What is DORA?
DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) establishes a comprehensive framework for ICT risk management in the EU financial sector. It entered into force on 16 January 2023 and has applied since 17 January 2025. It creates harmonized, directly applicable requirements for how financial entities manage ICT risk, report ICT-related incidents, test their resilience, and oversee the ICT third-party providers they depend on.
DORA applies to credit institutions, investment firms, insurance and reinsurance undertakings, payment and e-money institutions, crypto-asset service providers, and a range of other financial entities such as trading venues, fund managers, and crowdfunding service providers. It also brings ICT third-party providers designated as critical (CTPPs) under a direct EU-level oversight framework run by the European Supervisory Authorities. It is the most comprehensive EU framework to date for digital operational resilience in financial services.
The Five Pillars of DORA
DORA is built on five interconnected pillars, each with specific requirements and regulatory technical standards.
| Pillar | Scope | Key Requirements |
|---|---|---|
| ICT Risk Management | Governance, identification, protection, detection, response/recovery, learning | Comprehensive ICT risk management framework with board-level oversight |
| ICT Incident Reporting | Classification, notification, harmonized templates | Report major ICT incidents to competent authorities using standardized formats |
| Digital Operational Resilience Testing | Basic testing, advanced TLPT | Regular, risk-based testing program for all ICT systems; entities identified by their competent authority must conduct threat-led penetration testing (TLPT) at least every three years |
| ICT Third-Party Risk Management | Register of arrangements, concentration risk, exit strategies | Maintain register of ICT third-party arrangements; manage concentration risk |
| Information Sharing | Voluntary threat intelligence sharing | Arrangements for sharing cyber threat intelligence with other financial entities |
Applicability
DORA applies broadly across the EU financial sector. Understanding whether your organization falls within scope is the first step toward compliance.
| Entity Type | DORA Applies | TLPT Required |
|---|---|---|
| Credit Institutions | Yes | If identified by the competent authority (Art. 26) |
| Investment Firms | Yes | If identified by the competent authority (Art. 26) |
| Insurance / Reinsurance | Yes | If identified by the competent authority (Art. 26) |
| Payment Institutions | Yes | If identified by the competent authority (Art. 26) |
| Crypto-Asset Service Providers | Yes | If identified by the competent authority (Art. 26) |
| Critical ICT Third-Party Providers | Yes (direct oversight by the ESAs) | Not an own obligation; participate in a financial entity's TLPT when their services are in scope |
ICT Risk Management Framework
DORA requires financial entities to establish a comprehensive ICT risk management framework covering six key areas:
- Governance — board-level responsibility for ICT risk management, including approval of the ICT risk management framework
- Identification — identify, classify, and document all ICT-supported business functions, information assets, and dependencies
- Protection — implement ICT security policies, access controls, encryption, and network security measures
- Detection — establish mechanisms to detect anomalous activities and ICT incidents promptly
- Response and Recovery — develop ICT business continuity plans, response procedures, and recovery capabilities
- Learning — conduct post-incident reviews, share lessons learned, and continuously improve the framework
Readiness Assessment Checklist
Before engaging with regulators or auditors, evaluate where your organization stands against these readiness questions:
- Is an ICT risk management framework documented with board-level governance and oversight?
- Are incident classification and reporting procedures defined using DORA-harmonized templates, covering the initial notification, intermediate report, and final report stages within the prescribed deadlines?
- Is a resilience testing program in place, including TLPT for significant entities?
- Is there a complete register of all ICT third-party arrangements?
- Has a concentration risk assessment been completed for critical ICT third-party providers?
- Are information sharing arrangements established for cyber threat intelligence?
If you can’t confidently answer “yes” to most of these, a readiness sprint will get you there.
Next step: See our control domain breakdown to understand what DORA requires across all five pillars, with evidence examples for each.