Digital Operational Resilience Act enters into force
DORA entered into force on January 16, 2023, giving EU financial services two years to prepare. The application date was January 17, 2025. This was the starting gun for ICT risk management standardization across the sector.
The Digital Operational Resilience Act (DORA) entered into force on January 16, 2023, 20 days after publication in the EU Official Journal. Banks, insurers, investment firms, and ICT service providers now have two years to align with harmonized EU rules on ICT risk management, incident reporting, digital operational resilience testing, and oversight of critical third-party vendors.
Five pillars of compliance
- ICT Risk Management: Establish governance frameworks, assign senior management accountability, and implement proportionate risk management procedures for ICT systems and assets.
- ICT Incident Reporting: Classify and report major ICT-related incidents to competent authorities within prescribed timeframes. Establish root cause analysis and remediation processes.
- Digital Operational Resilience Testing: Conduct regular testing including vulnerability assessments, penetration testing, and threat-led penetration testing (TLPT) for significant entities.
- Third-Party Risk Management: Maintain registers of ICT third-party providers, conduct due diligence, and include mandatory contractual provisions on resilience, audit rights, and exit strategies.
- Information Sharing: Participate in cyber threat information sharing arrangements with appropriate safeguards.
Key dates and milestones
The regulation applies from January 2025, providing a two-year runway for implementation. Regulatory technical standards (RTS) and implementing technical standards (ITS) will be developed by the European Supervisory Authorities (ESAs) to specify detailed requirements. If you are affected, monitor ESA consultations and draft standards.
Third-party oversight framework
Critical ICT third-party providers will be subject to direct oversight by lead overseers designated among the ESAs. Contracts with ICT providers may need renegotiation to meet new oversight and concentration requirements before the supervisory framework is fully operational.
DORA Framework Overview
The Digital Operational Resilience Act (DORA) entered into force on January 16, 2023, establishing uniform requirements for financial entities across the European Union to ensure they can withstand, respond to, and recover from ICT-related disruptions and threats. The regulation applies to a broad range of financial entities, including credit institutions, investment firms, insurance undertakings, and critical third-party ICT service providers.
DORA represents the first comprehensive EU-level framework specifically addressing digital operational resilience in financial services, consolidating and harmonizing previously fragmented requirements across member states and sector-specific regulations. Full compliance is required by January 17, 2025, giving organizations a two-year implementation period.
ICT Risk Management Requirements
Financial entities must implement comprehensive ICT risk management frameworks proportionate to their size, complexity, and risk profile. Requirements include documented ICT risk management strategies, policies, and procedures covering identification of ICT risk, protection of ICT assets, and detection of, response to, and recovery from ICT-related incidents.
Governance arrangements must ensure management body members understand ICT risks and actively oversee ICT risk management frameworks. Dedicated ICT risk management functions with appropriate independence and resources are required, with clear reporting lines to senior management and the board.
ICT Incident Management
DORA establishes harmonized incident classification, reporting, and management requirements. Financial entities must implement processes to detect, manage, and report ICT-related incidents using standardized classifications. Major incidents require notification to competent authorities within specified timeframes, with follow-up reports providing incident details and remediation actions.
Incident response procedures must address containment, eradication, and recovery activities. Post-incident reviews should identify root causes and drive improvements to prevent recurrence. Documentation requirements support both internal governance and regulatory oversight of incident management effectiveness.
Digital Operational Resilience Testing
Proportionate testing requirements ensure financial entities validate their digital operational resilience capabilities. Basic testing including vulnerability assessments and scenario-based testing applies to all entities. Significant financial entities must conduct advanced testing through threat-led penetration testing (TLPT) at least every three years.
Testing programs must cover critical ICT systems and applications supporting business functions. Test results should inform risk assessments and remediation priorities. Documentation of testing activities, findings, and remediation actions supports compliance demonstration and regulatory examinations.
Third-Party ICT Risk Management
DORA establishes comprehensive requirements for managing ICT third-party risk, recognizing the financial sector's extensive reliance on external service providers. Financial entities must maintain registers of ICT third-party arrangements, conduct risk assessments before entering into arrangements, and include specified contractual provisions addressing security, incident reporting, and exit strategies.
Critical ICT third-party service providers face direct oversight by European Supervisory Authorities through a new oversight framework. This includes designation criteria, examination powers, and the ability to issue recommendations and impose remedial measures for identified deficiencies.
Information Sharing
DORA encourages voluntary information sharing among financial entities regarding cyber threats, vulnerabilities, and good practices. Information sharing arrangements must protect confidential information and comply with competition law. Participation in sector-specific information sharing communities supports collective defense against cyber threats.
Wrapping up
DORA sets up a comprehensive digital operational resilience framework for EU financial services, requiring significant investment in ICT risk management, incident management, testing, and third-party oversight capabilities. If you are affected, begin implementation planning immediately to ensure readiness for the 2025 compliance deadline.
Regulatory Technical Standards
The European Supervisory Authorities will develop regulatory technical standards (RTS) specifying detailed requirements for ICT risk management, incident reporting, testing, and third-party risk management. If you are affected, monitor RTS development and incorporate final requirements into compliance programs as they are adopted. Draft standards provide early insight into regulatory expectations and help inform implementation planning.
Cross-border coordination between national competent authorities ensures consistent application of DORA requirements across member states. Financial entities operating in multiple jurisdictions should engage with relevant authorities to understand supervisory expectations and coordinate compliance activities. Harmonized requirements reduce compliance burden compared to handling divergent national frameworks.
Investment in ICT risk management capabilities, testing programs, and third-party oversight processes positions financial entities for successful DORA compliance while improving overall operational resilience. Documentation of implementation decisions and compliance activities supports regulatory examinations and shows organizational commitment to digital operational resilience objectives.
Regular assessment against evolving requirements ensures compliance programs remain current. Engagement with industry associations provides insight into common challenges and implementation approaches. Early compliance preparation reduces regulatory risk while strengthening operational resilience capabilities, and early planning ensures successful implementation.
ICT Risk Management Framework
DORA establishes thorough ICT risk management requirements for financial entities operating in the EU. Mandatory elements include risk assessment processes, incident reporting mechanisms, and third-party risk oversight. The regulation harmonizes previously fragmented national requirements into a unified framework.
Critical Third-Party Oversight
Critical ICT service providers face direct supervisory oversight by European Supervisory Authorities. Designation criteria include concentration risk, interconnectedness, and substitutability assessments. Oversight powers enable inspections, information requests, and corrective measures.
Operational Resilience Testing
Threat-led penetration testing requirements apply to significant financial entities. Testing scenarios must reflect realistic threat landscapes and business-critical functions. Remediation timelines and verification processes demonstrate continuous improvement of resilience capabilities.