📘 What is DORA?
The Digital Operational Resilience Act (DORA) is a European Union regulation aimed at strengthening the resilience of the financial sector against ICT-related disruptions such as cyberattacks, system failures, or third-party outages.
DORA introduces binding rules for financial entities and critical service providers to ensure they can withstand, respond to, and recover from operational disruptions.
Adopted: December 2022 (Regulation (EU) 2022/2554); entered into force 16 January 2023
Applies from: 17 January 2025
⚖️ Who Must Comply?
DORA applies to a wide range of financial entities operating in the EU, including:
- Banks and investment firms
- Insurance and reinsurance companies
- Payment institutions and e-money providers
- Crypto-asset service providers
- ICT third-party service providers, including cloud providers, where designated as critical under DORA's oversight framework (they are overseen through that framework rather than regulated as financial entities)
🧱 Key Pillars of DORA
Pillar | Description |
---|---|
ICT Risk Management | Firms must maintain a documented ICT risk management framework with controls to identify, protect against, detect, respond to, and recover from ICT incidents, with the management body accountable for it. |
Incident Reporting | Major ICT-related incidents must be classified and reported to the competent authority within tight deadlines, as an initial notification followed by an intermediate and a final report. |
Digital Operational Resilience Testing | A regular testing programme is mandated, and entities identified by their authorities must also carry out advanced threat-led penetration testing (TLPT) at least every three years. |
Third-Party Risk Management | Governance of ICT providers across the contract lifecycle, including mandatory contractual provisions, a register of information on all ICT contractual arrangements, and assessment of concentration risk. |
Information Sharing | Encourages voluntary, secure exchange of cyber threat intelligence between financial entities. |
🔍 DORA vs Other Frameworks
Regulation | Focus | Legal status | Region |
---|---|---|---|
DORA | ICT resilience in the financial sector | Regulation (directly applicable, binding) | EU |
NIS2 | Cybersecurity across essential and important sectors | Directive (transposed into national law) | EU |
ISO 27001 | Information security management system | Voluntary, certifiable standard | Global |
SOC 2 | Controls against the trust services criteria (security, availability, etc.) | Voluntary attestation report | Global |
🕒 Timelines & Enforcement
- 16 January 2023: Regulation entered into force
- 17 January 2025: Applies in full; compliance required
- Ongoing: Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) drafted by the ESAs (EBA, ESMA, EIOPA) and adopted by the European Commission
Penalties are set by Member States and may include fines, administrative sanctions, or loss of operating licence.
🛠️ Practical Implications
For security and ops teams:
- Conduct gap assessments against DORA requirements
- Implement or enhance incident response playbooks
- Audit third-party service agreements for DORA alignment and build the register of information on ICT contracts
- Develop a digital resilience testing calendar, including TLPT where it applies
- Centralise incident logging and classification so that major incidents are identified and reported within the deadlines