What is DORA (Digital Operational Resilience Act)?
DORA is the EU's Digital Operational Resilience Act, Regulation (EU) 2022/2554. It started applying on 17 January 2025 and sets a single rulebook for how EU financial entities — banks, payment institutions, insurers, investment firms, crypto-asset providers — and their critical ICT third-party suppliers manage technology risk. The five pillars are ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing. Penalties can reach 2% of global annual turnover, and the regime reaches non-EU suppliers who serve EU financial entities: indirectly through contractual obligations, and directly through ESA oversight for designated critical providers.
DORA — the Digital Operational Resilience Act, formally Regulation (EU) 2022/2554 — is the European Union's single rulebook for technology resilience in the financial sector. It was adopted in December 2022, started applying on 17 January 2025, and replaces a patchwork of national supervisory expectations on operational and ICT risk with a directly applicable EU regulation. DORA is built on five pillars: ICT risk management, incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing on cyber threats. The supervisory bite is real: financial entities face administrative penalties set by their national competent authorities, and the EU's three European Supervisory Authorities (ESAs) can designate critical ICT suppliers (including non-EU ones), oversee them directly, and impose periodic penalty payments of up to 1% of average daily worldwide turnover per day of non-compliance.
DORA matters outside the EU because it follows the data, not the borders. A UK SaaS company providing services to a regulated EU bank is in scope as an ICT third-party service provider, even though it isn't a financial entity itself. The bank has to prove it holds the right contractual and oversight controls, and the bank's regulator can ask to see them.
Who's in scope
DORA applies to about 22,000 financial entities and their ICT suppliers across the EU. The financial entity list is broad: credit institutions, payment and e-money institutions, investment firms, crypto-asset service providers, insurers and reinsurers, central counterparties, trading venues, fund managers, credit rating agencies, statutory auditors, and crowdfunding providers, among others.
Small microenterprises (fewer than 10 staff and turnover under €2 million) get a proportionate regime with reduced obligations — they still have to comply, but the documentation and testing requirements are lighter.
ICT third-party service providers come into scope through the contractual chain. A SaaS vendor, a cloud provider, a payment-services platform, a managed security service — if a financial entity depends on you for an ICT service that supports a critical or important function, you're in the contractual chain and you'll see DORA clauses in the master services agreement.
The five pillars
1. ICT risk management
Financial entities have to establish an ICT risk management framework approved and overseen by the management body. The framework covers identification of ICT assets and dependencies, protection and prevention controls, detection mechanisms, response and recovery procedures, learning and evolving processes, and crisis communication. It has to be reviewed annually and after any major ICT-related incident. The board is on the hook — DORA is explicit that ultimate responsibility sits with the management body, not the CISO or the head of operations.
2. ICT-related incident management and reporting
DORA standardises how financial entities classify, log, and report ICT incidents. Major incidents have to be reported to the competent national authority via a three-stage process: an initial notification within strict timeframes (the technical standards set hours, not days), an intermediate report, and a final report. There's a voluntary notification regime for significant cyber threats as well. The ESAs publish the templates and the classification criteria via Regulatory Technical Standards, and the format is consistent across the EU.
3. Digital operational resilience testing
All in-scope financial entities have to run a programme of ICT resilience testing proportionate to their size and risk profile. The basic testing includes vulnerability assessments, penetration tests, scenario-based exercises, and source code reviews. The largest and most systemic entities have to go further with Threat-Led Penetration Testing (TLPT) at least every three years, run by external testers under a framework based on TIBER-EU. TLPT exercises simulate sophisticated, persistent attackers and have to cover live production systems, not test environments.
4. ICT third-party risk management
This is the pillar with the biggest impact on non-EU suppliers. Financial entities have to maintain a register of all ICT third-party contractual arrangements, classify the criticality of each one, and embed specific contractual terms in every contract — service descriptions, locations of data processing, security requirements, audit rights, termination triggers, exit assistance, sub-contracting consent, and incident reporting obligations. The EU has also designated a small number of "critical ICT third-party service providers" (CTPPs) — the largest cloud and software vendors used widely across EU financial services — who are subject to direct oversight by the ESAs.
5. Information sharing
DORA explicitly permits and encourages information-sharing between financial entities on cyber threats and indicators of compromise. Participation is voluntary, but the regulation removes some of the data-protection and competition-law uncertainty that historically discouraged sharing.
Penalties
The penalty regime is split between financial entities and critical ICT third-party providers.
For financial entities, administrative penalties are set by national competent authorities under the national implementing legislation, but DORA requires those penalties to be effective, proportionate, and dissuasive. In practice the headline figures cited in industry coverage — up to 2% of total annual worldwide turnover for the most serious breaches — reflect the upper bound that national supervisors can apply.
