Comprehensive Guide to the DORA Regulation (Digital Operational Resilience Act)

Introduction to DORA

The DORA regulation, short for Digital Operational Resilience Act, is the European Union’s response to the growing risk posed by reliance on technology in the financial sector. Unlike earlier approaches that focused on setting aside capital to cover operational losses, DORA establishes mechanisms to prevent, detect and recover from cybersecurity incidents. The regulation was published in December 2022 and will apply fully as of 17 January 2025.

Context and objectives

DORA was created to fill a regulatory gap: before its introduction, institutions managed operational risk by allocating capital, but this did not address the specific risks of the digital age. The regulation’s objectives include:

  • Establishing a common level of digital operational resilience for all financial entities in the EU.
  • Harmonising ICT risk management, incident reporting, resilience testing and third‑party technology oversight.
  • Encouraging cooperation between authorities through a framework for supervision and coordination.

Entities affected and scope

DORA has a broad reach. It applies to banks, payment institutions, investment firms, insurers and reinsurers, electronic money institutions, crypto‑asset service providers and market infrastructures. It also covers ICT providers serving these entities, including those located outside the EU.

A key feature is the designation of critical third‑party providers (CTPPs). The Commission’s criteria classify as critical those providers serving at least 10 % of financial entities or supporting essential functions of systemic institutions.

The five pillars of DORA

ICT risk management

DORA obliges entities to implement a comprehensive ICT risk management framework that covers identification, protection, detection, response and recovery. This framework should include:

  • A complete inventory of ICT functions and systems.
  • Periodic assessments of vulnerabilities and cyber threats.
  • Clear assignment of responsibilities at management level.

Incident management and reporting

Entities must detect and classify incidents in a standardised way and notify “major” incidents to the competent authorities. The reporting scheme includes:

  • Classification by severity.
  • Rapid communication to authorities and, when appropriate, to customers.
  • Voluntary notification of significant threats.

Digital operational resilience testing

To assess their resilience, entities must conduct regular digital operational resilience tests. These include vulnerability assessments, simulations and threat‑led penetration tests (TLPT) at least every three years for systemic institutions.

Third‑party risk management

This pillar requires comprehensive control of the ICT supply chain:

  • A standardised register of all contracts and subcontracts.
  • Risk assessments prior to contracting an ICT provider.
  • Contracts that include mandatory clauses on security, incident reporting and audit rights.
  • Multi‑vendor strategies to avoid concentration risks.

Information sharing

DORA promotes cooperation between entities through agreements to share intelligence on cyber threats. These agreements must define participation conditions and confidentiality.

Regulatory levels and deadlines

DORA’s implementation follows three levels:

  • Level 1: Regulation (EU) 2022/2554 and Directive (EU) 2022/2556, which establish the general principles.
  • Level 2: Regulatory and implementing technical standards (RTS and ITS) that detail procedures such as incident classification, contract content and information register templates.
  • Level 3: Guidelines and FAQs issued by the supervisory authorities, clarifying practical application.

The regulation entered into force in January 2023, but the mandatory application date is 17 January 2025.

Obligations for financial entities

Financial entities must develop a comprehensive compliance programme that includes:

  • An ICT risk management framework that analyses all functions and threats.
  • Continuous monitoring of systems and tools.
  • Continuity and recovery plans, with segregated backups.
  • Third‑party management, with detailed records of agreements and processes for risk concentration.
  • Classification and reporting of incidents according to harmonised criteria.
  • Involvement of the board of directors and senior management in ICT risk governance.

Obligations for ICT providers and CTPPs

ICT service providers must adapt their processes to support their financial clients’ compliance. Their main responsibilities include:

  • Providing information about their security mechanisms and architecture.
  • Allowing audits and coordinated penetration tests.
  • Notifying incidents and cooperating in crisis management.
  • Adapting contracts to comply with DORA’s mandatory clauses.

If a provider is designated as a critical third‑party provider (CTPP), it will be under the direct supervision of a European supervisory authority and must meet strict governance, security and reporting criteria. Critical providers operating outside the EU must establish a European subsidiary within one year.

Relationship with other regulations

DORA interacts with other EU laws:

  • NIS 2 and the NIS Directive (cybersecurity): provide a general framework, but DORA sets specific requirements for the financial sector.
  • PSD2 and MiCA: contain security obligations for payment and crypto‑asset service providers, complemented by DORA’s incident management and third‑party supervision.
  • UK regime: focuses on principles and outcomes rather than prescriptive rules, whereas DORA is detailed.

Challenges and future perspectives

The short timeframe until January 2025 forces entities and providers to accelerate their compliance projects. Some technical standards are still being finalised, which adds uncertainty. European authorities have run pilot exercises and published FAQs and guidelines to support the transition.

The first list of critical providers is expected in 2025. Amendments and future guidelines, such as the oversight guideline published in July 2025, will continue to evolve the framework. Companies that anticipate and adopt good cyber resilience practices will gain competitive advantages.

Conclusions

DORA is a transformative regulation aimed at strengthening the digital operational resilience of Europe’s financial sector. Its holistic approach—covering risk management, incident reporting, testing, third‑party oversight and cooperation—fills a regulatory gap and adapts supervision to the digital era. Effective implementation will require coordination between financial entities, ICT providers and regulators, but it will lay a solid foundation for a more secure and reliable financial system.