Regulation (EU) 2022/2554
Status
In force
Digital Operational Resilience Act
Also known as: DORA
DORA is an EU regulation that imposes binding digital operational resilience obligations directly on financial entities (credit institutions, investment firms, insurers, payment and e-money institutions, crypto-asset service providers and others listed in Article 2) and brings critical ICT third-party service providers under a Union-level oversight framework run by the ESAs. It covers ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management and information sharing. It entered into force on 16 January 2023 and has applied since 17 January 2025. Because it is a regulation rather than a directive like NIS2, it is directly applicable in every Member State without national transposition; for the financial sector it is also lex specialis, so where DORA covers a topic the corresponding NIS2 obligations do not apply.
Jurisdiction
European Union
Regulator
European Supervisory Authorities (EBA, ESMA, EIOPA), with supervision of individual entities by national competent authorities; the ESAs jointly oversee critical ICT third-party providers
Effective
17 January 2025
Sector
financial
Full Text / Summary
DORA establishes five pillars:
(1) ICT Risk Management (Chapter II, Articles 5-16): the management body is accountable for ICT risk, and each entity must maintain a documented ICT risk management framework covering identification, protection and prevention, detection, response and recovery, learning and evolving, and communication. A simplified framework applies to certain small entities under Article 16.
(2) ICT-Related Incident Management (Chapter III, Articles 17-23): incidents must be logged and classified against harmonised criteria (clients and counterparts affected, duration and service downtime, geographic spread, data losses, criticality of services, economic impact); major ICT-related incidents must be reported to the competent authority through initial, intermediate and final reports, and significant cyber threats may be notified voluntarily.
(3) Digital Operational Resilience Testing (Chapter IV, Articles 24-27): all entities other than microenterprises must run a proportionate testing programme (vulnerability assessments and scans, scenario-based tests, penetration tests and similar), and entities identified by their competent authority must additionally perform threat-led penetration testing (TLPT) at least every three years, against live production systems and in line with the TIBER-EU framework.
(4) ICT Third-Party Risk Management (Chapter V, Articles 28-44): entities must keep a register of information on all contractual arrangements with ICT third-party providers, assess concentration risk, include the mandatory contractual provisions of Article 30, and hold exit strategies for services supporting critical or important functions; the ESAs designate critical ICT third-party providers and oversee them through a Lead Overseer.
(5) Information and Intelligence Sharing (Chapter VI, Article 45): voluntary exchange of cyber threat information and intelligence within trusted communities of financial entities, with participation notified to competent authorities.
The ESAs (EBA, ESMA, EIOPA) have developed regulatory technical standards (RTS) and implementing technical standards (ITS), adopted by the Commission as delegated and implementing regulations, that set the detailed requirements for the ICT risk management framework, incident classification and reporting templates, the register of information, subcontracting of ICT services and TLPT. Enforcement and administrative penalties are set by Member States and applied by national competent authorities.