Start Here: Why Did DORA Exist at All?
Before DORA, financial institutions across the EU managed operational risk primarily by setting aside capital. The logic was: if something goes wrong, we have money to absorb the loss.
That logic worked for many types of risk. It does not work for a cyberattack that takes your systems offline, or a technology failure that stops your customers from accessing their accounts. You cannot write a cheque to fix a collapsed IT infrastructure mid-incident.
Regulators across Europe had been handling this as a patchwork: each country had its own rules, its own standards, its own expectations. A bank operating in Germany, Ireland, and the Netherlands was navigating three different sets of requirements for the same problem. That created inconsistency, confusion, and, more importantly, gaps.
DORA closes those gaps. It replaces a fragmented, capital-focused approach with a single, consistent standard for digital resilience across the entire EU financial sector.
So What Is DORA?
DORA stands for the Digital Operational Resilience Act. It is Regulation (EU) 2022/2554, adopted by the European Parliament and Council in December 2022. It entered into force in January 2023 and has applied to in-scope entities since 17 January 2025.
DORA is the EU's rulebook for making sure financial institutions can handle technology failures and cyberattacks — and keep functioning through them.
It applies to banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, and more. In total it covers around 22,000 regulated financial entities across the EU. It also extends — and this is important — to the technology companies that provide critical services to those financial entities.
The Five Things DORA Requires
DORA organises its requirements into five areas. Think of them as five questions every financial institution must now be able to answer with evidence, not just policy documents.
ICT risk management. Every financial institution must have a formal framework for identifying, assessing, and managing technology-related risks. This is not a one-time exercise; it requires continuous monitoring and documented strategies for both known and emerging threats. Crucially, DORA places this responsibility directly on the management body. Senior leadership cannot delegate accountability for ICT risk downward and walk away from it.
Incident reporting. When a major ICT-related incident occurs, DORA requires it to be reported to the competent authority in a structured, timely way. That means clear internal processes for classifying incidents against DORA's criteria, a staged reporting sequence (initial notification, intermediate report, final report) with defined deadlines for each stage, and standardised reporting templates. Before DORA, incident reporting varied widely across institutions and jurisdictions. Now it does not.
Resilience testing. Saying your systems are resilient is not enough. DORA requires regular testing to prove it. This ranges from basic vulnerability assessments to, for the most significant institutions, threat-led penetration testing (TLPT) at least every three years: controlled attacks against live production systems, carried out by independent testers, to see whether defences actually hold.
Third-party risk. Financial institutions depend heavily on third-party technology providers: cloud platforms, data services, payment processors. DORA requires those relationships to be formally assessed, contractually governed, continuously monitored, and recorded in a register of information covering all ICT third-party arrangements. Contracts supporting critical or important functions must include incident notification obligations, audit and access rights, business continuity requirements, and clear exit arrangements. A standard commercial contract is no longer sufficient.
Information sharing. DORA encourages financial institutions to share information with each other about cyber threats and vulnerabilities. If one institution detects a new attack method, the whole sector is stronger if that intelligence is shared rather than siloed. Structured frameworks exist to enable this exchange while maintaining confidentiality.
The Part Most People Miss — Oversight of Technology Providers
One of DORA's most significant innovations is that it does not stop at the financial institution. It reaches into the technology supply chain.
Regulators — specifically the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), collectively the ESAs — have the authority to designate certain technology providers as Critical Third-Party Providers, or CTPPs.
In November 2025, the ESAs published their first list of designated CTPPs. Once designated, a provider is subject to direct EU-level oversight by a Lead Overseer (one of the three ESAs), which can request information, conduct inspections, and issue recommendations. A cloud provider or data platform serving EU financial institutions is no longer just a commercial vendor; it becomes a regulated participant in the financial system's resilience framework.
Who Does It Apply To?
DORA applies to financial entities operating within the European Union. If you are a non-EU company providing technology services to EU financial institutions, DORA still affects you — through the contract obligations your clients must now impose on you.
The subsidiary requirement is narrower than it is often described. A technology provider established outside the EU is not required to set up an EU entity simply because it serves EU financial entities. Only a provider that has been designated as a CTPP and is established in a third country must establish a subsidiary in the Union, within 12 months of designation, so that the Lead Overseer has a regulatory counterpart inside the EU.
What Happens If You Do Not Comply?
- For financial entities, DORA itself does not set an EU-wide fine cap. It requires each Member State to lay down administrative penalties and remedial measures in national law and gives national competent authorities the powers to impose them, so the maximum fine depends on the jurisdiction. Figures such as "2% of worldwide turnover" come from other EU legislation, not from DORA.
- Designated critical technology providers can face periodic penalty payments of up to 1% of their average daily worldwide turnover in the preceding business year, applied for each day of non-compliance with a Lead Overseer decision, for up to six months.
- Beyond financial penalties, regulators can require remediation plans, restrict activities, or publicly name non-compliant institutions.
The Simple Version
DORA exists because the financial system runs on technology, and technology fails. Cyberattacks happen. Vendors go down. Systems break. The question DORA asks is not whether your institution has money to absorb losses — it is whether your institution can keep running, recover quickly, and not take the rest of the financial system down with it.
That is digital operational resilience. And as of January 2025, it is a legal requirement.