What is DORA?

Digital Operational Resilience Act

DORA (Digital Operational Resilience Act) is an EU regulation (Regulation (EU) 2022/2554) that establishes a comprehensive framework for managing information and communication technology (ICT) risks in the financial sector. It requires financial entities — including banks, insurers, investment firms, and crypto-asset service providers — to implement robust ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management frameworks.

Why DORA Matters

As financial services become increasingly digital, the risk of ICT disruptions, cyberattacks, and technology failures has grown exponentially. DORA addresses the reality that a single ICT incident can cascade across interconnected financial systems, potentially causing systemic harm. Before DORA, ICT risk management requirements were scattered across various EU directives and national rules, creating inconsistencies and gaps. DORA creates a unified, comprehensive framework that ensures all financial entities — regardless of size or type — maintain adequate digital operational resilience.

Regulatory Implications

DORA establishes five key pillars of digital operational resilience:

How DORA Relates to Compliance Monitoring

DORA applies from January 17, 2025, and the European Supervisory Authorities (ESAs) continue to finalize technical standards and guidelines. Compliance teams must track developments from ESMA, EBA, and EIOPA, as well as national competent authorities implementing supervisory approaches. RegPulse monitors all DORA-related publications, helping your team navigate the evolving requirements across ICT risk management, incident reporting, and third-party oversight.


Frequently Asked Questions

DORA applies to virtually all regulated financial entities in the EU, including credit institutions, investment firms, payment institutions, electronic money institutions, insurance companies, crypto-asset service providers (CASPs), central securities depositories, and trading venues. It also applies to critical ICT third-party service providers designated by European Supervisory Authorities.

DORA entered into force on January 16, 2023, and applies from January 17, 2025. Financial entities must be fully compliant by this date. The European Supervisory Authorities have been publishing regulatory technical standards (RTS) and implementing technical standards (ITS) throughout 2023-2024 to detail specific requirements.

Cloud service providers serving EU financial entities may be designated as critical ICT third-party service providers and become subject to direct oversight by an EU Lead Overseer. Even non-designated providers face indirect requirements through their financial entity clients, who must ensure contractual provisions, audit rights, and exit strategies are in place.

📖 Related Terms

AMLD6 · Electronic Money Institution (EMI) · MiCA · PSD2

⚖️ Related Regulations

DORA Regulation · MiCA Regulation · ESMA Oversight
