Digital Operational Resilience Act (DORA) - EIOPA
Skip to main content
Logo
EnglishEnglish
European Insurance and Occupational Pensions Authority

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a regulation introduced by the European Union to strengthen the digital resilience of financial entities. It entered into application on 17 Jan 2025 and ensures that banks, insurance companies, investment firms and other financial entities can withstand, respond to, and recover from ICT (Information and Communication Technology) disruptions, such as cyberattacks or system failures.

DORA brings harmonisation to rules relating to operational resilience for the financial sector, applicable to 20 different types of financial entities and ICT third-party service providers.

AdobeStock_265258002

Why is DORA needed?

The financial sector is increasingly dependent on technology and on tech companies to deliver financial services. This makes financial entities vulnerable to cyber-attacks or incidents.

When not managed properly, ICT risks can lead to disruptions of financial services offered across borders. This in turn, can have an impact on other companies, sectors and even on the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector.

This is where the Digital Operational Resilience Act, or DORA, comes into play.

What does DORA cover?

  • ICT risk management

    Principles and requirements on ICT risk management framework

  • ICT third-party risk management

    Monitoring third-party risk providers

    Key contractual provisions

  • Digital operational resilience testing

    Basic and advanced testing

  • ICT-related incidents

    General requirements

    Reporting of major ICT-related incidents to competent authorities

  • Information sharing

    Exchange of information and intelligence on cyber threats

  • Oversight of critical third-party providers

    Oversight framework for critical ICT third-party providers

The DORA regulation is implemented on three levels.

Level 1 - Regulation and amending Directive

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector 

Directive (EU) 2022/2556 of the European Parliament and of the Council of 14 December 2022 amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience for the financial sector 

Level 2 - Regulatory, implementing and delegated acts in the official journal

Level 3 - Guidelines

Reporting of the register of information:

Opinions:

Q&As on DORA:

Other resources: