressed ICT risks inconsistently:
- Fragmented approach. Different member states applied varying standards for cybersecurity and operational resilience
- Capital-focused mindset. Financial institutions primarily managed operational risk by setting aside capital for potential losses, rather than actively preventing incidents
- Gaps in third-party oversight. The growing dependence on cloud providers and other technology vendors created systemic risks that existing regulations did not adequately address
DORA addresses these gaps by creating a single, harmonized framework that applies directly across all EU member states.
The Five Pillars of DORA
DORA is structured around five key areas that together form a comprehensive approach to digital operational resilience:
| Pillar | What It Covers |
|---|---|
| ICT Risk Management | Documented frameworks for identifying, protecting against, detecting, and responding to ICT risks |
| Incident Reporting | Classification of ICT-related incidents and reporting of major ones to the competent authority in three stages (initial notification, intermediate report, final report) within strict timelines |
| Resilience Testing | An annual testing programme (vulnerability assessments, scenario-based tests and similar), plus threat-led penetration testing (TLPT) at least every three years for entities identified by their competent authority |
| Third-Party Risk Management | Requirements for managing ICT service providers, including contractual obligations and exit strategies |
| Information Sharing | Voluntary arrangements for sharing cyber threat intelligence among financial entities |
Each pillar builds on the others. Effective risk management depends on thorough testing; incident reporting requires robust detection capabilities; and managing third-party risk means understanding your own ICT landscape first.
DORA vs. Other Frameworks
If you are already working on compliance with other frameworks, here is how DORA compares:
| | DORA | NIS 2 | ISO 27001 |
|---|---|---|---|
| Type | EU Regulation | EU Directive | International Standard |
| Sector focus | Financial services only | 18 critical sectors | Any organization |
| Legal status | Directly applicable law | Requires national transposition | Voluntary certification |
| Enforcement | Financial regulators | National authorities | Certification bodies |
| Penalty basis | Set by member states for financial entities; up to 1% of average daily worldwide turnover for designated critical ICT providers | Up to EUR 10 million or 2% of worldwide annual turnover (essential entities) | Loss of certification |
| Third-party focus | Extensive requirements | Supply chain security | Supplier relationships |
| Testing requirements | Annual testing programme; TLPT at least every three years for entities identified by competent authorities | General testing obligation | Risk-based approach |
Financial entities subject to DORA may also fall under NIS 2, though DORA is considered the more specific (lex specialis) regulation for the financial sector. ISO 27001 certification can support DORA compliance but does not guarantee it.
Who Does DORA Apply To?
DORA applies to 20 categories of financial entities, including:
- Credit institutions (banks)
- Payment institutions and electronic money institutions
- Investment firms and fund managers
- Insurance and reinsurance undertakings
- Crypto-asset service providers
- Central securities depositories and central counterparties
- Trading venues and data reporting services
- Credit rating agencies
- Crowdfunding service providers
Importantly, DORA also reaches ICT third-party service providers. Most are not supervised under DORA themselves; instead, their financial entity clients must ensure that contracts contain the provisions DORA requires (Art. 30), and the clients remain responsible for the risk. ICT providers designated as critical (CTPPs) come under direct EU-level oversight by one of the European Supervisory Authorities acting as Lead Overseer.
Timeline and Current Status
| Date | Milestone |
|---|---|
| December 2022 | DORA formally adopted by European Parliament and Council |
| January 16, 2023 | Regulation entered into force |
| January 17, 2025 | DORA became fully applicable |
| April 2025 | First annual collection of Registers of Information by competent authorities, forwarded to the ESAs |
| 2027 | First TLPT cycle completion for designated entities |
Financial entities should now have their frameworks, policies, and reporting structures in place. Regulators have indicated that 2025 is a transition year, but firms significantly short of compliance may face early enforcement action.
Common Questions
Is DORA mandatory for all financial institutions?
Yes. DORA is an EU regulation, which means it is binding in its entirety and directly applicable in all EU member states. Unlike directives, it does not require national transposition. In-scope financial entities must comply or face penalties.
Does DORA apply to non-EU companies?
DORA can apply to non-EU companies in two ways. First, if a non-EU financial entity operates within the EU, it falls under DORA's scope. Second, non-EU ICT service providers serving EU financial entities will be affected indirectly through contractual requirements imposed by their clients. Critical ICT third-party providers established outside the EU and designated for oversight must establish an EU subsidiary within 12 months of designation.
How does DORA relate to existing financial regulations?
DORA complements existing financial sector regulations by adding a harmonized layer of ICT risk requirements. It applies alongside prudential regulations (CRR/CRD, Solvency II) and conduct regulations (MiFID II, PSD2). Where conflicts arise, DORA as the more specific regulation takes precedence for ICT-related matters.
Can existing ISO 27001 certification help with DORA compliance?
Yes. ISO 27001 provides a strong foundation for meeting many DORA requirements, particularly around risk management, incident handling, and access control. However, DORA has specific requirements that go beyond ISO 27001, including the detailed incident reporting timeline, Register of Information, and TLPT requirements for designated entities.
How Bastion Helps with DORA Compliance
Bastion provides comprehensive support for financial entities navigating DORA compliance:
- Gap assessment. We evaluate your current ICT risk management framework against DORA requirements and identify areas requiring attention
- Policy development. We help develop the required policies, procedures, and documentation that satisfy DORA obligations
- ISO 27001 certification. Since ISO 27001 maps closely to many DORA requirements, achieving certification provides a strong compliance foundation
- Incident response planning. We help establish incident detection, classification, and reporting processes aligned with DORA timelines
- Third-party risk management. We assist with vendor assessment, contractual reviews, and Register of Information preparation
- Ongoing compliance. Continuous monitoring and regular reviews to maintain compliance as requirements evolve
Ready to explore your DORA compliance options? Talk to our team
Sources
- Regulation (EU) 2022/2554 (DORA) - Official text of the Digital Operational Resilience Act
- European Banking Authority - DORA - EBA regulatory activities and technical standards
- EIOPA - Digital Operational Resilience Act - Insurance sector guidance on DORA
