EU Regulation 2022/2554

DORA Regulation

The Digital Operational Resilience Act ensures financial entities can withstand, respond to, and recover from ICT-related disruptions and threats.

Start DORA Assessment View Requirements

Entity types

Financial sector

4hrs

Initial report

Major incidents

3yr

Testing cycle

Threat-led penetration

2025

Effective date

January 17th

Who Must Comply with DORA?

DORA applies to virtually all regulated financial entities in the EU and their critical ICT service providers.

Banking & Credit

Credit institutions
Payment institutions
E-money institutions
Account information providers

Investment & Trading

Investment firms
Trading venues
Central counterparties
Trade repositories

Insurance & Pensions

Insurance companies
Reinsurance companies
Insurance intermediaries
Pension funds

Critical ICT Third-Party Providers (cloud platforms, data analytics, SaaS providers) serving financial entities are also directly regulated under DORA.

Five Pillars of DORA

DORA is built on five key pillars that ensure comprehensive digital operational resilience

ICT Risk Management

Comprehensive framework for identifying, protecting, detecting, responding to, and recovering from ICT risks. Includes governance, policies, and procedures.

ICT Incident Reporting

Harmonized incident classification, reporting to regulators within strict timelines, and information sharing with other financial entities.

Digital Operational Resilience Testing

Regular testing including vulnerability assessments, scenario-based testing, and threat-led penetration testing (TLPT) every 3 years.

ICT Third-Party Risk Management

Due diligence on ICT providers, contractual arrangements, exit strategies, and oversight of critical third-party providers.

Information Sharing

Voluntary sharing of cyber threat intelligence and information between financial entities to improve collective resilience.

Major ICT Incident Reporting

DORA establishes strict timelines for reporting major ICT-related incidents.

4 hours

Initial Notification

First alert to competent authority after classifying as major

72 hours

Intermediate Report

Status update with preliminary root cause and impact

1 month

Final Report

Full analysis, root cause, remediation measures taken

How Dependra Helps with DORA

Our platform helps financial institutions manage ICT third-party risk and maintain operational resilience.

Inventory all ICT third-party service providers
Assess vendor concentration and criticality
Monitor provider security posture
Identify EU-based alternatives for critical services
Generate DORA compliance documentation
Track contractual requirements and exit strategies

Start DORA Assessment

ICT Risk Score: 91/100

2 Critical providers identified

Related Regulations

GDPR

Data protection regulation

NIS2

Network and information security

PCI DSS

Payment card security standard

ISO 27001

Information security management

SOC 2

Service organization controls

ePrivacy

Electronic communications privacy

Official Resources

DORA Regulation Full Text

Official EU legislation

European Supervisory Authorities

EBA, ESMA, EIOPA guidance

DORA Quick Facts

Full Name: Digital Operational Resilience Act
Regulation Number: EU 2022/2554
Adopted: November 16, 2022
Application Date: January 17, 2025
Scope: EU Financial Sector

Ready for DORA Compliance?

Ensure your financial institution meets ICT risk management requirements.

Start DORA Assessment View Demo