For critical ICT third-party providers (the designated CTPPs only), the ESAs themselves can impose periodic penalty payments of up to 1% of average daily worldwide turnover from the preceding business year, applied daily until compliance is achieved, capped at six months. For a large cloud provider, that's a very significant number.
How DORA compares to GDPR and NIS2
GDPR protects personal data. DORA protects the operational continuity of financial services. They overlap when a security incident involves personal data — a ransomware attack on a bank triggers both GDPR breach notification and DORA major incident reporting — but they're not the same regulation and the reports go to different supervisors.
NIS2 (the second Network and Information Security Directive) is the EU's general cybersecurity law for "essential and important entities" across critical sectors including energy, transport, health, and digital infrastructure. Financial entities sit at the intersection: NIS2 applies to them as a general matter, but DORA is lex specialis — where DORA covers a topic, DORA prevails, and the financial entity reports under DORA rather than NIS2 for that topic. The European Banking Authority has published guidance on how to handle the overlap.
Extraterritorial reach: who outside the EU needs to care
DORA doesn't directly regulate non-EU companies. It regulates EU financial entities, and it makes those financial entities responsible for ensuring their ICT supply chain meets DORA's contractual and operational requirements.
The practical consequence is that non-EU vendors who sell ICT services to EU financial entities will see DORA-shaped contract amendments, evidence requests for security controls, incident-notification clauses with specific timing, and audit/inspection rights for the financial entity's regulator. Non-EU vendors who are large enough to be designated as critical ICT third-party providers come under direct ESA supervision regardless of where they're established — the EU has designated providers based in the United States and elsewhere.
For UK financial entities that operate in the EU through subsidiaries or branches, DORA applies to those EU operations directly. The UK has its own "operational resilience" rules from the FCA and PRA that pre-date DORA and cover similar ground but with different deadlines, taxonomy, and reporting routes — the UK rules and DORA aren't a clean one-to-one map.
Paytia is a UK company, so DORA doesn't apply to us directly. It does apply to our customers who are EU-regulated financial entities, and increasingly to the EU subsidiaries of UK and US customers who serve EU end-clients. When one of those customers asks us to evidence Paytia's operational resilience controls under DORA, the practical request is for our contractual terms to include the DORA third-party clauses (location of data processing, audit rights, exit assistance, incident reporting timelines), and for our security and operational documentation to be available to support their own DORA register.
We're honest about the gap: Paytia is not currently designated as a critical ICT third-party provider, and we're not under direct ESA supervision. What we can offer is the DORA-shaped contractual addendum, our PCI DSS Level 1 Attestation of Compliance, our ISO 27001 certification, and the operational evidence (incident response procedures, business continuity testing, sub-processor list, location of data processing) that an EU financial entity needs to satisfy their own DORA obligations on third-party oversight. If you're an EU regulated entity considering Paytia, talk to us early so we can scope the contractual side properly rather than trying to retrofit clauses into a signed agreement.
Frequently Asked Questions
When did DORA come into force?
DORA was adopted on 14 December 2022 and started applying on 17 January 2025. There was a two-year preparation window between adoption and the application date, during which financial entities and their suppliers had to implement the framework. The Regulatory Technical Standards that fill in the operational detail were published during 2023 and 2024 by the European Supervisory Authorities.
Does DORA apply to UK or US companies?
DORA applies directly to EU financial entities. It applies indirectly to non-EU companies that supply ICT services to those financial entities, through contractual obligations the financial entity has to push down to its suppliers. Non-EU companies large enough to be designated as critical ICT third-party providers come under direct EU supervisory oversight regardless of where they're established.
What's the difference between DORA and GDPR?
GDPR protects personal data. DORA protects the operational continuity of EU financial services. A major incident at a bank can trigger both — GDPR for the data breach side, DORA for the operational and ICT risk side — but the reports go to different supervisors and the requirements aren't the same. The two regulations are complementary rather than duplicative: one incident can fall under both, but each imposes its own obligations.
What are the penalties for breaching DORA?
For financial entities, administrative penalties are set by national supervisors under their implementing legislation — industry guidance cites figures up to 2% of total annual worldwide turnover for the most serious breaches. For designated critical ICT third-party providers, the European Supervisory Authorities can impose periodic penalty payments of up to 1% of average daily worldwide turnover, applied daily until compliance is achieved, capped at six months.
What does DORA mean for a non-EU SaaS supplier?
If you sell ICT services to an EU financial entity, expect DORA-shaped clauses in the contract: specific incident notification timelines, audit and inspection rights for the financial entity's regulator, sub-contracting consent, location of data processing, exit assistance, and security controls evidence. You're not directly regulated, but your customer's compliance depends on having the right contractual and operational arrangements with you in place.