What is the Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act (DORA) is a European Union regulation designed to strengthen cybersecurity and ensure the operational continuity of the financial sector by applying a single set of information and communications technology (ICT) risk requirements to all EU financial entities.
DORA requires every in-scope financial entity, spread across more than 20 entity categories, to operate a documented ICT risk management framework with clearly defined roles and responsibilities. It is a central piece of the European Commission's strategy to strengthen cybersecurity within the EU financial sector.
The act complements the Network and Information Security 2 (NIS2) Directive. Both DORA and NIS2 aim to increase information security at companies, but there are significant differences between the two.
First, NIS2 is a directive: it sets objectives that EU member states must reach, but each member state has to transpose it into national law before it can be applied and enforced. The transposition deadline was Oct. 17, 2024, and at the time of writing only a few member states had completed that step.
DORA, on the other hand, is a regulation, like the EU's General Data Protection Regulation (GDPR). A regulation needs no national transposition; it is directly applicable law in every member state from its application date, so the same rules and deadlines bind every in-scope entity across the EU.
Also, NIS2 broadly targets companies and organizations across 18 sectors essential to a functioning society and economy, including energy, transportation, healthcare, water supply and digital infrastructures. By contrast, DORA focuses exclusively on the financial sector: banks, insurance companies, investment firms and other service providers.
Why is DORA needed?
Financial institutions run almost entirely on digital systems, and they are tightly interconnected through payment, clearing and settlement infrastructure and shared service providers. The sector as a whole must therefore be able to withstand, respond to and recover from every kind of ICT disruption, whether caused by an attack, a software failure or an outage at a supplier. DORA is the legislative blueprint for that resilience, and by raising the baseline it reduces the payoff an attacker can expect from targeting financial institutions.
Moreover, a successful cyberattack on one financial institution can cascade through the system, because its counterparties and customers depend on its continued operation. Incidents must therefore be detected, contained and reported quickly, before they propagate.
Finally, fragmented and inconsistent cybersecurity regulations among EU states created confusion for all business sectors. DORA seeks to build and maintain a unified approach throughout the EU financial sector, collectively managing risks in a consistent manner across national boundaries.
What are the core components of DORA?
DORA's foundation includes five pillars that collectively form a digital resilience framework to shield the EU financial sector. The following are its core components:
- ICT risk management. DORA mandates that financial entities operate a comprehensive framework for managing ICT risk, approved and overseen by the management body. The framework covers regular risk assessments to identify threats and vulnerabilities, proportionate security controls and safeguards, business continuity and incident response plans, and continuous monitoring with periodic review and updating of the framework itself.
- ICT-related incident reporting. Financial entities must maintain processes for detecting, managing and reporting ICT-related incidents. That means monitoring that identifies ICT threats and disruptions promptly, clear internal escalation channels so that incidents reach the right people quickly, a standardized classification scheme that determines which incidents count as major, and root-cause analysis to prevent recurrence. Major ICT-related incidents must be reported to the competent authority in a fixed sequence of initial notification, intermediate report and final report, within the tight deadlines set by the accompanying technical standards.
- Digital operational resilience testing. DORA mandates regular testing of digital operational resilience to verify that existing controls and systems work as intended. All in-scope entities must test their ICT tools and systems at least once a year; financial entities designated by their competent authorities on the basis of their size and systemic importance must additionally undergo threat-led penetration testing (TLPT) at least every three years, following the TIBER-EU approach. Findings from both kinds of testing feed back into the ICT risk management framework.
- Third-party risk management. Financial entities must apply rigorous measures to manage the risks that arise from using ICT third-party service providers. This includes due diligence on prospective and existing providers to confirm that their security measures meet regulatory requirements, contracts that set out clear security, performance and audit terms, and exit strategies for providers that support critical or important functions. Entities must also maintain a register of information covering all of their contractual arrangements with ICT third-party providers, keep continuous oversight mechanisms in place and document the whole third-party risk management process.
- Information and intelligence sharing. To prevent attacks that succeed against one institution from being repeated against others, DORA encourages financial entities to exchange cyberthreat information and intelligence, including indicators of compromise and details of tactics and vulnerabilities, with each other and with the relevant authorities through trusted sharing arrangements.
Which businesses must comply with DORA?
DORA applies to a wide swath of the financial sector, and its reach is not confined to entities established in the EU. Faegre Drinker, a large, longstanding U.S.-based international law firm, advises affected parties to prepare proactively, and lists the following entities as required to comply with DORA:
- Financial entities operating in the EU, including banks, insurance companies and financial entities outside the EU that offer financial services in the EU.
- ICT service providers that supply entities within the scope of DORA.
- Intragroup arrangements, such as when a U.S. parent company provides ICT services to an EU entity within DORA's scope.
- ICT third-party service providers that support what DORA calls "critical or important functions" of financial entities, and in particular the providers that the European Supervisory Authorities designate as critical and place under direct oversight.
DORA's broad scope extends beyond traditional financial institutions. The regulation's goal is a comprehensive framework for digital operational resilience across the financial sector, ensuring critical financial operations are adequately prepared to manage ICT risks, respond to incidents and maintain operational continuity.
Why is DORA legislation important to cybersecurity?
DORA legislation introduces uniform, harmonized governing principles for the management of cyber-risks among EU nations, highlighted by the following:
- A focus on ICT risk as a distinct category, rather than treating it as a component of operational risk to be covered by capital requirements, which earlier rules had done inadequately.
- A coordinated set of rules and standards for ICT risk management across the EU financial sector, replacing fragmented national regulations with a more cohesive approach.
- A mandated, multifaceted approach to managing ICT-related risks, including protection, detection, containment, recovery and repair in the event of cyberincidents.
- Strict oversight of and contractual requirements on third parties not covered by previous security regulations.
- A mechanism for regulatory authorities to impose obligations directly on critical ICT service providers, extending the reach of cybersecurity governance.
- Uniform incident reporting requirements, fostering greater transparency and enabling faster response to cyberthreats across the financial sector.
Key dates for DORA
The Digital Operational Resilience Act became law on Jan. 16, 2023, and applies as of Jan. 17, 2025.
In May 2024, the European Supervisory Authorities published templates, technical documents and tools for a dry-run exercise on the reporting of registers of information under DORA. The templates, intended for financial entities preparing and recording their registers of information on contractual arrangements with ICT third-party providers, are in Excel format and include a completed example.