What is DORA?
The EU's Digital Operational Resilience Act sets binding cyber and resilience rules for financial entities and their ICT providers.
The Digital Operational Resilience Act (DORA) is an EU regulation that creates a single, binding framework for the digital operational resilience of the financial sector. It applies across financial entities and, importantly, to the critical ICT third-party providers that serve them.
DORA is in force and enforced by the European Supervisory Authorities. If you are a financial entity operating in the EU, or a technology provider to one, it likely applies. This guide covers its structure.
- DORA is an EU regulation for the operational resilience of financial entities and their ICT providers.
- It is built around five pillars, from ICT risk management to third-party oversight.
- It includes advanced resilience testing, including threat-led penetration testing for larger entities.
- ICT providers to EU financial firms are directly in scope, alongside the banks themselves.
Who it applies to
DORA covers a broad set of EU financial entities, including banks, investment firms, insurers, payment institutions, and crypto-asset service providers, and it extends to the critical ICT third-party providers, such as cloud and software vendors, that support them. That reach into the supply chain is one of its most significant features.
The five pillars
DORA organises its requirements into five areas:
- ICT risk management: a governance framework to identify, protect, detect, respond, and recover.
- ICT incident management and reporting: classify and report major incidents on set timelines.
- Digital operational resilience testing: regular testing, including threat-led penetration testing for larger entities.
- ICT third-party risk management: oversight and contractual controls for critical providers.
- Information and intelligence sharing on cyber threats.
How to prepare
Preparation means maturing your ICT risk governance, tightening incident detection and reporting, running resilience testing including penetration testing, and getting a real handle on third-party and concentration risk. Continuous monitoring and third-party oversight are central, because DORA treats your providers as part of your resilience.
Frequently asked questions
Build operational resilience
DORA treats your providers as part of your resilience. See your exposure with a free check.
Run a free check