DORA - Digital Operational Resilience Act
DORA is an EU regulation that has applied since January 2025 and imposes mandatory requirements on financial firms regarding digital operational resilience, ICT risk management, and incident reporting.
The Digital Operational Resilience Act (DORA), officially Regulation (EU) 2022/2554, has been directly applicable in all EU member states since January 17, 2025—without the need for national implementation, as it is a regulation (not a directive). DORA requires financial firms to demonstrate and maintain their digital operational resilience against ICT-related disruptions, cyberattacks, and system failures.
Who is affected?
DORA applies to a broad range of financial firms and—for the first time in this form—also directly to their critical ICT service providers:
Directly regulated financial firms:
- Credit institutions and investment firms
- Payment institutions and e-money institutions
- Insurance companies and reinsurers
- Occupational pension institutions (IORPs; German: EBAV)
- Asset management companies (Kapitalverwaltungsgesellschaften)
- Crypto-asset service providers (under MiCA)
- Crowdfunding platforms
- Central counterparties (CCPs) and central securities depositories
Critical third-party ICT service providers (CTPs): Cloud providers, data centers, data analytics services, and software providers classified as systemically important to the financial sector are subject to direct supervision by European financial supervisory authorities (ESAs: EBA, ESMA, EIOPA).
Proportionality: Simplified requirements apply to small businesses (micro-enterprises with fewer than 10 employees and annual revenue below €2 million).
The Five Pillars of DORA
1. ICT Risk Management (Art. 5–16)
Financial firms must establish a comprehensive ICT risk management framework that:
- Systematically identifies, classifies, and assesses all ICT risks
- Maintains an up-to-date ICT asset inventory including all hardware, software, and data assignments
- Implements protective measures: access control, patch management, data backup, encryption
- Defines and regularly tests business continuity and emergency plans for ICT systems
- Maintains an ICT risk appetite statement approved by the board of directors
Special Feature: DORA requires that the management body (board of directors, executive management) be personally responsible for ICT risk management and demonstrate the necessary expertise—similar to NIS2.
2. Reporting of ICT-related incidents (Art. 17–23)
DORA establishes a harmonized EU-wide reporting procedure for serious ICT incidents:
| Stage | Deadline | Content |
|---|---|---|
| Initial report | 4 hours after classification as serious | Initial information, time, initial measures |
| Interim report | No later than 72 hours after initial report | Updated status, impact, containment measures |
| Final report | 1 month after initial report | Root cause, measures taken, lessons learned |
Reports are submitted to the competent national supervisory authority (BaFin for Germany).
Classification criteria for serious incidents (EBA RTS):
- Number of affected customers
- Downtime of critical services
- Geographic scope
- Data loss
- Reputational damage
3. Testing digital operational resilience (Art. 24–27)
DORA mandates regular testing of digital operational resilience:
Basic Tests (all financial firms, at least annually):
- Vulnerability assessments
- Open-source analyses
- