{"id":21978,"date":"2026-07-06T09:00:00","date_gmt":"2026-07-06T09:00:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/07\/06\/what-is-dora-definition-obligations-deadlines\/"},"modified":"2026-07-11T07:30:31","modified_gmt":"2026-07-11T07:30:31","slug":"what-is-dora-definition-obligations-deadlines","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/07\/06\/what-is-dora-definition-obligations-deadlines\/","title":{"rendered":"What Is DORA? Definition, Obligations, and Deadlines"},"content":{"rendered":"<div class=\"st-definition\">\n<p><strong>What is DORA?<\/strong> The Digital Operational Resilience Act, Regulation (EU) 2022\/2554, is an EU legislative act concerning digital operational resilience in the financial sector. It obliges financial entities to uniformly manage their ICT risks, report serious incidents, conduct regular resilience tests, and supervise their ICT service providers. DORA has been applicable since January 17, 2025 across all member states.<\/p>\n<\/div>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Takeaways<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">Legal nature:<\/strong> DORA is a regulation and has been applicable since January 17, 2025. No national transposition is required, unlike a directive.<\/li>\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">Scope:<\/strong> the entire financial sector, from banks and insurers to securities and payment service providers, crypto service providers, and asset managers.<\/li>\n<li style=\"margin-bottom:0;\"><strong style=\"color:#69d8ed;\">Core:<\/strong> five areas covering ICT risk management, incident reporting, resilience testing, and third\u2011party risk.<\/li>\n<\/ul>\n<\/div>\n<h2>What DORA Actually Means<\/h2>\n<p>DORA establishes a unified EU framework for the digital resilience of the financial sector. Before DORA, managing ICT risks was scattered across numerous national rules and supervisory requirements. The regulation consolidates these requirements and makes them equally binding in all member states. As a regulation, DORA applies directly, without the need for national legislation to bring it into force.<\/p>\n<div data-element=\"key_number\" style=\"background:#003340;border:1px solid rgba(105,216,237,0.28);border-radius:10px;padding:28px 24px;margin:32px 0;text-align:center;\">\n<div style=\"font-size:1.6em;font-weight:800;color:#69d8ed;line-height:1.05;word-break:keep-all;\">17. Jan. 2025<\/div>\n<p style=\"margin:10px 0 0;font-size:0.92em;color:#e6e3da;\">DORA directly applicable<\/p>\n<p style=\"margin:6px 0 0;font-size:0.78em;color:#8fa3ab;\">Regulation (EU) 2022\/2554<\/p>\n<\/div>\n<p>DORA has been applicable since January 17, 2025. Affected financial institutions must fully meet the requirements as of this date. The regulation is detailed by technical regulatory and implementing standards (RTS and ITS) of the European supervisory authorities, which specify individual obligations in detail.<\/p>\n<p>The framework rests on five pillars. First, ICT risk management with a governance framework for which the management bodies are responsible. Second, a procedure to classify ICT\u2011related incidents and report serious incidents to the competent authority. Third, regular tests of digital resilience. Fourth, managing the risk from ICT third\u2011party service providers, including a register and contractual minimum requirements. Fifth, voluntary exchange about cyber threats among financial institutions.<\/p>\n<h2>Who is affected<\/h2>\n<p>The Digital Operational Resilience Act (DORA) applies to a broad range of financial firms and goes well beyond banks. It covers, among other things, credit institutions, insurers and reinsurers, securities firms, payment and e\u2011money institutions, providers of crypto services, asset managers and other regulated market participants. For small and non\u2011interconnected firms, the regulation provides simplified requirements in certain respects.<\/p>\n<p>A distinctive feature of DORA is its focus beyond individual financial firms. Critical information and communication technology (ICT) third\u2011party providers, such as large cloud or infrastructure providers, can be placed under direct EU\u2011level supervision. The classification of such critical providers follows a formal procedure by European regulators, which is still being developed. The process is ongoing, and a definitive public list has not yet been published.<\/p>\n<p>In Germany, implementation is primarily the responsibility of BaFin (Federal Financial Supervisory Authority) and, for institutions under joint European supervision, the German Federal Bank (Bundesbank). At EU level, the three European regulators-EBA (European Banking Authority), ESMA (European Securities and Markets Authority) and EIOPA (European Insurance and Occupational Pensions Authority)-work together in a Joint Committee and oversee the framework for critical ICT third\u2011party providers.