
Policy Briefing — Digital Operational Resilience Act enters into force

On 16 January 2023 the EU’s Digital Operational Resilience Act (DORA) took effect, starting a phased timeline for financial entities and critical ICT providers to meet governance, testing, and third-party risk obligations.


The Digital Operational Resilience Act (DORA) entered into force on 16 January 2023, 20 days after publication in the EU Official Journal. Banks, insurers, investment firms, and ICT service providers now have two years to align with harmonized EU rules on ICT risk management, incident reporting, digital operational resilience testing, and oversight of critical third-party vendors.

Program leads should map existing frameworks against the act’s five pillars—governance, risk management, incident classification and reporting, testing, and third-party risk—to prioritize gaps. Contracts with ICT providers may need renegotiation to meet new oversight and concentration requirements before the supervisory framework is fully operational.

  • Regulation text details timelines, ICT testing expectations, incident thresholds, and oversight powers for critical providers.
  • Commission notice confirms the effective date and scope, underscoring the two-year implementation runway.