Digital Operational Resilience Act (DORA)

In force · Finance · Regulation · Adopted: 14 December 2022 · Applies from: 17 January 2025

AI-assisted content notice: this page includes AI-assisted summaries, FAQs, and glossary entries prepared for navigation purposes. Verify the underlying legal text before relying on this content.

Summary

The Digital Operational Resilience Act (DORA) establishes a harmonised EU framework to ensure that financial entities can withstand, respond to and recover from ICT-related disruptions and cyber threats. It sets uniform requirements on ICT risk management, ICT-related incident reporting, digital operational resilience testing (including threat-led penetration testing), and the management of ICT third-party risk. DORA also creates an EU-level oversight regime for critical ICT third-party service providers to the financial sector, designated and supervised via the European Supervisory Authorities.

Who is affected?

DORA applies to a wide range of regulated financial entities in the EU (e.g., credit institutions, insurers, investment firms, payment and e-money institutions, trading venues, and certain crypto-asset service providers) and to ICT third-party service providers that supply them. Providers designated as critical ICT third-party service providers are subject to EU-level oversight in addition to contractual and risk-management requirements imposed on financial entities.

Scope

It covers ICT risk and operational resilience requirements for EU financial entities and the oversight/management of ICT third-party services used in the provision of financial services.

Key Points

  • Harmonised ICT risk management requirements across in-scope financial entities (governance, protection, detection, response and recovery).
  • Mandatory classification, logging and reporting of major ICT-related incidents (and certain significant cyber threats) to competent authorities.
  • Digital operational resilience testing programme, including threat-led penetration testing (TLPT) for certain entities at least every 3 years.
  • Comprehensive ICT third-party risk management, including detailed contractual requirements and exit/termination planning for critical functions.
  • EU oversight framework for critical ICT third-party service providers (CTPPs) with a Lead Overseer designated among the European Supervisory Authorities.
  • Acts as a sector-specific framework for the financial sector alongside horizontal cybersecurity rules (lex specialis where applicable).

Key Deadlines

  • 17 January 2025 — Application date (most provisions apply from this date).

Frequently Asked Questions

Who must comply with DORA?

DORA applies to a broad range of EU-regulated financial entities, including banks, insurers, investment firms, payment and e-money institutions, trading venues, and certain crypto-asset service providers. It also covers ICT third-party service providers that supply these entities, especially those designated as critical.

What is the main objective of DORA?

The main objective of DORA is to ensure that financial entities in the EU can withstand, respond to, and recover from ICT-related disruptions and cyber threats by establishing uniform requirements for digital operational resilience.

What are the key obligations for financial entities under DORA?

Financial entities must implement robust ICT risk management, classify and report major ICT-related incidents, conduct digital operational resilience testing, and manage ICT third-party risks, including contractual and exit planning requirements.

How does DORA address ICT third-party risk?

DORA requires financial entities to assess, monitor, and manage risks from ICT third-party service providers, with specific contractual requirements and contingency planning, especially for critical functions. Critical ICT third-party providers are subject to direct EU-level oversight.

What are the incident reporting requirements under DORA?

Financial entities must classify, log, and report major ICT-related incidents and certain significant cyber threats to their competent authorities, following harmonised procedures and timelines set by DORA.

What is threat-led penetration testing (TLPT) under DORA?

TLPT is a form of advanced resilience testing that simulates real-life cyber-attacks on financial entities' systems. Certain entities are required to undergo TLPT at least every three years to identify vulnerabilities and improve their defences.

What are the penalties for non-compliance with DORA?

Penalties for non-compliance are determined by national competent authorities and may include administrative fines, remedial measures, or other sanctions, depending on the severity and nature of the breach.

How does DORA interact with other EU cybersecurity laws?

DORA acts as a sector-specific (lex specialis) framework for the financial sector, complementing horizontal cybersecurity rules such as the NIS2 Directive. Where overlaps exist, DORA's requirements take precedence for in-scope financial entities.

What practical steps should financial entities take to comply with DORA?

Entities should review and update their ICT risk management frameworks, establish incident reporting procedures, plan for regular resilience testing, and ensure robust oversight and contractual arrangements with ICT third-party providers.

When does DORA become fully applicable?

DORA entered into force in January 2023, but its main requirements apply from 17 January 2025, giving entities time to prepare for full compliance.

Key Terms

ICT Risk Management
A systematic approach to identifying, assessing, and mitigating risks related to information and communication technology within financial entities.
Digital Operational Resilience
The ability of a financial entity to build, assure, and review its operational integrity and reliability in the face of ICT-related disruptions or threats.
ICT-related Incident
An event that compromises the availability, authenticity, integrity, or confidentiality of ICT systems, data, or services within a financial entity.
Threat-Led Penetration Testing (TLPT)
A controlled, intelligence-driven simulation of cyber-attacks on a financial entity's systems to test and improve its cyber resilience.
Critical ICT Third-Party Service Provider (CTPP)
An external ICT service provider whose services are deemed essential to the functioning of financial entities and are subject to EU-level oversight under DORA.
Lead Overseer
The European Supervisory Authority designated to coordinate and supervise the oversight of a critical ICT third-party service provider at the EU level.
Incident Reporting
The process by which financial entities classify, log, and notify competent authorities of major ICT-related incidents and significant cyber threats.
Exit/Termination Planning
The preparation of strategies and procedures for discontinuing or transferring critical ICT services provided by third parties to ensure business continuity.
Lex Specialis
A legal doctrine meaning 'the law governing a specific subject matter,' indicating that DORA's sector-specific rules take precedence over general cybersecurity laws for financial entities.
European Supervisory Authorities (ESAs)
EU bodies (EBA, EIOPA, ESMA) responsible for the oversight and coordination of financial supervision, including the designation of Lead Overseers under DORA.