
EU DORA Regulation Enters into Force — January 16, 2023

DORA officially came into force January 2023, starting the preparation period for EU financial entities. ICT risk management, incident reporting, and third-party oversight requirements were coming. Financial institutions had until January 2025 to comply.


The Digital Operational Resilience Act (DORA) became law in January 2023, entering into force on January 16, 2023 and setting a January 2025 application deadline for EU financial entities and critical information and communication technology (ICT) service providers. DORA harmonizes how banks, insurers, investment firms, payment institutions, and third-party ICT vendors govern operational risk, report incidents, test resilience, and manage outsourcing. Institutions must transform policies, contracts, and assurance programs to satisfy the prescriptive Articles 5–57 and to support supervisors exercising their new oversight powers.

Scope and supervisory expectations

DORA applies to a broad spectrum of financial entities, including credit institutions, electronic money institutions, crypto-asset service providers, central securities depositories, and cloud-based ICT providers deemed critical by the European Supervisory Authorities (ESAs). Entities headquartered outside the EU but operating through branches must comply for EU operations.

National competent authorities retain primary supervision, while the ESAs coordinate through the Joint Oversight Forum to monitor critical third parties. The regulation supplements existing frameworks such as PSD2, MiFID II, Solvency II, and the EBA Guidelines on ICT and security risk, streamlining expectations into a single regime that elevates board accountability and cross-border consistency.

Capabilities required under the five DORA pillars

ICT risk management (Articles 5–14): Boards must approve a digital operational resilience strategy, define risk tolerances, and oversee its implementation. Institutions need asset inventories, configuration baselines, security patching, logging, vulnerability management, and training programs proportionate to risk.
Incident reporting (Articles 15–20): Entities must classify significant ICT-related incidents, submit early warning notifications, intermediate reports, and final post-incident reviews within stipulated timelines. Centralized registers must capture root causes, impact assessments, and remediation actions to support supervisory insight.
Digital operational resilience testing (Articles 21–24): DORA mandates risk-based testing, including vulnerability assessments, scenario-based testing, and for significant institutions, Threat-Led Penetration Testing (TLPT) at least every three years following TIBER-EU style methodologies.
ICT third-party risk management (Articles 25–39): Firms must maintain full registers of ICT service contracts, assess concentration risk, ensure contractual clauses cover service levels, access, audit rights, data ownership, and exit strategies, and coordinate with regulators if relying on critical providers.
Information sharing (Articles 40–44): Voluntary intelligence sharing arrangements on cyber threats and vulnerabilities must incorporate safeguards for confidentiality, competition law, and data protection.

Implementation sequencing and program governance

Financial institutions should establish DORA programs with executive sponsorship from the Chief Risk Officer and CIO, supported by legal, procurement, and business continuity leads. Conduct a gap assessment against DORA Articles, using the EBA’s Joint Supervisory Statement to prioritize foundational capabilities. Phase 1 should focus on governance artifacts—digital operational resilience strategy, risk appetite statements, and board reporting templates. Phase 2 should remediate controls for incident classification, logging, backup integrity, and communications playbooks. Phase 3 should align third-party inventories, exit plans, and testing schedules ahead of the 2025 go-live. Embed regulatory change management to track forthcoming Level 2 technical standards and guidelines scheduled for consultation through 2024.

Third-party oversight and contract remediation

Articles 28–31 require exhaustive contractual clauses covering service availability, data ownership, sub-outsourcing conditions, termination rights, and audit access. Procurement teams must update due diligence questionnaires to capture resilience metrics, ensure providers support TLPT participation, and verify geographic redundancy.

Develop concentration risk dashboards that analyze dependencies on hyperscale clouds, core banking vendors, and network providers. For critical third parties designated by the ESAs, prepare to support oversight inspections, provide log data, and address supervisory findings. Implement exit strategies with validated migration playbooks, secondary providers, and escrow arrangements for source code or configuration artifacts.

Resilience testing and incident response operations

Security and resilience teams should expand testing beyond traditional penetration testing to incorporate purple team exercises, failover drills, crisis communications simulations, and severe-but-plausible scenarios (for example, ransomware across payment systems). Align TLPT preparations with TIBER-EU guidance, selecting external threat intelligence providers and red teams that meet competence criteria.

Incident response procedures must integrate with national competent authority workflows, ensuring the ability to deliver initial notifications within hours of detection, followed by intermediate reports containing quantification of client impact and service downtime. Establish cross-border coordination protocols so multinational groups can satisfy EU and third-country reporting obligations without conflicting disclosures.

Responsible governance, data protection, and board engagement

DORA reinforces board responsibility for approving the digital operational resilience strategy and reviewing performance metrics. Boards should receive dashboards tracking key risk indicators (KRIs) such as mean time to detect, mean time to recover, percentage of critical applications covered by TLPT, supplier concentration scores, and outstanding remediation actions. Coordinate with data protection officers to ensure incident playbooks incorporate GDPR breach notification requirements, particularly when cyber incidents expose personal data. Integrate resilience reporting into ICAAP/ORSA processes to show capital adequacy for operational risk and to align with the ECB’s cyber resilience supervisory priorities.

Sector-specific adoption considerations

Banks and payment institutions: Map DORA requirements to the EBA Guidelines on ICT and security risk management, ensuring alignment with SWIFT Customer Security program controls and PSD2 incident reporting (Commission Implementing Regulation (EU) 2017/2055).
Insurance and reinsurance: Integrate DORA controls with Solvency II operational risk frameworks and EIOPA’s cloud outsourcing guidelines, emphasizing policy administration system availability and claims handling resilience.
Asset managers and market infrastructures: Coordinate DORA implementation with CSDR, EMIR, and MiFID II obligations. For CCPs and trading venues, ensure TLPT exercises reflect market stress scenarios and include coordination with participants.
Crypto-asset service providers: Newly authorized providers under MiCA should use DORA to formalize wallet security, incident disclosure, and cold storage resilience, anticipating heightened supervisory scrutiny.

Measurement, reporting, and continuous improvement

Establish integrated reporting that consolidates KRIs, audit findings, and remediation progress. Use GRC platforms to map controls to DORA Articles, assign control owners, and capture evidence. Implement service level objectives (SLOs) for recovery time and recovery point targets, and simulate disruption scenarios to validate assumptions. Track participation in intelligence-sharing communities such as FS-ISAC Europe, ensuring information exchange agreements meet Article 40 safeguards. Conduct annual board attestations summarizing DORA readiness, and integrate lessons learned from incidents into strategy updates.

External developments to monitor

Monitor Level 2 technical standards covering incident reporting templates, TLPT methodology, and criteria for critical third-party designation—drafts are scheduled for 2024 consultation with final adoption expected in 2024–2025. Track ESMA, EBA, and EIOPA guidance on cooperation among competent authorities, as well as potential alignment with the NIS2 Directive’s cybersecurity obligations. Watch for cross-border enforcement precedents once DORA becomes applicable, particularly coordinated supervisory actions against major cloud providers or financial groups with material outages.

Documentation

This brief supports financial institutions with DORA gap assessments, resilience testing programs, supplier oversight remediation, and board-level reporting.


Documentation

  1. Regulation (EU) 2022/2554 — Digital Operational Resilience for the Financial Sector — European Union
  2. ESAs Joint Supervisory Statement on DORA setup — European Supervisory Authorities
  3. ECB Banking Supervision priorities for 2023 — European Central Bank
  4. EBA Guidelines on ICT and security risk management — European Banking Authority
