Applies across EU financial entities and critical ICT providers.
Digital Operational Resilience Act (DORA)
Understand the EU’s digital resilience rulebook.
Learn what the Digital Operational Resilience Act (DORA) requires, who it applies to, and how to prepare ICT risk management, incident reporting, and third-party oversight in simple terms.
What is the Digital Operational Resilience Act?
DORA is the EU regulation that harmonises ICT risk management, incident reporting, and third-party oversight for financial entities, effective from January 2025. It gives firms a single blueprint for digital operational resilience across the EU.
Rules apply from 17 January 2025.
Centres on digital resilience, testing, and supplier risk.
Why DORA reshapes digital resilience
Creates a single rulebook. Harmonises expectations across EU countries so multi-national firms have one operational resilience definition to follow.
Raises the bar. Requires regular testing, incident reporting, and third-party oversight, pushing teams to mature quickly.
Impacts vendors. Critical ICT providers face direct supervision, so procurement must collaborate closely with risk and compliance.
Key DORA requirements
- ICT risk management. Implement frameworks covering governance, detection, response, and recovery.
- Testing & reporting. Run advanced testing programmes and report major ICT incidents quickly.
- Third-party oversight. Track critical ICT contracts, concentration risk, and exit strategies.
How to prepare for DORA
- Gap assessment. Compare current ICT resilience controls to DORA articles and record remediation priorities.
- Update contracts. Ensure vendor contracts include DORA-required clauses, including reporting and exit rights.
- Enhance testing. Plan threat-led penetration testing (TLPT) for critical services and integrate results into resilience programmes.
- Train teams. Educate risk, ICT, procurement, and leadership on the new obligations using simple language.
DORA quick wins
- Create a DORA register. Document impacted entities, systems, and third parties.
- Coordinate with legal. Align compliance, legal, and procurement on contract updates.
- Engage vendors. Discuss readiness with critical ICT providers early.
DORA glossary snapshot
DORA. Digital Operational Resilience Act, EU regulation on ICT resilience.
TLPT. Threat-Led Penetration Testing required for certain entities.
Critical ICT provider. Third parties deemed essential to the EU financial system and subject to oversight.
DORA FAQs
Who must comply with DORA?
EU financial entities (banks, insurers, payment firms, investment firms) and critical ICT providers supporting them.
What is the timeline?
DORA applies from 17 January 2025; preparation should start now so requirements are met by that date.
How does DORA relate to existing rules?
It complements regulations like PSD2, MiFID, and EBA guidelines by providing a unified digital resilience framework.
What are the penalties?
Supervisors can impose fines, remediation orders, or restrictions for non-compliance.
Drova RunReady tracks ICT risks, vendor oversight, and remediation tasks for DORA readiness.