The EU Digital Operational Resilience Act (DORA) is a regulation introduced by the European Union to strengthen the digital resilience of financial entities. DORA entered into application on January 17, 2025 and ensures that banks, insurance companies, investment firms and other financial entities can withstand, respond to, and recover from ICT (Information and Communication Technology) disruptions, such as cyberattacks or system failures.
DORA creates a comprehensive framework for managing ICT risks in the EU financial sector. It aims to improve ICT risk management in the financial services sector and harmonize regulations across EU member states. Prior to DORA, EU regulations mainly focused on capital for operational risks, with inconsistent ICT and security guidelines across countries. DORA is supplemented by a number of binding Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that provide harmonized standards and practical guidelines on effective implementation of the regulatory requirements.
Who does DORA apply to?
DORA applies to a broad range of financial entities, including banks, credit and payment institutions, investment firms, trading venues and central securities depositories, as well as newer categories such as crypto-asset service providers and crowdfunding platforms. A few categories are excluded outright, for example managers of alternative investment funds that qualify for the exemption under Article 3(2) of the AIFMD. DORA also applies proportionately: certain small and non-complex entities, such as small and non-interconnected investment firms, are subject to a simplified ICT risk management framework rather than the full set of requirements, depending on their size, risk profile and operational complexity. One distinctive and impactful aspect of DORA is that it reaches beyond financial entities to the ICT providers that service the financial sector, such as cloud service providers and data centers: the most important of these can be designated as critical ICT third-party providers and placed under direct oversight by the European Supervisory Authorities.
The Five Pillars of DORA
DORA introduces firm rules on ICT risk management, incident reporting, resilience testing, and oversight of third-party providers. Rather than a one-size-fits-all approach, compliance depends on factors like company size, risk tolerance, and the type of ICT systems used. However, at its core, DORA is built around five key pillars that form the foundation of a strong operational resilience framework:
ICT Risk Management: Financial entities are required to implement robust Information and Communication Technology (ICT) risk management frameworks, with the management body bearing final responsibility for ICT risk. These frameworks should be integrated into the overall risk management strategy and cover identification, protection, detection, response and recovery measures, backed by documented policies, business continuity plans and regular review.
ICT Incident Reporting: DORA mandates a structured process for detecting, classifying and reporting ICT-related incidents. Incidents are classified using criteria such as the number of clients affected, duration and service downtime, geographical spread, data losses, criticality of the affected services and economic impact. Incidents classified as major must be reported to the competent authority within prescribed deadlines through an initial notification, an intermediate report and a final report describing impact, root cause and response actions.
Digital Operational Resilience Testing: Regular testing of digital operational resilience is a core requirement under DORA. Financial entities must subject their ICT systems and processes to regular testing, such as vulnerability assessments, scenario-based tests and penetration tests, to assess their resilience against cyberattacks and system failures. Entities identified by their competent authority must additionally carry out threat-led penetration testing (TLPT) on live production systems at least every three years.
Information and Intelligence Sharing: DORA encourages financial entities to exchange cyber threat information and intelligence, including indicators of compromise, tactics, techniques and procedures, and security alerts, within trusted communities under voluntary arrangements that protect the confidentiality of what is shared.
ICT Third-Party Risk Management: DORA also places significant emphasis on managing risks arising from third-party ICT service providers. Financial entities are required to implement robust frameworks for assessing and monitoring these risks, including pre-contractual due diligence, mandatory contractual provisions (such as audit and access rights, service levels and exit strategies), assessment of concentration risk, and a register of information on all contractual arrangements with ICT third-party providers that must be made available to the competent authority on request.
Impact of DORA
DORA also affects pension schemes. Institutions for occupational retirement provision that operate pension schemes with no more than 15 members in total are out of scope, while those operating schemes with more than 15 but no more than 100 members are subject to the simplified ICT risk management framework. More broadly, DORA aims to improve the digital operational resilience of financial entities in the EU and their ICT suppliers, and to create a uniform regulatory framework across the EU that reduces susceptibility to cyber threats across the entire value chain of the financial sector. By harmonizing national rules on the security of IT systems in the financial sector, it strengthens the European financial market as a whole against cyber risks and ICT incidents.
DORA compliance is now in effect and mandatory for fintech companies, financial institutions and in-scope ICT providers across the EU. With over 22,000 businesses affected, DORA sets clear expectations for how firms must manage operational resilience and protect against cyber threats. As attackers have become more sophisticated, regulation has followed: DORA is designed to ensure that businesses have the security measures in place to handle disruptions, prevent data breaches and stay operational under pressure.