The EU Digital Operational Resilience Act (DORA) is a regulation that came into effect on January 17, 2025, aimed at strengthening the digital resilience of financial entities across the EU. It mandates banks, insurance companies, investment firms, and other financial institutions to implement comprehensive ICT risk management frameworks to withstand, respond to, and recover from ICT-related disruptions such as cyberattacks or system failures. DORA harmonizes operational resilience rules across the EU, covering both financial entities and critical ICT third-party service providers, ensuring consistent cybersecurity standards and reducing regulatory fragmentation. It requires institutions to establish robust incident reporting, risk management, and oversight mechanisms, with enforcement by national authorities and European Supervisory Authorities. The act is part of the EU’s broader digital finance strategy to support innovation while safeguarding financial stability and consumer protection.
Publication's URL
https://eur-lex.europa.eu/eli/reg/2022/2554/oj/engAdditional documents on this topic
- EU Commission Delegated Regulation 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers
- EU Commission Delegated Regulation 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
- EU Commission Delegated Regulation 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
- EU Commission Implementing Regulation 2025/302 of 23 October 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat
- EU Commission Delegated Regulation 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats