DORA - Digital Operational Resilience Act
The EU regulation imposing ICT risk management, incident reporting, resilience testing and third-party oversight requirements on financial entities - applicable since 17 January 2025.
What DORA does
DORA (Regulation (EU) 2022/2554) sets a single, harmonised framework for the digital operational resilience of EU financial entities. It applies broadly - to banks, investment firms, payment institutions, e-money institutions, crypto-asset service providers (CASPs) under MiCA, insurers and reinsurers, fund managers, central counterparties - and to their critical ICT third-party providers.
Five pillars
- ICT risk management - governance, identification, protection and detection.
- ICT incident reporting - major incidents within tight deadlines.
- Digital operational resilience testing - including threat-led penetration testing (TLPT) for significant entities.
- Third-party risk management - contractual standards, register of arrangements, oversight of critical third-party providers (CTPPs).
- Information sharing - voluntary frameworks for threat-intel exchange.
Critical Third-Party Provider regime
One of DORA's structural innovations is direct EU supervision of ICT providers designated as "critical" - likely to include major cloud providers. ESMA, EBA and EIOPA jointly act as lead overseers, with the ability to issue recommendations and ultimately to require contract termination.