Platform
Solutions
Partners
Why NMT
Resources
Contact Us
GuidesFrameworks & Standards

What is DORA?

The EU's Digital Operational Resilience Act sets binding cyber and resilience rules for financial entities and their ICT providers.

6 min read

The Digital Operational Resilience Act (DORA) is an EU regulation that creates a single, binding framework for the digital operational resilience of the financial sector. It applies across financial entities and, importantly, to the critical ICT third-party providers that serve them.

DORA is in force and enforced by the European Supervisory Authorities. If you are a financial entity operating in the EU, or a technology provider to one, it likely applies. This guide covers its structure.

Key takeaways
  • DORA is an EU regulation for the operational resilience of financial entities and their ICT providers.
  • It is built around five pillars, from ICT risk management to third-party oversight.
  • It includes advanced resilience testing, including threat-led penetration testing for larger entities.
  • ICT providers to EU financial firms are directly in scope, alongside the banks themselves.

Who it applies to

DORA covers a broad set of EU financial entities, including banks, investment firms, insurers, payment institutions, and crypto-asset service providers, and it extends to the critical ICT third-party providers, such as cloud and software vendors, that support them. That reach into the supply chain is one of its most significant features.

The five pillars

DORA organises its requirements into five areas:

  • ICT risk management: a governance framework to identify, protect, detect, respond, and recover.
  • ICT incident management and reporting: classify and report major incidents on set timelines.
  • Digital operational resilience testing: regular testing, including threat-led penetration testing for larger entities.
  • ICT third-party risk management: oversight and contractual controls for critical providers.
  • Information and intelligence sharing on cyber threats.

How to prepare

Preparation means maturing your ICT risk governance, tightening incident detection and reporting, running resilience testing including penetration testing, and getting a real handle on third-party and concentration risk. Continuous monitoring and third-party oversight are central, because DORA treats your providers as part of your resilience.

Frequently asked questions

Does DORA apply to non-EU companies?
It can. Financial entities operating in the EU are covered, and ICT third-party providers that serve EU financial entities, including non-EU providers, can fall in scope, especially if designated critical.
How is DORA different from existing security frameworks?
DORA is binding EU law focused specifically on the financial sector's operational resilience, with explicit rules on incident reporting, testing, and third-party oversight, rather than a voluntary framework.
What is threat-led penetration testing under DORA?
It is advanced, intelligence-driven testing that simulates real attacker behaviour against live systems, required periodically for larger or more significant entities.
How does NMT help with DORA?
NMT supports ICT risk visibility, continuous monitoring and detection, penetration testing, and third-party risk management, which map directly to several DORA pillars.

Build operational resilience

DORA treats your providers as part of your resilience. See your exposure with a free check.

Run a free check
Related
Guide: What is Third-Party Risk Management? Guide: What is VAPT? Cybersecurity for NBFCs & fintechs Guide: What is NIS2?