What is DORA?
The Digital Operational Resilience Act (DORA) is a key European Union regulation, formally Regulation (EU) 2022/2554, designed to strengthen the digital resilience of the financial sector. It is accompanied by Directive (EU) 2022/2556, the amending directive that aligns existing sectoral European directives with the DORA framework.
DORA addresses the financial sector's growing dependence on information and communication technology (ICT) tools and systems for service delivery. As financial entities rely more on ICT service providers, their exposure to ICT (third-party) risk grows, because these providers may not be directly supervised or subject to the same regulatory frameworks.
Mismanagement of ICT risk can disrupt service delivery, affecting not only financial entities but also other sectors and the broader economy, so ensuring digital operational resilience in the financial sector is crucial. The DORA oversight framework assigns the role of Lead Overseer to the three European Supervisory Authorities (ESAs), ensuring adequate monitoring of Critical Third-Party Providers (CTPPs) on a pan-European scale.
Who are the companies affected by DORA?
DORA applies to financial sector entities within the EU, including:
- Credit institutions
- Investment firms
- Payment institutions
- Account information service providers
- Electronic money institutions
- Insurance and reinsurance companies
- Crypto-asset service providers
- Trading venues
- Institutions for occupational retirement provision
- ICT third-party service providers
What is the reporting implementation deadline?
The DORA reporting implementation deadline is 17 January 2025. From this date, financial entities must comply with DORA’s reporting requirements.
Key Reporting Deadlines:
- 17 January 2025 – Financial entities must start reporting major ICT-related incidents and significant cyber threats to their home authority (Chapter III of Regulation (EU) 2022/2554).
- 31 March 2025 – DORA Registers of Information (RoI) on ICT third-party service providers must be updated.
- 4 April 2025 – First submission deadline for the DORA Registers of Information (RoI); the exact date varies by national authority.
- 30 April 2025 – Competent national authorities must submit the collected DORA Registers of Information (RoI) to the European Supervisory Authorities (ESAs).
Financial entities should ensure they are fully prepared to meet these obligations, as no further transitional periods apply.
What requirements are covered by DORA?
DORA covers various requirements aimed at enhancing digital operational resilience within the EU financial sector, including oversight, monitoring, and risk management obligations for financial entities and CTPPs. These requirements encompass:
- ICT Risk Management (Chapter II, Articles 5-16): Establishes requirements for ICT governance, risk assessment, and incident prevention.
- ICT-Related Incident Management, Classification, and Reporting (Chapter III, Articles 17-23): Standardizes how financial institutions detect, classify, and report incidents.
- Digital Operational Resilience Testing (Chapter IV, Articles 24-27): Mandates regular testing, including Threat-Led Penetration Testing (TLPT).
- Management of ICT Third-Party Risk (Chapter V, Section I, Articles 28-30): Defines requirements for risk management related to ICT service providers.
- Oversight of Critical ICT Third-Party Service Providers (CTPPs) (Chapter V, Section II, Articles 31-44): Establishes an EU-wide supervisory framework.
- Information Sharing Arrangements (Chapter VI, Article 44): Encourages knowledge-sharing on cyber threats among financial entities.
- DORA Register of Information (RoI): Ensures structured documentation and tracking of ICT incidents, resilience measures, and compliance steps for financial entities.
Reporting templates
Reporting templates are integral components of DORA compliance, facilitating the submission of necessary information to regulatory authorities. These templates streamline reporting processes and ensure consistency in data submission across entities subject to DORA.
- Reporting of Major ICT-Related Incidents and Cyber Threats – Entities fulfil their DORA ICT incident reporting obligations by submitting structured reports to the regulatory authorities.
- Submission of Registers of Information (RoI) on ICT Third-Party Providers – Financial institutions must maintain an up-to-date DORA Register of Information (RoI) to comply with DORA reporting requirements.
DORA’s relationship with NIS2 and other regulations
DORA complements other EU cybersecurity regulations, particularly the NIS2 Directive. As a lex specialis, DORA takes precedence over NIS2 for financial entities, so its sector-specific cybersecurity risk management and incident reporting requirements apply to them.