<\/p>\n<h2>What Companies Must Check Now<\/h2>\n<p>Affected financial firms should first audit their governance framework for ICT risks. The management board holds responsibility and must approve and monitor the digital resilience strategy. This leads into a full inventory of their own ICT systems, processes and dependencies.<\/p>\n<div data-element=\"checklist\" style=\"background:#23261f;border:1px solid rgba(105,216,237,0.22);border-radius:10px;padding:22px 24px;margin:32px 0;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 2px 10px rgba(0,0,0,0.22);\">\n<p style=\"margin:0 0 12px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.72em;letter-spacing:0.12em;text-transform:uppercase;color:#69d8ed;\">Check Now<\/p>\n<ul style=\"margin:0;padding-left:0;list-style:none;\">\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Audit the ICT risk governance framework and secure board approval<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Catalogue ICT systems, processes and dependencies<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Create a register of ICT service providers and adjust contracts<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Establish a procedure for reporting serious ICT incidents<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Clarify whether Threat\u2011Led Penetration Testing applies<\/li>\n<\/ul>\n<\/div>\n<p>A central point is the register of ICT service providers. Companies must identify which vendors provide which functions and adapt their contracts to meet the regulation\u2019s minimum requirements. At the same time, a process for classifying and reporting serious ICT incidents must be set up, with clear internal escalation paths to the competent authority.<\/p>\n<p>The register of information contracts is not a one\u2011off document but a continuously verified proof. BaFin and European authorities collect these registers to spot market concentration risks, such as many institutions\u2019 reliance on a handful of major cloud providers. A poorly maintained register not only invites regulatory censure but also leaves firms blind to critical dependencies. Likewise, sub\u2011contractor risk comes to the fore: a service provider that outsources significant portions to third parties must disclose that chain.<\/p>\n<p>When it comes to testing, DORA distinguishes between routine baseline tests for all affected firms and threat\u2011led penetration testing (TLPT). These demanding assessments are not mandatory for every company. They apply to entities deemed significant and must be carried out on a regular basis, roughly every three years. Firms should early on clarify whether they fall into that category.<\/p>\n<h2>Distinguishing from Related Terms<\/h2>\n<p>DORA and the NIS2 Directive are frequently discussed together, yet they serve distinct purposes. NIS2 is a directive with broad sectoral coverage, transposed into national law. DORA, by contrast, is a directly applicable regulation that targets the financial sector alone and spells out its digital resilience in detail.<\/p>\n<p>For the financial sector, DORA constitutes a more specific rule. Financial firms covered by DORA are therefore exempt from NIS2 obligations. Consequently, these companies are not subject to duplicate requirements from both frameworks. For companies outside the financial sector, NIS2 remains the relevant instrument.<\/p>\n<p>A common misconception is equating DORA with mere contractual clauses for cloud providers. Third\u2011party risk is just one of five areas covered. DORA encompasses the full scope of ICT risk management, incident reporting, testing, and governance. Likewise, DORA applies to a wide range of financial firms, from banks and insurers to payment service providers.<\/p>\n<h2 style=\"padding-top:64px;margin-bottom:20px;\">Frequently Asked Questions<\/h2>\n<p class=\"st-faq-hint\">Every question is locked. A tap unlocks the answer.<\/p>\n<details>\n<summary><strong>Since when does DORA apply?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">DORA has been applicable since January 17, 2025. Affected financial institutions must fully meet the requirements from this date.<\/p>\n<\/details>\n<details>\n<summary><strong>Is DORA a directive or a regulation?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">DORA is a regulation. It applies directly across all EU member states and does not need to be implemented through national laws.<\/p>\n<\/details>\n<details>\n<summary><strong>Must every financial institution conduct a TLPT?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">No. Threat-led penetration testing applies to companies classified as significant and is scheduled there on a regular basis, roughly every three years. However, all affected companies must conduct regular baseline tests.<\/p>\n<\/details>\n<details>\n<summary><strong>Does DORA also apply in addition to NIS2?