What is the DORA Regulation?
The DORA Regulation (Digital Operational Resilience Act, EU 2022/2554) is the European Union’s binding framework for digital operational resilience in the financial sector. The EU published it on 27 December 2022; it entered into force on 16 January 2023 and became fully applicable on 17 January 2025, so all in-scope financial entities must now comply with its requirements.
In practice, the DORA Regulation fills a critical gap in EU financial regulation: it standardizes ICT risk management, incident reporting, resilience testing, and third-party risk oversight across the entire financial sector, replacing the fragmented, sector-by-sector approaches that previously led to inconsistent protection levels across Member States.
What is the main goal of the DORA Regulation?
The DORA Regulation aims to harmonize digital operational resilience rules across the EU financial sector, ensuring that financial entities can withstand, respond to, and recover from ICT-related disruptions and threats. It also addresses the sector’s growing dependence on technology and third-party ICT providers, which creates systemic risk when a single provider fails or suffers a breach.
In practice, the regulation pursues two parallel objectives. First, it raises the baseline for ICT risk management and resilience across 21 types of financial entities. Second, it establishes EU-level oversight of critical ICT third-party service providers (CTPPs), because outsourcing a function does not eliminate the risk that comes with it.
Who does the DORA Regulation apply to?
The DORA Regulation applies to 21 different types of financial entities operating in the EU. The regulation defines its own scope rather than relying on national interpretations, which ensures consistent coverage across Member States, and it extends beyond traditional financial institutions to capture entities that were previously outside the regulatory perimeter.
In-scope entities include:
- Credit institutions, payment institutions, and electronic money institutions
- Investment firms, trading venues, and central counterparties
- Insurance and reinsurance undertakings
- Crypto-asset service providers and crowdfunding platforms
- ICT third-party service providers designated as critical by the European Supervisory Authorities (ESAs)
What are the four key areas the DORA Regulation covers?
The DORA Regulation organizes its requirements around four interconnected pillars, each addressing a different dimension of digital operational resilience. The pillars reinforce each other, so a weakness in one area reduces the effectiveness of the others.
The four pillars are:
- ICT risk management: financial entities must build, implement, and maintain a sound, comprehensive ICT risk management framework, including a documented strategy for ICT third-party risk covering critical or important functions
- ICT incident management and reporting: entities must detect, manage, and report major ICT incidents to competent authorities within harmonized timelines, and voluntarily report significant cyber threats
- Digital operational resilience testing: entities must test ICT tools and systems regularly, and certain entities must undergo advanced Threat-Led Penetration Testing (TLPT)
- ICT third-party risk management: entities must maintain a Register of Information (RoI) of all contractual arrangements with ICT providers, and apply enhanced oversight to subcontractors supporting critical or important functions
How does the DORA Regulation relate to NIS2 and other EU legislation?
The DORA Regulation acts as lex specialis relative to the NIS2 Directive and to specific provisions of the CER Directive: where DORA contains specific provisions on a matter, those provisions take precedence over the more general rules in NIS2 and CER. Financial entities subject to DORA therefore do not apply NIS2 cybersecurity requirements in parallel; they follow DORA exclusively for ICT and cyber risk management.
In practice, this distinction matters for financial groups with entities across multiple EU Member States. Compliance teams should map each entity to its applicable framework early, because applying both NIS2 and DORA requirements in parallel creates duplicated effort without adding compliance value.