Policy Briefing – Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act becomes binding on 17 January 2025 and harmonises ICT risk management, incident reporting, testing and third‑party oversight across the EU financial sector. Financial entities must prepare accurate registers of ICT providers, update governance and contracts, and meet strict enforcement deadlines despite national differences.
Context
The Digital Operational Resilience Act (DORA) is the EU’s first comprehensive regulation aimed at ensuring that financial entities can withstand, respond to and recover from information‑and‑communication‑technology (ICT) disruptions. Adopted in December 2022, DORA enters into application on 17 January 2025. It harmonises operational‑resilience rules for roughly twenty categories of financial entities—banks, insurance companies, investment firms, payment institutions, e‑money issuers and other regulated sectors—as well as critical third‑party ICT service providers. By establishing a single framework across the EU, DORA aims to close gaps in national rules and to protect the financial system from systemic ICT failures.

DORA emerged against the backdrop of growing digital dependence in the financial sector. Regulators observed that cyber‑attacks and IT outages can cascade across borders and that existing national rules were fragmented. The regulation therefore introduces consistent requirements for ICT risk management, incident reporting, resilience testing, third‑party risk management, information sharing and oversight. It is complemented by Directive (EU) 2022/2556, which amends sectoral legislation to align with DORA, and a suite of regulatory technical standards detailing how to implement key obligations.
Obligations and key features
DORA obliges financial entities to establish an end‑to‑end ICT risk‑management framework. This includes maintaining inventories of critical systems and data, implementing security‑by‑design principles, performing regular vulnerability assessments, and ensuring adequate segregation and backup arrangements. Entities must classify incidents based on severity and notify the competent authority of major ICT incidents; DORA mandates timely reporting of major incidents and, where required, submission of additional information for sectoral supervisors. They must also define a digital operational resilience testing programme that ranges from basic testing to advanced threat‑led penetration testing, depending on the entity’s size and risk profile.

Third‑party ICT risk management is a major focus of DORA. Financial entities must assess and monitor the resilience of providers such as cloud platforms, data centres and software vendors, ensure appropriate contractual terms and maintain a register of information detailing all outsourcing arrangements. In December 2024 the European Supervisory Authorities (ESAs) published the final implementing technical standards for the register of information and completed a dry run with national regulators. The ESAs emphasise that preparing an accurate register is the top priority: the register enables supervisors to identify critical dependencies and will be a key tool for enforcement. Companies should focus on accuracy and correct formatting rather than exhaustive completeness and are expected to submit the register in early 2025.
DORA applies uniformly across the EU, yet enforcement will be decentralised. The ESAs have indicated that there will be no transition period: they expect comprehensive compliance by the 17 January 2025 deadline. Regulators recognise that many organisations will struggle to meet all requirements on day one; nevertheless, the ESAs intend to take a strict approach and may prioritise the most significant areas of non‑compliance for enforcement. Enforcement practices will vary by Member State; some regulators have already adopted DORA‑inspired rules and will have high expectations, while many countries have not yet transposed Directive 2022/2556 and may be slower to impose sanctions.
Sectoral differences and challenges
The ESAs note that DORA obligations overlap with existing guidelines for banking and insurance, so institutions in heavily regulated sectors may already be partly compliant. In contrast, alternative investment fund managers and other less regulated entities face a steeper compliance curve because they lack established ICT risk frameworks. The ESAs’ register of information dry run found that registers submitted by banks and insurers contained roughly five times as many data points as those submitted by alternative investment fund managers. These disparities highlight the need for sector‑specific guidance and resources.

DORA’s scope extends beyond EU‑established entities. Non‑EU financial firms offering services in the EU must appoint an EU representative and comply with DORA’s requirements, adding to the compliance burden. Entities should anticipate that supervisory scrutiny will focus not only on internal controls but also on the resilience and governance of their ICT service providers. Oversight of critical ICT third‑party providers—including cloud platforms—will be central to DORA’s effectiveness and will involve joint examination teams of national regulators.
Implications
For IT and security teams, DORA demands a holistic view of digital operations. Organisations must map their entire technology stack, identify critical assets, implement layered defences and monitor performance. Registers of information should capture the most significant third‑party dependencies with sufficient detail to allow regulators to understand exposure. Testing programmes should incorporate threat‑led penetration tests to evaluate resilience against sophisticated attackers. Incident‑response plans must align with sectoral reporting requirements and ensure swift communication with regulators.

For legal and procurement teams, DORA necessitates revising contracts to include DORA‑compliant clauses around service levels, incident notification, audit rights and exit strategies. Because enforcement will vary across jurisdictions, firms should monitor national implementing measures and prepare to deal with multiple competent authorities. Board oversight is essential; regulators will expect evidence that senior management actively participates in ICT risk governance and resilience planning.
Recommended actions
- Act now: Treat the 17 January 2025 deadline as a hard stop. Prioritise registering critical ICT outsourcing relationships and ensure accuracy in the register. Submit the register promptly to regulators and update it regularly as contracts change.
- Implement ICT risk management: Develop a comprehensive ICT risk‑management framework that covers asset inventory, threat modelling, vulnerability management, business continuity and segregation of duties.
- Enhance resilience testing: Establish a testing programme commensurate with your risk profile, including advanced threat‑led penetration tests where required.
- Update contracts and governance: Review contracts with ICT service providers and incorporate clauses that support resilience, incident reporting, audit rights and exit plans. Ensure that governance structures assign clear responsibility for ICT risk management to senior management and board committees.
- Coordinate across jurisdictions: Track national transposition of Directive 2022/2556 and adapt compliance programmes to country‑specific enforcement practices.
- Integrate third‑party oversight: Conduct due diligence on ICT providers, monitor their resilience and ensure contract terms include clear obligations and remedies.
Zeph Tech analysis
DORA is a milestone in EU financial regulation that places digital resilience on par with financial stability. By imposing uniform requirements across banks, insurers, fund managers and technology providers, it seeks to prevent IT outages and cyber incidents from triggering systemic shocks. The regulation’s strict deadline and emphasis on registers of information reflect regulators’ desire for early visibility into the ICT supply chain. However, sectoral and national differences will complicate implementation; regulators themselves may struggle with enforcement. Practitioners should view DORA compliance as an opportunity to strengthen cybersecurity fundamentals—asset management, threat monitoring, supply‑chain oversight and board governance. Early investment in these capabilities will not only meet regulatory expectations but also enhance operational resilience and customer trust.