
EU DORA Provisional Agreement

EU lawmakers reached a provisional agreement on DORA in May 2022, setting harmonized ICT risk, incident reporting, testing, and third-party oversight rules for financial institutions and critical ICT providers ahead of the regulation’s formal adoption.


On 10 May 2022 the European Parliament and Council negotiators reached a provisional political agreement on the Digital Operational Resilience Act (DORA), a landmark regulation that harmonizes ICT risk management requirements across the EU financial sector. DORA imposes binding obligations on banks, insurers, investment firms, crypto-asset service providers, and critical ICT third-party providers, covering governance, incident reporting, resilience testing, and supply chain oversight. Final adoption was anticipated later in 2022, followed by a two-year implementation period.

Scope and governance

DORA applies to a broad range of financial entities regulated under existing EU frameworks (CRR/CRD, Solvency II, MiFID II, PSD2, E-money Directive, UCITS/AIFMD) as well as crypto-asset service providers under MiCA. Senior management bears ultimate responsibility for ICT risk management, requiring board-level engagement, a defined risk appetite, and oversight of implementation. Firms must maintain an ICT risk management framework encompassing policies, roles, asset inventories, and incident response aligned with NIS2 and EBA/EIOPA/ESMA guidelines.

Boards must approve the digital operational resilience strategy, receive regular reporting on risk metrics, and ensure adequate budget, staffing, and training. Governance structures should integrate second-line risk and compliance functions, with clear escalation paths for significant incidents. Institutions must document roles for the Chief Information Security Officer, Chief Risk Officer, and internal audit, ensuring independence and authority to challenge business decisions that undermine resilience.

ICT risk management requirements

Article 5 of DORA mandates risk identification, protection, detection, response, and recovery capabilities. Firms must maintain updated asset registers, classify business functions by criticality, and map dependencies on ICT systems and third parties. Protective measures include security-by-design principles, patch management, vulnerability scanning, and data encryption. Detection capabilities require monitoring of anomalous activities, logging, and threat intelligence integration. Response and recovery obligations encompass incident playbooks, communication plans, backup strategies, and disaster recovery testing with defined recovery time and point objectives.

Operational teams should align controls with industry standards such as ISO/IEC 27001, ISO 22301, and NIST CSF. Implement continuous control monitoring, automated configuration management, and red/blue team exercises. Maintain documentation demonstrating adherence to DORA’s proportionality principle—smaller firms can scale measures based on risk, but must evidence decision-making.

Incident reporting and information sharing

DORA introduces a harmonized incident reporting regime. Financial entities must classify ICT-related incidents according to severity criteria (impact on critical services, number of clients affected, geographic spread, data losses) and notify competent authorities via initial, intermediate, and final reports.

The provisional agreement anticipates alignment with existing sectoral reporting (for example, PSD2 major incident reports, ECB cyber incident reporting), aiming to reduce duplication through a central hub coordinated by the European Supervisory Authorities (ESAs). Institutions should prepare to automate incident data collection, maintain evidence repositories, and integrate regulatory notification timelines into crisis management playbooks.

DORA also encourages voluntary information sharing on cyber threats and vulnerabilities via trusted communities, subject to confidentiality and competition safeguards. Firms should evaluate participation in Information Sharing and Analysis Centres (ISACs) and sectoral CERTs, implementing governance to ensure shared intelligence translates into actionable controls.

Digital operational resilience testing

Entities must operate a full testing program, including vulnerability assessments, penetration tests, scenario-based drills, and disaster recovery exercises. Significant institutions designated by supervisors must conduct advanced threat-led penetration testing (TLPT) every three years, building on frameworks like TIBER-EU. Testing must cover critical functions, third-party integrations, and cross-border operations. Firms should develop multi-year testing strategies, maintain vendor-independent testers, and track remediation of findings. Internal audit should verify test effectiveness and management response.

Third-party risk and critical providers

DORA sets up a dedicated oversight framework for critical ICT third-party service providers (CTPPs), likely including major cloud service providers. The ESAs, through a Joint Oversight Forum, will designate CTPPs based on systemic impact and oversee risk assessments, audits, and remediation plans. Financial entities must maintain a register of all ICT third-party arrangements, assess concentration risk, and include contractual clauses covering access, audit rights, service levels, incident notification, data residency, and exit strategies.

Procurement teams should update due diligence questionnaires to capture providers’ resilience capabilities, security certifications, and subcontractor dependencies. Contracts must allow supervisors and institutions to conduct inspections, obtain logs, and test recovery procedures. Exit plans should include data portability, transition services, and regular testing of failover to alternate providers or on-premises infrastructure.

Sub-outsourcing and supply chain

DORA emphasizes transparency over sub-outsourcing. Providers must disclose chains of subcontractors, enabling institutions to assess cumulative risk. Financial entities should map fourth-party dependencies, evaluate geographic concentration, and assess geopolitical and legal risks (for example, data transfer restrictions, sanctions exposure). Implement continuous monitoring for supplier performance, integrating security ratings, attack surface management, and contract KPIs.
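The third-party register and sub-outsourcing mapping described above can be turned into a simple, repeatable concentration check. The following is an added illustration, not code from the briefing or any regulator: it uses a constructed register with hypothetical provider names, counts how many critical business functions depend on each provider directly or through disclosed subcontractors (fourth parties), and groups critical functions by the region of their direct provider.

```python
from collections import defaultdict

# Constructed sample register (hypothetical names, not real firms): one row
# per ICT third-party arrangement, recording the provider, its region, the
# business functions it supports and the subcontractors it has disclosed.
REGISTER = [
    {"provider": "CloudA", "region": "EU",
     "functions": ["payments", "core-banking"], "subcontractors": []},
    {"provider": "KycSaaS", "region": "EU",
     "functions": ["onboarding"], "subcontractors": ["CloudA"]},
    {"provider": "DataCo", "region": "US",
     "functions": ["reporting"], "subcontractors": ["CloudA"]},
    {"provider": "HostB", "region": "EU",
     "functions": ["web-channel"], "subcontractors": []},
]
# Criticality classification of business functions (constructed).
CRITICAL = {"payments", "core-banking", "onboarding"}


def dependency_map(register):
    """Return {party: set(functions)} counting both direct arrangements and
    functions that reach a party through a disclosed subcontractor chain."""
    deps = defaultdict(set)
    for row in register:
        for party in [row["provider"], *row["subcontractors"]]:
            deps[party].update(row["functions"])
    return dict(deps)


def concentration_risk(register, critical, threshold=0.5):
    """Parties (including fourth parties) on which at least `threshold` of all
    critical functions depend; each is a candidate single point of failure."""
    deps = dependency_map(register)
    flagged = []
    for party, funcs in deps.items():
        share = len(funcs & critical) / len(critical)
        if share >= threshold:
            flagged.append((party, round(share, 2)))
    return sorted(flagged, key=lambda x: (-x[1], x[0]))


def regional_exposure(register, critical):
    """Critical functions grouped by the region of their direct provider, as
    input to geographic-concentration and data-transfer review."""
    by_region = defaultdict(set)
    for row in register:
        by_region[row["region"]].update(set(row["functions"]) & critical)
    return {r: sorted(f) for r, f in by_region.items() if f}


if __name__ == "__main__":
    print(concentration_risk(REGISTER, CRITICAL))   # [('CloudA', 1.0)]
    print(regional_exposure(REGISTER, CRITICAL))
```

Note that CloudA is flagged even though only two arrangements name it directly: the onboarding function reaches it through KycSaaS's disclosed subcontracting, which is exactly the cumulative exposure the sub-outsourcing disclosure rule is meant to surface.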

How to implement this

2022–2023: Planning. Establish DORA steering committees involving risk, IT, legal, procurement, and business leaders. Conduct gap assessments against existing ICT risk frameworks (EBA Guidelines on ICT and security risk management, EIOPA cloud outsourcing guidelines). Identify priority remediation areas—asset inventory, incident reporting automation, TLPT readiness, third-party governance—and allocate budgets.

2023–2024: Execution. Develop or improve ICT risk management policies, implement tooling for continuous monitoring, and integrate DORA metrics into enterprise risk dashboards. Build incident reporting pipelines capable of generating regulatory templates. Negotiate contract amendments with critical vendors, ensuring audit rights and data access. Launch TLPT programs, selecting accredited providers and coordinating with competent authorities for scoping.

2024 onwards: Operationalisation. With DORA expected to apply in 2024/2025, embed ongoing compliance into business-as-usual processes. Establish key risk indicators (KRIs) for ICT risk (for example, patch latency, mean time to detect/respond, supplier SLA breaches). Run annual board training on digital resilience obligations, update incident simulation exercises, and maintain readiness for supervisory inspections.

Interaction with other EU initiatives

DORA complements NIS2, the AI Act, and the EU Cybersecurity Act. Financial entities classified as essential under NIS2 must harmonize requirements, using single governance structures. Align reporting processes with upcoming harmonized templates under the Cyber Resilience Act and the proposed critical entities resilience directive. Monitor European Banking Authority technical standards and guidelines that will detail risk management, incident reporting, and testing methodologies following DORA’s adoption.

Data and documentation

Maintain full documentation: ICT risk registers, incident logs, testing reports, third-party inventories, and board minutes. Establish evidence repositories accessible during supervisory reviews. Implement configuration management databases linking business services to ICT assets and suppliers to show traceability. Use integrated governance, risk, and compliance (GRC) platforms to track obligations, control ownership, and remediation progress.

The provisional DORA agreement signals a step change in EU financial-sector resilience expectations. Institutions that mobilize governance, invest in tooling, and engage suppliers early will be prepared to meet the regulation’s binding obligations once the final text is published.
