DORA – Digital Operational Resilience Act

Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA)

Status: In force | Effective: 17/01/2025 | Scope: EU-wide | Type: EU Regulation

Overview

The Digital Operational Resilience Act (DORA) is an EU regulation that establishes uniform requirements for digital operational resilience in the financial sector. DORA has applied since 17 January 2025 and, as a regulation, is directly applicable in all EU member states.

Who Is Affected?

DORA covers virtually all regulated financial entities:

  • Credit institutions and payment service providers
  • Investment firms and trading venues
  • Insurance and reinsurance undertakings
  • Credit rating agencies and trade repositories
  • Management companies and alternative investment funds
  • Critical ICT third-party service providers (e.g. cloud providers)

Core Obligations

  1. ICT risk management: Comprehensive framework for identification, protection, detection, response, and recovery
  2. ICT incident reporting: Report major ICT-related incidents to the competent supervisory authority
  3. Digital resilience testing: Regular testing, including threat-led penetration testing (TLPT) for systemically important institutions
  4. ICT third-party risk: Contractual safeguards and oversight of ICT service providers
  5. Information sharing: Voluntary exchange of threat intelligence between financial entities

National Transposition

As an EU regulation, DORA applies directly and does not require national transposition. In the DACH region:

  • Germany: BaFin oversees compliance; existing MaRisk/BAIT frameworks are supplemented by DORA
  • Austria: FMA as the competent supervisory authority
  • Switzerland: Not directly affected (non-EU member) but FINMA aligns with comparable standards

DORA: Does it affect you?

Find out if and how this regulation affects your company – we're happy to advise you.

Frequently Asked Questions

Who is affected by DORA?

All regulated financial entities in the EU, including banks, insurers, investment firms, payment service providers, and critical ICT third-party service providers.

When does DORA apply?

DORA has applied since 17 January 2025. As a regulation, it is directly applicable and does not need to be transposed into national law.

What are the core obligations under DORA?

ICT risk management, ICT incident reporting, digital resilience testing (including threat-led penetration testing), and ICT third-party risk management.