🇪🇺 EU · Key Regulation
DORA
The Digital Operational Resilience Act, Regulation (EU) 2022/2554, is the EU's harmonised framework for managing information and communication technology risk across the financial sector. It became applicable on 17 January 2025 and applies to a broad range of regulated financial entities, including banks, payment institutions, investment firms, insurers, crypto-asset service providers and certain financial market infrastructures.
In this briefing
- What it is
- What does DORA do?
- Key things to know
Before DORA, ICT and operational-resilience requirements were spread across sector-specific rules, supervisory guidance and national frameworks. DORA introduces a common EU standard for how financial entities govern technology risk, respond to ICT incidents, test resilience and oversee the third parties that support critical or important functions.
DORA is not limited to cybersecurity. It addresses whether the organisation can prevent, withstand, respond to and recover from technology disruption while continuing to deliver regulated services.
What does DORA do?
Establishes an ICT Risk Management Framework
Requires financial entities to maintain a documented framework for identifying, protecting against, detecting, responding to and recovering from ICT-related risks. Responsibility for the framework ultimately sits with the management body.
Harmonises ICT Incident Reporting
Introduces common requirements for classifying and reporting major ICT-related incidents to competent authorities, supported by standard forms, timelines and reporting procedures.
Requires Operational Resilience Testing
Requires proportionate testing of ICT systems, controls and recovery arrangements. Certain firms must also conduct advanced threat-led penetration testing against live production systems.
Strengthens Third-Party Risk Management
Requires firms to assess and manage the risks created by cloud providers, software vendors, data providers and other ICT third parties throughout the contractual lifecycle.
Creates Oversight of Critical ICT Providers
Introduces an EU-level oversight framework for ICT third-party providers designated as critical to the financial sector, giving the European Supervisory Authorities powers to assess risk and issue recommendations.
Harmonises Requirements Across Financial Services
Creates a common operational-resilience baseline across financial entities that were previously subject to different sectoral and national requirements.
Key things to know
DORA is an operating-model requirement, not an IT project
Technology teams may lead parts of implementation, but compliance depends on governance, procurement, legal, risk, compliance, operations and business continuity working together. Treating DORA as a standalone cybersecurity exercise will leave material gaps.
The management body owns the framework
Senior management is expected to define risk tolerance, oversee the ICT risk framework, approve relevant policies and remain sufficiently informed about technology risk. Accountability cannot simply be delegated to the IT function.
Third-party registers require reliable data
Financial entities must maintain detailed registers of their ICT contractual arrangements. This requires consistent information on providers, services, subcontractors, locations, criticality and exit arrangements—not merely a list of vendors.
Contractual compliance does not remove operational risk
Including DORA clauses in an agreement is not enough. Firms must assess concentration risk, subcontracting, data access, audit rights, resilience, termination and whether the service can be replaced without unacceptable disruption.
Critical functions need proportionate controls
Firms must identify which services support critical or important functions and apply enhanced due diligence, testing, monitoring and exit planning to those arrangements.
The Level 1 Regulation is only the starting point
DORA is supplemented by RTS, ITS and supervisory materials covering areas such as ICT policies, incident reporting and third-party arrangements. Firms need to maintain a regulatory inventory and update their framework as technical standards develop.
For general information only. Not legal, regulatory or compliance advice.
Working With This Regulation?
Cryptliance helps firms understand what applies, what it means for the business and what to do next — across strategy, controls, product and market execution.