DORA: Overview

Regulation: EU 2022/2554 (Digital Operational Resilience Act) Effective: 17 January 2025 (fully applicable) Scope: Digital operational resilience of the financial sector

---

What is DORA?

DORA (Digital Operational Resilience Act) is an EU regulation that establishes a uniform framework for managing ICT risks in the financial sector. It is a lex specialis --- for financial institutions it replaces NIS2 requirements in the areas of ICT risk management, incident reporting and resilience testing.

Who falls under DORA?

Financial entities (Art. 2)

Category	Examples
Credit institutions	Banks, savings banks
Payment institutions	Payment services, e-money
Investment firms	Securities dealers
Insurance undertakings	Life and non-life insurance
Reinsurance undertakings	Reinsurance companies
Pension funds	IORPs
Crypto-assets	Crypto-asset service providers (from MiCA)
ICT third parties	Critical ICT providers to the financial sector

Simplified regime (Art. 16)

Smaller entities may use a simplified ICT risk management framework.

Five pillars of DORA

Relationship to other regulations

DORA vs NIS2

Aspect	NIS2	DORA
Type	Directive	Regulation
Scope	All sectors	Financial sector only
Relationship	General framework	Lex specialis (replaces NIS2 for finance)
Incident reporting	24h/72h	By classification + ESAs
Testing	Pen tests	TLPT (Threat-Led) for significant institutions
Third-party	Supply chain	ICT concentration risk + ESAs oversight

DORA + GDPR + AI Act

Timeline

Penalties

Violation	Penalty
Financial entities	Up to EUR 10M or 1% of global turnover
Critical ICT providers	Up to EUR 1M daily (periodic penalty)
Individuals (management)	Possibility of individual sanctions

Supervisory authorities:

• National financial authority --- for domestic financial entities
• ESAs (EBA, EIOPA, ESMA) --- direct oversight of critical ICT providers

Key requirements

ICT Risk Management Framework (Art. 6)

• Documented framework approved by the board
• Digital Operational Resilience Strategy
• Risk tolerance defined by the board
• At least annual review

Incident Reporting (Art. 19)

Phase	Timeline	Content
Initial notification	Without undue delay	Basic incident information
Intermediate report	Ongoing	Updates, impacts
Final report	Within 1 month	Root cause, lessons learned

TLPT (Art. 26)

• For “significant” financial institutions (designated by the regulator)
• Threat-Led Penetration Testing
• Every 3 years
• Certified testers (TIBER-EU framework)

ICT Third-Party Registry (Art. 28)

• Register of all ICT third parties
• Identification of critical providers
• Submission of register to ESAs (deadline 30.4.2025)
• Ongoing updates

---

Next steps

1. Go through the DORA checklist
2. Check finance-specific guidance
3. Verify scope with your national regulator

---

Sources

• DORA Regulation (EU) 2022/2554 (EUR-Lex)
• EBA - DORA RTS/ITS
• ESMA - DORA Guidelines

---

Disclaimer

This content is for informational purposes only and does not constitute legal advice. For your organisation’s specific situation, we recommend consulting a qualified lawyer.

What’s next?

Need help with implementation? We offer a free 15-minute consultation.

Book a consultation -> | Test your readiness -> | Self-Assessment ->