Compliance · 6 min read · Credibility 71/100

EU Digital Operational Resilience Act Published

The Digital Operational Resilience Act (DORA) was published in the EU Official Journal on 27 December 2022, setting uniform ICT risk, testing, and third-party oversight rules for financial entities ahead of a 2025 application date.

Verified for technical accuracy — Kodi C.


Publication and Regulatory Context

The EU Digital Operational Resilience Act (DORA) was published in the Official Journal on 27 December 2022 following adoption by the Council and the European Parliament. The regulation establishes a comprehensive framework for ICT risk management across the European financial sector, addressing the growing dependence of financial institutions on technology systems and third-party providers.

DORA creates harmonized requirements that replace fragmented national approaches, ensuring consistent operational resilience standards across all EU member states. Financial entities have until January 2025 to achieve full compliance, with the European Supervisory Authorities developing detailed regulatory technical standards throughout 2023-2024.

Scope and Covered Entities

DORA applies broadly across the financial services ecosystem, covering credit institutions, investment firms, payment institutions, electronic money institutions, crypto-asset service providers, central securities depositories, trading venues, central counterparties, data reporting service providers, insurance undertakings, pension funds, credit rating agencies, and various other financial market participants.

The full scope ensures consistent operational resilience standards across interconnected financial services, preventing regulatory arbitrage and addressing systemic risks that could emerge from weak links in the financial infrastructure. Third-party ICT service providers serving covered entities also fall within scope, though with different obligation categories.

ICT Risk Management Framework

Financial entities must implement comprehensive ICT risk management frameworks encompassing identification, protection, detection, response, and recovery capabilities. Governance requirements mandate board-level oversight of ICT risk, with management bodies bearing ultimate responsibility for the framework's effectiveness.

Entities must develop ICT business continuity and disaster recovery plans, conduct regular testing including threat-led penetration testing for significant entities, and maintain ICT asset inventories. Risk assessments must evaluate third-party dependencies and concentration risks. The framework requirements build upon existing sector-specific guidance while establishing binding legal obligations with supervisory oversight and enforcement mechanisms.

Incident Reporting Requirements

DORA establishes mandatory ICT-related incident reporting to competent authorities, creating standardized notification requirements across the financial sector. Major incidents meeting specified materiality thresholds must be reported within defined timeframes, with initial notifications followed by intermediate and final reports as incidents develop.

The reporting framework includes templates and data fields standardized across the EU, enabling aggregated analysis of sector-wide incident patterns. Entities must maintain incident classification and escalation procedures that integrate with external reporting obligations. The reporting requirements create compliance burden but also provide regulators with visibility into operational disruptions affecting financial stability.

Third-Party Risk Management

A central innovation in DORA addresses concentration risk and oversight gaps for critical third-party providers serving the financial sector. The regulation requires contractual provisions ensuring audit rights, access to information, and termination capabilities for critical functions.

Financial entities must maintain registers of third-party arrangements, conduct due diligence assessments, and develop exit strategies for critical outsourcing relationships. For designated critical third-party providers—likely including major cloud service providers—European Supervisory Authorities gain direct oversight authority, conducting examinations and potentially requiring remediation of identified deficiencies. This regulatory innovation addresses longstanding concerns about oversight gaps for technology providers not directly supervised under financial regulation.

Digital Resilience Testing

DORA mandates regular digital operational resilience testing proportionate to entity size, risk profile, and business complexity. Requirements range from vulnerability assessments and network security testing to advanced threat-led penetration testing (TLPT) for significant financial entities.

TLPT must be conducted by independent testers using threat intelligence to simulate sophisticated adversary tactics. Testing results inform remediation planning and risk management improvements. The testing framework draws on existing practices like TIBER-EU while establishing binding requirements with supervisory consequences for inadequate testing programs or failure to address identified vulnerabilities.

Implementation and Regulatory Technical Standards

The European Supervisory Authorities—EBA, ESMA, and EIOPA—are developing regulatory technical standards (RTS) that provide detailed implementation specifications for DORA's principle-based requirements. The standards address ICT risk management framework elements, incident classification criteria, third-party contract provisions, testing methodologies, and the critical provider designation process.

Financial entities should track RTS development and consultation periods to understand forthcoming detailed requirements and influence final standards where possible. Implementation programs should begin with gap assessments against DORA requirements, prioritizing areas with longest remediation timelines and greatest compliance distance from current practices.

Topics: DORA · Financial Services · Operational Resilience · European Union
Sources cited: 2 sources (iso.org, federalregister.gov)