Digital operational resilience for the financial sector (DORA)

DORA aims to enhance the cybersecurity of the financial sector by implementing measures to safeguard against cyberattacks and addressing digital operational risks within the industry.

Purpose: The purpose of DORA is to ensure the resilience of the financial sector against operational disruptions. It establishes uniform requirements that financial entities must adhere to regarding the security of network and information systems.

Scope: DORA applies to a wide range of financial entities, encompassing both traditional institutions such as banks, insurance companies, investment firms, and credit institutions, and non-traditional entities such as crypto-asset service providers and crowdfunding platforms. It also extends to third-party service providers that supply information and communication technology (ICT) systems and services to these financial institutions. As a result, cloud service providers, for example, may also be required to comply with the requirements set out in DORA.

Core obligations: DORA establishes requirements in four main categories: ICT risk management and governance, incident response and reporting, resilience testing, and third-party risk management. By way of example, entities are required to implement mechanisms that effectively detect anomalous activities, classify ICT-related incidents, determine their impact, and report major ICT-related incidents to the relevant competent authority. Financial entities must implement these requirements in a manner proportionate to their size, risk profile, and the nature of the services they provide, among other factors.

Short facts
  • Regulation (EU) 2022/2554 of the European Union and the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA) (EUR-Lex: Regulation 2022/2554, EN)
  • Applies from 17 January 2025
  • Considered EEA-relevant and likely to be implemented