DORA (Digital Operational Resilience Act)
EU Regulation (2022/2554) on digital operational resilience in the financial sector. Mandatory for 20 categories of financial firms as of January 17, 2025. Regulates ICT risk management, incident reporting, and resilience testing.
The Digital Operational Resilience Act (DORA)—EU Regulation 2022/2554—has been directly applicable in all EU member states since January 17, 2025. Unlike a directive, DORA does not need to be transposed into national law but applies directly. DORA is the first sector-specific EU regulation that explicitly and comprehensively regulates ICT risks in the financial sector. In relation to NIS-2, DORA is considered lex specialis—DORA takes precedence in the financial sector.
What is DORA?
DORA addresses a key vulnerability: financial institutions are heavily dependent on ICT systems and third-party providers, but regulatory requirements for this digital resilience have been fragmented until now. DORA establishes a unified framework for:
- ICT risk management – full lifecycle, from identification to recovery
- ICT incident reporting – harmonized reporting system to financial supervisory authorities
- Resilience testing – regular tests; for significant institutions, TLPT (Threat-Led Penetration Testing)
- ICT third-party management – oversight of cloud providers, data centers, and critical suppliers
- Information sharing – voluntary sharing of threat intelligence within the financial sector
The 5 DORA Pillars
| Pillar | Article | Key Content |
|---|---|---|
| 1. ICT Risk Management | Art. 5–16 | Governance, framework, strategy, protection, detection, response, recovery |
| 2. ICT Incident Reporting | Art. 17–23 | Incident classification, reporting obligations (initial 4h / interim 72h / final 1 month), notification of supervisory authorities |
| 3. Resilience Testing | Art. 24–27 | Annual tests, TLPT for significant institutions every 3 years |
| 4. ICT Third-Party Risk | Art. 28–44 | Contract requirements, ICT third-party register, supervision of critical providers |
| 5. Information Exchange | Art. 45 | Voluntary sharing of cyber threat intelligence |
Affected Entities
DORA applies to 20 categories of financial firms, including:
- Credit institutions (banks)
- Payment institutions and e-money institutions
- Investment firms and trading venues
- Insurance undertakings and insurance intermediaries
- Occupational pension institutions
- Credit rating agencies and data reporting service providers
- Crowdfunding service providers
- Crypto-asset administrators and service providers
- Third-party ICT service providers (critical providers under direct EU supervision)
Simplified requirements apply to smaller companies (micro-enterprises, certain categories) in accordance with the principle of proportionality (Art. 4 DORA).
DORA vs. NIS-2: Lex specialis
In the financial sector, DORA takes precedence over NIS-2 (lex specialis principle). Companies subject to both sets of rules must primarily comply with DORA; NIS-2 supplements DORA only in areas that DORA does not cover.
| Aspect | NIS-2 | DORA |
|---|---|---|
| Scope | 18 sectors | Financial sector (20 categories) |
| Legal form | Directive (implementation required) | Regulation (directly applicable) |
| Reporting obligation | 24h/72h/1M to BSI | 4h/72h/1M to BaFin/EBA |
| Testing | Not specified | TLPT for significant institutions |
| Third-party providers | Supply chain security | ICT third-party register + direct EU supervision |
Reporting Requirements under DORA
The following applies to significant ICT-related incidents:
- 4 hours: Initial report once an incident has been classified as significant (significant impact on services)
- 72 hours: Interim report with an assessment of the incident and the measures taken
- 1 month: Final report with root cause analysis and preventive measures
Report to the competent financial supervisory authority (in Germany: BaFin), which in turn forwards it to the EBA, ESMA, or EIOPA, as well as to other authorities if necessary.
Register of Third-Party ICT Service Providers (Art. 28)
All financial firms subject to DORA must maintain a complete register of their third-party ICT service providers and report it annually to the supervisory authority. ICT third-party service providers classified as critical (e.g., major cloud providers such as AWS, Azure, Google Cloud) are subject to direct EU supervision by the European financial supervisory authorities (EBA, ESMA, EIOPA).