What Is DORA? Definition, Obligations, and Deadlines
What is DORA? The Digital Operational Resilience Act, Regulation (EU) 2022/2554, is an EU legislative act concerning digital operational resilience in the financial sector. It obliges financial entities to uniformly manage their ICT risks, report serious incidents, conduct regular resilience tests, and supervise their ICT service providers. DORA has been applicable since January 17, 2025 across all member states.
Key Takeaways
- Legal nature: DORA is a regulation and has been applicable since January 17, 2025. No national transposition is required, unlike a directive.
- Scope: the entire financial sector, from banks and insurers to securities and payment service providers, crypto service providers, and asset managers.
- Core: five areas covering ICT risk management, incident reporting, resilience testing, and third‑party risk.
What DORA Actually Means
DORA establishes a unified EU framework for the digital resilience of the financial sector. Before DORA, managing ICT risks was scattered across numerous national rules and supervisory requirements. The regulation consolidates these requirements and makes them equally binding in all member states. As a regulation, DORA applies directly, without the need for national legislation to bring it into force.
DORA directly applicable
Regulation (EU) 2022/2554
DORA has been applicable since January 17, 2025. Affected financial institutions must fully meet the requirements as of this date. The regulation is detailed by technical regulatory and implementing standards (RTS and ITS) of the European supervisory authorities, which specify individual obligations in detail.
The framework rests on five pillars. First, ICT risk management with a governance framework for which the management bodies are responsible. Second, a procedure to classify ICT‑related incidents and report serious incidents to the competent authority. Third, regular tests of digital resilience. Fourth, managing the risk from ICT third‑party service providers, including a register and contractual minimum requirements. Fifth, voluntary exchange about cyber threats among financial institutions.
Who is affected
The Digital Operational Resilience Act (DORA) applies to a broad range of financial firms and goes well beyond banks. It covers, among other things, credit institutions, insurers and reinsurers, securities firms, payment and e‑money institutions, providers of crypto services, asset managers and other regulated market participants. For small and non‑interconnected firms, the regulation provides simplified requirements in certain respects.
A distinctive feature of DORA is its focus beyond individual financial firms. Critical information and communication technology (ICT) third‑party providers, such as large cloud or infrastructure providers, can be placed under direct EU‑level supervision. The classification of such critical providers follows a formal procedure by European regulators, which is still being developed. The process is ongoing, and a definitive public list has not yet been published.
In Germany, implementation is primarily the responsibility of BaFin (Federal Financial Supervisory Authority) and, for institutions under joint European supervision, the German Federal Bank (Bundesbank). At EU level, the three European regulators-EBA (European Banking Authority), ESMA (European Securities and Markets Authority) and EIOPA (European Insurance and Occupational Pensions Authority)-work together in a Joint Committee and oversee the framework for critical ICT third‑party providers.
What Companies Must Check Now
Affected financial firms should first audit their governance framework for ICT risks. The management board holds responsibility and must approve and monitor the digital resilience strategy. This leads into a full inventory of their own ICT systems, processes and dependencies.
Check Now
- ✓Audit the ICT risk governance framework and secure board approval
- ✓Catalogue ICT systems, processes and dependencies
- ✓Create a register of ICT service providers and adjust contracts
- ✓Establish a procedure for reporting serious ICT incidents
- ✓Clarify whether Threat‑Led Penetration Testing applies
A central point is the register of ICT service providers. Companies must identify which vendors provide which functions and adapt their contracts to meet the regulation’s minimum requirements. At the same time, a process for classifying and reporting serious ICT incidents must be set up, with clear internal escalation paths to the competent authority.
The register of information contracts is not a one‑off document but a continuously verified proof. BaFin and European authorities collect these registers to spot market concentration risks, such as many institutions’ reliance on a handful of major cloud providers. A poorly maintained register not only invites regulatory censure but also leaves firms blind to critical dependencies. Likewise, sub‑contractor risk comes to the fore: a service provider that outsources significant portions to third parties must disclose that chain.
When it comes to testing, DORA distinguishes between routine baseline tests for all affected firms and threat‑led penetration testing (TLPT). These demanding assessments are not mandatory for every company. They apply to entities deemed significant and must be carried out on a regular basis, roughly every three years. Firms should early on clarify whether they fall into that category.
Distinguishing from Related Terms
DORA and the NIS2 Directive are frequently discussed together, yet they serve distinct purposes. NIS2 is a directive with broad sectoral coverage, transposed into national law. DORA, by contrast, is a directly applicable regulation that targets the financial sector alone and spells out its digital resilience in detail.
For the financial sector, DORA constitutes a more specific rule. Financial firms covered by DORA are therefore exempt from NIS2 obligations. Consequently, these companies are not subject to duplicate requirements from both frameworks. For companies outside the financial sector, NIS2 remains the relevant instrument.
A common misconception is equating DORA with mere contractual clauses for cloud providers. Third‑party risk is just one of five areas covered. DORA encompasses the full scope of ICT risk management, incident reporting, testing, and governance. Likewise, DORA applies to a wide range of financial firms, from banks and insurers to payment service providers.
Frequently Asked Questions
Every question is locked. A tap unlocks the answer.
Since when does DORA apply?
DORA has been applicable since January 17, 2025. Affected financial institutions must fully meet the requirements from this date.
Is DORA a directive or a regulation?
DORA is a regulation. It applies directly across all EU member states and does not need to be implemented through national laws.
Must every financial institution conduct a TLPT?
No. Threat-led penetration testing applies to companies classified as significant and is scheduled there on a regular basis, roughly every three years. However, all affected companies must conduct regular baseline tests.
Does DORA also apply in addition to NIS2?
For financial institutions, DORA applies as a more specific regulation. They are therefore exempt from the NIS2 obligations, so there is no duplicate duty from both frameworks.
Who oversees DORA in Germany?
In Germany, the primary supervisory authorities are BaFin, the Federal Financial Supervisory Authority, and, for institutions under joint European supervision, the Deutsche Bundesbank (German Federal Bank). Critical IT third‑party service providers may additionally fall under EU‑level supervision.
Editor’s Picks
Editor’s PickDORA in Operation: What the Regulator Wants to SeeEditor’s PickFrom When the Reporting Deadline Clock Really Starts TickingEditor’s PickFive Line Items That Need Budget Before SIEM
More from the MBF Media Network
cloudmagazinKRITIS in the Cloud: What Secures the MigrationMyBusinessFutureThe AI oversight in Germany now has an addressDigital ChiefsThe AI writes the code. Who is liable for it?





