Launch Q3 2026
BearGuard®
BearGuard®
Governance & AI Guardrails
DE EN
🔒 EU/EEA Data Protection

DORA — Digital Operational Resilience Act

DORA (Regulation EU 2022/2554) strengthens the digital operational resilience of the EU financial sector with harmonized ICT risk management and resilience requirements.

LinkedIn X WhatsApp

Summary

The Digital Operational Resilience Act (DORA) is an EU Regulation (2022/2554) that establishes uniform requirements for ICT risk management, ICT incident reporting, digital operational resilience testing, and third-party risk management in the financial sector.

  • ICT risk management: Financial entities must establish and maintain a comprehensive ICT risk management framework.
  • Incident reporting: Harmonized classification and reporting of major ICT-related incidents to supervisory authorities.
  • Resilience testing: Regular testing including threat-led penetration testing (TLPT) for systemically important institutions.
  • Third-party risks: Strict contractual requirements for ICT third-party providers, especially cloud services.

History

DORA emerged in response to the financial sector's growing dependence on digital systems and increasing cyberattacks on financial institutions. The EU Commission published the draft in September 2020 as part of the "Digital Finance Package." After trilogue negotiations, DORA was published in the EU Official Journal on 27 December 2022 and entered into force on 17 January 2023. Application began on 17 January 2025, following the development of accompanying regulatory technical standards (RTS) and implementing technical standards (ITS) by the ESAs.

Scope

DORA applies directly (without national transposition) to a broad range of financial entities: banks, insurance companies, investment firms, payment institutions, e-money institutions, trading venues, central securities depositories, central counterparties, credit rating agencies, alternative investment fund managers, UCITS management companies, and crypto-asset service providers. In addition, ICT third-party providers designated as "critical" are subject to direct oversight by European Supervisory Authorities (ESAs).

Key Requirements

  • ICT risk management framework: Comprehensive strategy, governance, continuous monitoring and improvement.
  • Incident management: Classification, reporting within defined timelines (initial report: 4 hours for critical incidents), root cause analysis.
  • TLPT: Threat-led penetration testing at least every 3 years for significant institutions.
  • Third-party risk management: Contractual requirements, exit strategies, concentration risk monitoring.
  • Information sharing: Voluntary sharing of threat intelligence between financial entities.
  • Governance: Clear management body accountability for ICT risks.

Related Frameworks

GDPR/DSGVONIS2SanktionenCRA

Content last reviewed: 22 February 2026. Found an error or need an update? [email protected]