EU DORA Official Journal Publication
DORA was published in the EU Official Journal. Financial entities have until January 17, 2025 to comply with digital operational resilience requirements including ICT risk management, incident reporting, and third-party risk oversight.
On 27 December 2022 the EU Digital Operational Resilience Act (DORA) was published in the Official Journal (Regulation (EU) 2022/2554), triggering a 24-month implementation period ahead of the 17 January 2025 application date. DORA establishes a harmonized ICT risk management framework for financial entities—including banks, insurers, investment firms, payment institutions, and critical ICT service providers—covering governance, incident reporting, testing, third-party risk, and threat intelligence. Firms must align operating models, control frameworks, and outcome testing to meet the regulation’s prescriptive requirements.
Scope and governance
DORA applies to a broad range of financial entities and designates critical ICT third-party service providers (CTPPs) subject to direct European Supervisory Authority (ESA) oversight. Key governance obligations include:
- Board responsibility for ICT risk management, strategy approval, and oversight.
- Establishing risk management frameworks covering identification, protection, detection, response, and recovery.
- Adopting ICT security policies, business continuity, and disaster recovery plans with periodic testing.
- Maintaining incident response processes aligned with ESA technical standards.
Boards must receive regular reporting on ICT risk, incidents, testing outcomes, and third-party performance.
ICT risk management requirements
Firms must implement controls across:
- ICT risk identification: Asset inventories, risk assessments, dependency mapping, and risk appetite statements.
- Protection and prevention: Security policies, access controls, encryption, vulnerability management, and secure development lifecycle.
- Detection: Monitoring, logging, and anomaly detection with defined thresholds.
- Response and recovery: Incident response plans, communication strategies, backup and recovery testing, and crisis management.
- Learning and evolving: Post-incident reviews, lessons learned, and continuous improvement.
Outcome testing should demonstrate control effectiveness through measurable results, such as reduced incident impact, faster recovery times, and improved detection rates.
Incident reporting and information sharing
DORA standardizes incident classification and reporting through ESA technical standards. Financial entities must:
- Classify incidents based on criteria (service downtime, client impact, data breaches) and notify competent authorities.
- Submit initial, intermediate, and final reports within specified timelines.
- Participate in threat intelligence sharing arrangements and consider voluntary sharing with peers.
Firms must ensure incident response teams, communication plans, and reporting tools meet DORA requirements.
Digital operational resilience testing
DORA requires regular testing, including:
- Basic testing (vulnerability assessments, penetration testing, scenario-based tests) for all financial entities.
- Advanced Threat-Led Penetration Testing (TLPT) at least every three years for significant entities, aligned with TIBER-EU.
- Testing of business continuity and disaster recovery, including participation in industry-wide exercises.
Outcome testing must document findings, remediation actions, and retesting results. Entities should maintain testing registers and report outcomes to senior management and regulators.
Third-party risk management
Firms must maintain a full register of ICT third-party arrangements, perform due diligence, and ensure contracts include mandatory clauses (service levels, security requirements, audit rights, exit strategies). Critical ICT third-party providers will be overseen by ESAs, and financial entities must cooperate with regulators during inspections.
Outcome metrics should track supplier performance, incident rates, and compliance with contractual obligations.
Information sharing and threat intelligence
DORA encourages participation in threat intelligence communities, with safeguards for confidentiality. Firms should establish governance for sharing indicators of compromise, tactics, techniques, and procedures (TTPs), and integrate intelligence into detection and response workflows.
How to implement this
- 2023: Conduct gap analyses, establish DORA program governance, and align with ESA rulemaking timelines.
- 2024: Implement control improvements, update third-party contracts, and prepare for TLPT scoping.
- 2025: Finalize compliance documentation, execute required tests, and ensure readiness for supervisory assessments.
Documentation
- Regulation (EU) 2022/2554 (DORA)
- European Commission DORA overview
- ESAs consultation on DORA technical standards
- EBA ICT and security risk guidelines
- TIBER-EU framework
This brief guides financial institutions through DORA implementation, aligning governance, testing, and third-party oversight to demonstrate operational resilience by the 2025 go-live.
Supervisory engagement strategy
Firms should prepare for active supervision by ESAs and national competent authorities. This involves designating regulatory liaisons, maintaining evidence repositories, and conducting mock supervisory reviews. Documenting decision logs, board minutes, and remediation plans ensures responses to information requests are timely. Firms operating across multiple jurisdictions should coordinate messaging to avoid inconsistencies.
Outcome testing can include dry-run supervisory meetings, benchmarking readiness scores, and tracking closure of regulator feedback.
Integration with broader resilience initiatives
For cross-border firms, DORA overlaps with existing frameworks such as the ECB Cyber Resilience Oversight Expectations (CROE) and the UK’s operational resilience regime. Financial institutions should map DORA controls to existing programs, identifying where they can reuse controls and where gaps remain. Establishing a unified resilience taxonomy can simplify reporting, testing, and board oversight. Firms should also coordinate DORA implementation with CSRD sustainability disclosures and NIS2 obligations to ensure consistent risk narratives.
Change management and culture
Embedding DORA requires cultural change. Firms should develop communication campaigns explaining why digital resilience matters, establish communities of practice, and recognize teams that contribute to resilience improvements. Incorporating DORA objectives into performance evaluations and incentives reinforces accountability.
Data architecture readiness
Meeting DORA’s reporting and testing obligations depends on high-quality data. Firms should assess whether current data lakes, SIEM platforms, and configuration databases can produce the required metrics. Implementing data lineage tools helps trace how resilience metrics are derived, supporting auditability. Teams may need to harmonize taxonomies across risk, security, and continuity functions to avoid inconsistent reporting.
Outcome testing should validate that dashboards pull from authoritative sources and that manual interventions are minimized. Regular data quality reviews—covering completeness, accuracy, and timeliness—should feed into governance forums.
Firms should align employee training with DORA roles, ensuring first-line operations teams, incident responders, and third-party managers understand new obligations. Training metrics and competency assessments should be recorded to show readiness during supervisory reviews.
Boards should request heat maps highlighting critical ICT dependencies and residual risks, enabling strategic oversight and investment prioritization.
Internal audit should validate implementation milestones annually, providing assurance to the board and regulators.
Cross-functional steering committees should review resilience KPIs monthly to maintain progress.
External assurance over key resilience processes can provide additional comfort to supervisors.
Independent scenario exercises can validate cross-entity coordination under severe disruption conditions.
Teams can benchmark maturity against industry utilities to gauge readiness.
Regular stakeholder forums with ICT providers can surface systemic risks early.
Continuous improvement logs should document all remediation actions.
Documentation
- Regulation (EU) 2022/2554 on digital operational resilience for the financial sector — Official Journal of the European Union
- EU publishes Digital Operational Resilience Act — European Securities and Markets Authority
- ISO 37301:2021 — Compliance Management Systems — International Organization for Standardization