Digital Operational Resilience Act
DORA establishes a comprehensive framework for digital operational resilience in the EU financial sector. It sets uniform requirements for the security of network and information systems supporting business processes of financial entities.
Who Needs to Comply?
Banks, insurance companies, investment firms, crypto-asset service providers, and critical ICT third-party service providers operating in the EU financial sector.
Key Dates & Timeline
Entered into force January 2023. Full compliance required from January 2025. Regulatory Technical Standards (RTS) adopted throughout 2024.
Latest DORA Updates
ESAs publish first annual report on DORA major ICT-related incidents
On 2026-06-03, the EBA, EIOPA and ESMA published their first annual overview of major ICT-related incidents under DORA, underscoring that borderless ICT and AI-driven risks now require financial entities to tighten cybersecurity and incident-reporting readiness.
BaFin risks in focus 2025 on generative AI and operational resilience
BaFin’s 2025 focus-risk update flags generative AI as a fraud and deception risk in finance, so institutions should reinforce DORA-aligned controls over AI-enabled processes and third parties.
DORA becomes applicable across the EU financial sector
DORA was published as Regulation (EU) 2022/2554 and became applicable on 17 January 2025, triggering enforceable ICT-risk, incident, testing, and third-party oversight obligations for EU financial entities and covered ICT providers.
EIOPA highlights DORA’s digital operational resilience framework
EIOPA’s 2021 publication supports the DORA proposal by emphasizing that financial firms need stronger ICT-risk management, testing, and oversight of critical third-party providers as digital transformation accelerates.
Frequently Asked Questions
What is DORA?
DORA (Digital Operational Resilience Act) is an EU regulation that creates a unified framework for managing ICT risks in the financial sector. It covers ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management.
How does DORA relate to the EU AI Act?
DORA and the EU AI Act are complementary. DORA focuses on ICT operational resilience in financial services, while the EU AI Act governs AI systems across all sectors. Financial firms using AI must comply with both — DORA for operational resilience and the AI Act for AI-specific requirements.
What are the key requirements of DORA?
DORA requires financial entities to establish ICT risk management frameworks, report major ICT-related incidents, conduct digital operational resilience testing, manage third-party ICT service provider risks, and share cyber threat intelligence.