Digital Operational Resilience
The ability of a financial entity to build, assure, and review its operational integrity and reliability by ensuring the full range of ICT-related capabilities needed to address the security of its network and information systems, and which support the continued provision of financial services, including throughout disruptions.
Full Definition
Digital operational resilience is the central concept of the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), which has applied since 17 January 2025. Article 3(1) of DORA defines it as the ability of a financial entity to build, assure, and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions. The final clause matters in practice: resilience is measured not only by preventing incidents but by keeping critical functions available while an incident is under way.
DORA establishes a comprehensive framework built on five pillars, corresponding to Chapters II to VI of the regulation: ICT risk management (a governance and control framework covering identification of ICT assets, protection and prevention, detection, response and recovery, and backup and restoration); ICT-related incident management, classification, and reporting (classifying incidents against harmonised criteria and reporting major ICT-related incidents to the competent authority through an initial notification, an intermediate report, and a final report); digital operational resilience testing (a testing programme for all entities, plus threat-led penetration testing at least every three years for financial entities identified by their competent authorities); managing ICT third-party risk (contractual requirements for ICT service providers, a register of information on all contractual arrangements, and an oversight framework under which critical ICT third-party service providers are supervised directly by a Lead Overseer); and information-sharing arrangements (voluntary exchange of cyber threat information and intelligence between financial entities).
The regulation applies to a wide range of financial entities, including credit institutions, investment firms, insurance and reinsurance undertakings, payment institutions, electronic money institutions, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds and UCITS management companies, and crypto-asset service providers. ICT third-party service providers are also within scope, and those designated as critical by the European Supervisory Authorities fall under the oversight framework.
DORA represents the EU's recognition that the financial sector's increasing dependence on technology and on a concentrated set of ICT third-party providers creates systemic vulnerabilities that require a harmonised regulatory response. Before DORA, digital operational resilience requirements were fragmented across various sectoral directives and national regulations. Because DORA is a regulation rather than a directive, it applies directly in all Member States without national transposition, and it aims to eliminate regulatory gaps and ensure that all financial entities maintain a consistent level of digital operational resilience.