DORA
What is DORA?
EU Regulation 2022/2554 on Digital Operational Resilience for the financial sector, applicable from 17 January 2025.
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is a directly applicable EU regulation that harmonises ICT risk-management, incident-reporting, resilience-testing and third-party risk obligations for financial entities. Adopted in December 2022, DORA applies from 17 January 2025 and covers banks, payment institutions, insurers, investment firms, crypto-asset service providers and critical ICT third-party providers. It mandates a documented ICT risk-management framework, classification and reporting of major ICT-related incidents, threat-led penetration testing (TLPT) for significant firms, and contractual safeguards for outsourcing to ICT providers. The European Supervisory Authorities (EBA, EIOPA, ESMA) issue technical standards and oversee critical providers.
● Examples
- A European retail bank conducting a threat-led penetration test (TLPT) and reporting a major ICT incident within the regulatory deadlines.
- A cloud provider designated as a critical ICT third-party provider subject to direct EU oversight.
● Frequently asked questions
What is DORA?
EU Regulation 2022/2554 on Digital Operational Resilience for the financial sector, applicable from 17 January 2025. It belongs to the Compliance & Frameworks category of cybersecurity.
How do you comply with DORA?
Compliance with DORA combines technical controls and operational practices: a documented ICT risk-management framework, classification and reporting of major ICT-related incidents, threat-led penetration testing for significant firms, and contractual safeguards for ICT third-party providers, as detailed in the full definition above.
What are other names for DORA?
Common alternative names include: Digital Operational Resilience Act, Regulation (EU) 2022/2554.
● Related terms
- NIS2 Directive (compliance): EU Directive 2022/2555 that raises baseline cybersecurity requirements and incident-reporting obligations for essential and important entities across the Union.
- Third-Party Risk Management (TPRM) (compliance): The end-to-end discipline of identifying, assessing, contracting, monitoring, and offboarding third parties so that the cyber, operational, and compliance risks they introduce stay within appetite.
- Incident Response Plan (forensics-ir): A documented, approved playbook that defines how an organisation prepares for, detects, contains, eradicates, recovers from, and learns from cyber incidents.
- Penetration Testing (defense-ops): An authorised, simulated cyberattack against systems, applications, or people to identify exploitable weaknesses before real adversaries do.
- GDPR (compliance): The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.