DORA - Digital Operational Resilience Act

Comprehensive guide to DORA (Regulation EU 2022/2554). Understand ICT risk management, incident reporting, resilience testing, and third-party risk obligations for financial entities. Reversa helps you achieve DORA compliance.

Key Figures

22,000+: Financial entities in scope across the EU
5: Core regulatory pillars
Jan 2025: Full application date
1%: Daily turnover penalty for critical ICT providers

Overview

What is this regulation?

The Digital Operational Resilience Act (DORA), formally Regulation (EU) 2022/2554, establishes a comprehensive framework for managing ICT (Information and Communication Technology) risks in the European financial sector. DORA recognizes that financial entities are deeply dependent on digital technologies and that ICT disruptions can have systemic consequences for the entire financial system. The regulation harmonizes ICT risk management rules across the EU, replacing the fragmented national approaches that previously existed.

DORA applies to virtually all regulated financial entities - including banks, insurance companies, investment firms, payment institutions, crypto-asset service providers - and to critical ICT third-party service providers. It creates a unified supervisory approach to digital operational resilience, ensuring that all financial entities can withstand, respond to, and recover from ICT-related disruptions.

The regulation covers five core pillars: ICT risk management frameworks, ICT-related incident reporting, digital operational resilience testing, managing ICT third-party risk, and information-sharing arrangements. DORA entered into force on January 16, 2023, and has been applicable since January 17, 2025, making compliance an immediate priority for the European financial sector.

Who does it affect?

Organizations and roles impacted by this regulation

1. Credit institutions (banks) and payment institutions operating in the EU
2. Investment firms, trading venues, and central counterparties
3. Insurance and reinsurance undertakings
4. Crypto-asset service providers authorized under MiCA
5. Critical ICT third-party service providers (including cloud providers)

Key Obligations

Core compliance requirements organizations must address

01. ICT Risk Management Framework

Financial entities must establish and maintain a comprehensive ICT risk management framework covering identification, protection, detection, response, and recovery capabilities. The management body bears ultimate responsibility and must approve, oversee, and be held accountable for the ICT risk strategy.

02. ICT Incident Reporting

Entities must classify ICT-related incidents using defined criteria, report major incidents to competent authorities within strict timelines (initial notification, intermediate report, and final report), and notify affected clients when incidents impact their financial interests.

03. Digital Operational Resilience Testing

All financial entities must conduct basic ICT testing (vulnerability assessments, scenario-based tests, penetration testing). Significant entities must also perform advanced threat-led penetration testing (TLPT) at least every three years, using qualified external testers following the TIBER-EU framework.

04. Third-Party ICT Risk Management

Financial entities must maintain a register of all ICT third-party service providers, conduct due diligence before outsourcing, include specific contractual provisions, and manage concentration risk. Critical ICT providers will be subject to direct EU oversight through a Lead Overseer designated by the European Supervisory Authorities.

05. Information Sharing

DORA encourages financial entities to participate in voluntary cyber threat intelligence sharing arrangements to collectively enhance digital operational resilience and raise awareness of ICT risks across the financial sector.

06. Governance and Accountability

Management bodies must approve ICT risk management strategies, allocate adequate budgets, undertake regular ICT risk training, and be personally accountable for DORA compliance. Board members must maintain sufficient knowledge and skills regarding ICT risks.

Penalties for Non-Compliance

DORA empowers national competent authorities to impose administrative penalties and remedial measures for non-compliance. While the regulation does not specify fixed penalty amounts (leaving this to national transposition measures and supervisory discretion), penalties can include public statements identifying the responsible entity, orders to cease non-compliant conduct, and significant administrative fines. For critical ICT third-party service providers under the Lead Overseer framework, periodic penalty payments of up to 1% of average daily worldwide turnover can be imposed for each day of non-compliance, for up to six months. The real risk extends beyond financial penalties: failure to maintain digital operational resilience can result in service disruptions, customer harm, and systemic risk - all of which carry severe reputational and business consequences.

Implementation Timeline

Key milestones and compliance deadlines

Sept 2020: European Commission publishes the Digital Finance Package, including the DORA legislative proposal

Nov 2022: DORA regulation adopted by the European Parliament and the Council

Jan 2023: DORA enters into force - 24-month implementation period begins

Jan 2024: European Supervisory Authorities publish first batch of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS)

Jan 2025: DORA becomes fully applicable - all financial entities must be compliant

How Reversa Helps

Purpose-built tools for navigating this regulation with confidence

Regulatory Radar

24/7 monitoring of hundreds of official sources - ESAs, national competent authorities, and supervisory bodies. Receive same-morning notifications when DORA-related RTS/ITS updates, guidelines, or enforcement actions are published.

AI-Powered Analysis

Deep-dive regulatory impact analysis with sector-specialized AI agents that extract concrete DORA obligations - from ICT risk management requirements to incident reporting timelines relevant to your entity type.

Legislative Twins

Map DORA obligations to your organization's specific context - creating digital representations of how the regulation affects your entity based on your classification, size, and ICT risk profile.

Automated Reporting

Generate newsletters, compliance radars, and reports for committees and stakeholders automatically - keeping your team aligned on DORA developments and supervisory expectations without manual effort.

Frequently Asked Questions

Common questions about this regulation

When did DORA become applicable?

DORA became fully applicable on January 17, 2025. The regulation entered into force on January 16, 2023, providing a 24-month implementation period. All in-scope financial entities and critical ICT third-party service providers must now be compliant with all DORA requirements.

Who needs to comply with DORA?

DORA applies to virtually all regulated financial entities in the EU: banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, trading venues, central securities depositories, and more - over 22,000 entities in total. It also applies to critical ICT third-party service providers serving the financial sector, including major cloud computing providers.

How does DORA relate to NIS2?

DORA is considered lex specialis (sector-specific law) to NIS2 for the financial sector. This means that where DORA provisions cover the same ground as NIS2 (such as incident reporting or risk management), DORA requirements take precedence for financial entities. However, NIS2 may still apply to aspects not specifically covered by DORA. Financial entities should assess both regulations to ensure comprehensive compliance.

What is threat-led penetration testing (TLPT) under DORA?

TLPT is an advanced form of security testing required by DORA for significant financial entities. Based on the TIBER-EU framework, TLPT involves red team exercises that simulate real-world cyberattacks against an entity's critical functions and systems. TLPT must be conducted by qualified external testers at least every three years, covering several critical or important functions identified by the entity.

How can Reversa help with DORA compliance?

Reversa supports DORA compliance through its Regulatory Radar (24/7 monitoring of ESA publications, RTS/ITS updates, and supervisory guidance), AI-Powered Analysis (sector-specialized agents that extract concrete DORA obligations from regulatory texts), Legislative Twins (mapping how DORA requirements affect your specific entity type and ICT risk profile), and Automated Reporting (generating compliance radars and reports for committees and stakeholders). Reversa keeps your DORA compliance posture current as new technical standards and guidance are published.

Master DORA Compliance with Reversa

From ICT risk management to third-party oversight - navigate DORA with confidence.
