DORA: The EU Digital Operational Resilience Act

21 November 2025

EU DORA Regulation compliance overview

What is DORA?

DORA – the Digital Operational Resilience Act – sets out a harmonised approach to digital operational resilience across the EU’s financial sector.

It was published in the Official Journal of the European Union on 27 December 2022 and comprises a regulation and a directive.

The Directive amends a number of existing EU directives relating to the financial sector.

The Regulation sets out network and information systems security requirements for organisations in the financial sector and their third-party ICT (information and communication technology) service providers.

Among other obligations, financial entities are required to:

  • Implement an internal governance and control framework to manage ICT risk. This must be backed up by an incident management process and testing of ICT technologies; and
  • Ensure that contracts with third-party ICT suppliers provide suitable assurance of their information security.

The Regulation also enshrines the principle of proportionality, stating that financial entities should take account of “their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations” when implementing measures to meet their obligations.

The difference between EU directives and regulations

The EU has two types of legal instruments: directives and regulations.

Directives set minimum standards and parameters for the EU, but leave the actual implementation to the member states themselves. When a directive is passed, the EU sets a deadline by which every member state must put the directive into force, whether by law, regulation or other initiative.

Regulations, on the other hand, apply across the EU with the same authority as if they were local laws. Member states may choose to pass their own laws to implement a regulation (often because the regulation requires each state to define some detail individually), but the regulation will apply regardless.

What is the DORA Regulation?

The DORA Regulation (Regulation (EU) 2022/2554 on digital operational resilience for the financial sector) covers three core concepts. At a high level, these are:

  • Risk management
    Financial entities must have a documented ICT risk management framework that “enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience”. This must be backed up by regular testing.
  • Incident management
    Financial entities must have “an ICT-related incident management process to detect, manage and notify ICT-related incidents”. They must also establish “appropriate procedures and processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidents”.
  • Supply chain security
    Financial entities must “manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework”. As well as implementing contractual arrangements that cover third-party risk, they must maintain a register of service providers and report on it to the competent authority every year.

The Regulation also establishes:

  • Requirements in relation to contractual arrangements between financial entities and ICT third-party service providers;
  • Rules for an oversight framework for critical ICT third-party service providers when providing services to financial entities; and
  • Rules on cooperation among supervisory authorities, and on supervision and enforcement.

Who does the DORA Regulation apply to?

The DORA Regulation applies to the EU’s financial sector and suppliers of ICT services to that sector – wherever those suppliers are based.

Financial entities covered by the Regulation include:

  • Credit institutions.
  • Payment institutions.
  • Account information service providers.
  • Electronic money institutions.
  • Investment firms.
  • Crypto-asset service providers and issuers of asset-referenced tokens.
  • Central securities depositories.
  • Central counterparties.
  • Trading venues.
  • Trade repositories.
  • Managers of alternative investment funds.
  • Management companies.
  • Data reporting service providers.
  • Insurance and reinsurance undertakings.
  • Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries.
  • Institutions for occupational retirement provision.
  • Credit rating agencies.
  • Administrators of critical benchmarks.
  • Crowdfunding service providers.
  • Securitisation repositories.

When did the DORA Regulation come into force?

The Regulation entered into force on 16 January 2023 and has applied since 17 January 2025.

Read the full text of the DORA Regulation

How GRC Solutions can help your DORA compliance

We have more than 20 years’ experience helping organisations meet their governance, risk management and compliance objectives.

GRC Solutions is recognised under the following frameworks:

  • CREST certified as ethical security testers.
  • Certified under Cyber Essentials Plus, the UK government-backed cyber security certification scheme.
  • Certified to ISO 27001:2013, the world’s most recognised information security standard.

We can provide all the cyber security and information security services and resources you need to ensure your organisation follows industry-recognised best practice and can demonstrate its compliance with DORA’s information security risk management and testing requirements.

View our full range of UK DORA regulatory compliance products and services

Speak to a DORA expert
We can advise on cyber security and information security best practice. We can also provide an independent, expert assessment of your security and the extent to which it conforms to the DORA requirements. Call us now on +44 (0)333 800 8000 or request a call back using the form below.

FAQs (frequently asked questions)

What is the DORA regulation?

DORA (the Digital Operational Resilience Act) is an EU regulation that sets uniform requirements for the cyber and operational resilience of financial entities and their critical ICT providers. It aims to ensure firms can withstand, respond to and recover from digital disruptions.

What are the 5 pillars of DORA?

The five pillars of DORA are:

  1. ICT risk management.
  2. Incident reporting.
  3. Digital operational resilience testing.
  4. ICT third-party risk management.
  5. Information sharing.

Is DORA a regulation or directive?

DORA is a regulation, not a directive. This means it applies directly across all EU member states without the need for national implementation.

Is DORA applicable in the UK?

Although DORA is an EU regulation, UK-based financial entities serving EU clients or operating within the EU may still fall within scope. If you are based in the UK but provide ICT services to the EU financial sector, it will also apply to you.

How does DORA compare to other global regulations?

DORA is broader and more prescriptive than many frameworks. It aligns with global moves to strengthen financial cyber resilience but stands out for its detailed third-party oversight and testing requirements.

How to comply with DORA regulations?

To comply with DORA, financial entities must implement ICT risk frameworks, establish reporting processes, carry out resilience testing, assess critical suppliers and maintain strong governance. Many organisations use gap analysis and readiness assessments to prepare.