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">For financial institutions, DORA applies as a more specific regulation. They are therefore exempt from the NIS2 obligations, so there is no duplicate duty from both frameworks.<\/p>\n<\/details>\n<details>\n<summary><strong>Who oversees DORA in Germany?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">In Germany, the primary supervisory authorities are BaFin, the Federal Financial Supervisory Authority, and, for institutions under joint European supervision, the Deutsche Bundesbank (German Federal Bank). Critical IT third\u2011party service providers may additionally fall under EU\u2011level supervision.<\/p>\n<\/details>\n<p><!--ST-LOWER-CARDS lang=en--><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">Editor&#8217;s Picks<\/h3>\n<p><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/29\/dora-in-operation-what-the-regulator-wants-to-see\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/06\/dora-finanzinstitute-resilienz-nachweis-tlpt-cover-hero-250x141.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">DORA in Operation: What the Regulator Wants to See<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/25\/from-when-the-reporting-deadline-clock-really-starts-ticking\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/nis2-dora-dsgvo-meldefristen-vergleich-startpunkt-incident-cover-hero-1-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">From When the Reporting Deadline Clock Really Starts Ticking<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/02\/five-positions-that-require-a-siem-budget\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/security-budget-priorisierung-nis2-paragraf-30-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Five Line Items That Need Budget Before SIEM<\/span><\/span><\/a><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">More from the MBF Media Network<\/h3>\n<p><a href=\"https:\/\/www.cloudmagazin.com\/en\/2026\/06\/29\/kritis-in-the-cloud-what-secures-the-migration\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-kritis-cloud-migration-c5-nis2-dachgeset-70478771.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#0bb7fd;margin-bottom:5px;\">cloudmagazin<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">KRITIS in the Cloud: What Secures the Migration<\/span><\/span><\/a><a href=\"https:\/\/mybusinessfuture.com\/en\/the-ai-oversight-in-germany-now-has-an-address\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-die-ki-aufsicht-in-deutschland-hat-jetzt-91048899-250x141.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#aa8ac2;margin-bottom:5px;\">MyBusinessFuture<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">The AI oversight in Germany now has an address<\/span><\/span><\/a><a href=\"https:\/\/www.digital-chiefs.de\/en\/the-ai-writes-the-code-who-is-liable-for-it\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-ki-generierter-code-haftung-governance-r-68881977-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#e8828d;margin-bottom:5px;\">Digital Chiefs<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">The AI writes the code. Who is liable for it?<\/span><\/span><\/a><!--\/ST-LOWER-CARDS--><\/p>\n","protected":false},"excerpt":{"rendered":"Learn how DORA impacts the financial sector, key compliance requirements since January 2025, and how it differs from NIS2.","protected":false},"author":50,"featured_media":20758,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"DORA regulation","_yoast_wpseo_title":"What Is DORA? Definition, Obligations, and Deadlines","_yoast_wpseo_metadesc":"DORA explained: Who it affects in finance, five key obligations since January 2025, and how it compares to NIS2.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"evm_cvss":0,"evm_risk":0,"evm_casefile":"","evm_primary_cve":"","evm_external_preview_token":"","evm_external_preview_expires":"","_evm_translation_lang":"en","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":[],"footnotes":""},"categories":[263],"tags":[],"class_list":["post-21978","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sicherheitslexikon-en"],"evm_reading_time_minutes":7,"wpml_language":"en","wpml_translation_of":20746,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/21978","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/50"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=21978"}],"version-history":[{"count":1,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/21978\/revisions"}],"predecessor-version":[{"id":21984,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/21978\/revisions\/21984"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/20758"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=21978"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=21978"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=21978"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}