
DORA is an EU regulation (Regulation (EU) 2022/2554) that establishes binding requirements for the digital operational resilience of financial entities operating within the European Union. It entered into application on 17 January 2025, following a two-year implementation period from its publication in December 2022. DORA applies directly across all EU member states without requiring transposition into national law, and compliance is supervised by each institution’s national competent authority. In Lithuania, the supervising authority is Lietuvos bankas (the Bank of Lithuania). In the majority of EU member states, supervision is conducted by the national financial services regulator.
DORA was introduced in response to the increasing dependence of financial institutions on ICT systems and third-party technology providers, and the growing frequency and severity of cyber incidents affecting the financial sector. The regulation consolidates and replaces a fragmented set of national guidelines and sector-specific requirements with a single, harmonised framework applicable across all categories of financial entity in the EU.
In a typical DORA compliance framework, a financial entity maps its ICT systems and third-party dependencies, establishes governance and risk management policies, implements incident detection and reporting procedures, conducts regular resilience testing, and manages contractual requirements with its ICT service providers. Each of these elements is subject to regulatory oversight and must be documented in a manner that enables the national competent authority to assess compliance during supervisory examinations.
Key Takeaways:
- DORA (Digital Operational Resilience Act) is an EU regulation that establishes a comprehensive framework for managing ICT (information and communications technology) risk across financial entities, including banks, payment institutions, e-money institutions, and their critical third-party ICT providers;
- DORA became directly applicable across all EU member states on 17 January 2025, with no transposition into national law required. Financial entities that were not compliant by this date are subject to supervisory enforcement by their national competent authority;
- DORA introduces five core requirements: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing arrangements.
Who DORA Applies To
DORA applies to a broad range of financial entities, including credit institutions, payment institutions, e-money institutions, investment firms, insurance undertakings, crypto-asset service providers, and central counterparties. It also applies directly to critical ICT third-party service providers (CTPPs) that provide services to financial entities within the EU, meaning that cloud providers, data analytics firms, and other technology vendors serving EU financial institutions are brought within the regulatory perimeter for the first time.
Micro-enterprises, defined as financial entities with fewer than ten employees and an annual turnover or balance sheet below two million euros, are subject to a simplified DORA regime with reduced requirements in certain areas.
The Five Pillars of DORA
ICT risk management: DORA requires financial entities to implement a comprehensive ICT risk management framework that covers the identification, protection, detection, response, and recovery functions across all ICT systems supporting their operations. The framework must be documented, approved by the management body, and reviewed at least annually. It must include an ICT business continuity policy, disaster recovery plans, and defined recovery time and recovery point objectives for critical systems. The management body bears direct responsibility for approving and overseeing the ICT risk management framework, and individual members may be held personally accountable for failures in ICT governance.
ICT-related incident reporting: Financial entities must establish processes for classifying, managing, and reporting ICT-related incidents. Major incidents must be reported to the national competent authority within defined timeframes: an initial notification within four hours of classifying the incident as major, an intermediate report within 72 hours, and a final report within one month of the incident being resolved. The European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA) have published joint regulatory technical standards defining the classification criteria for major incidents and the templates and procedures for regulatory reporting.
Digital operational resilience testing: DORA requires financial entities to conduct regular testing of their ICT systems and resilience capabilities. All financial entities must carry out basic resilience testing, including vulnerability assessments and scenario-based testing, at least annually. Significant financial entities are additionally required to conduct Threat-Led Penetration Testing (TLPT) at least every three years. TLPT is a structured, intelligence-led assessment of an institution’s ICT defences conducted by qualified external testers, and must follow the TIBER-EU framework or an equivalent national framework recognised by the competent authority.
ICT third-party risk management: DORA introduces detailed requirements for managing the risks associated with ICT third-party service providers. Financial entities must maintain a register of all ICT third-party arrangements, assess the concentration risk arising from dependencies on individual providers, and ensure that contracts with ICT providers include mandatory provisions covering service levels, audit rights, data location, business continuity, and termination rights. For arrangements with critical third-party providers, the European Supervisory Authorities (ESAs) have direct oversight powers, including the ability to conduct inspections and issue recommendations.
Information sharing: DORA encourages financial entities to participate in voluntary information sharing arrangements to exchange cyber threat intelligence, attack indicators, and resilience insights with other financial institutions. Participation in such arrangements is voluntary but recognised as a good practice indicator by supervisory authorities. Information shared within these arrangements benefits from defined legal protections to encourage open sharing without creating regulatory or liability exposure for participating institutions.
Key Differences Between DORA and Existing Frameworks
DORA differs from pre-existing ICT risk guidelines issued by the EBA and ESMA in several important respects. It is a directly applicable regulation rather than a guideline, meaning compliance is legally mandatory rather than a matter of supervisory expectation. It extends regulatory requirements to ICT third-party providers directly, rather than relying solely on contractual obligations imposed by financial entities. It introduces mandatory TLPT for significant institutions, which was previously voluntary under the TIBER-EU framework. It also establishes a single, harmonised incident reporting framework replacing the inconsistent national approaches that preceded it.
FAQ:
What is the difference between DORA and NIS2?
- NIS2 (the Network and Information Systems Directive 2) is an EU cybersecurity directive that applies broadly across critical infrastructure sectors, including financial services, energy, transport, and healthcare. DORA is a sector-specific regulation that applies exclusively to financial entities and their ICT third-party providers. Where both NIS2 and DORA apply to the same entity, DORA takes precedence for financial sector entities under the lex specialis principle, meaning DORA’s requirements are treated as the applicable standard for ICT and cybersecurity risk management in the financial sector. Financial entities subject to DORA are considered to comply with the equivalent NIS2 requirements through their DORA compliance.
What are the supervisory consequences of non-compliance with DORA?
- Financial entities that fail to comply with DORA are subject to enforcement action by their national competent authority. Supervisory measures can include binding directions to remediate identified deficiencies, restrictions on business activities, and financial penalties. For critical ICT third-party providers subject to direct ESA oversight, penalties can reach up to one percent of average daily worldwide turnover, applied on a daily basis until compliance is achieved. For financial entities, the penalty framework is defined by national implementing measures, and varies across member states. Non-compliance findings may also be published by the competent authority, creating reputational risk alongside the direct regulatory consequences.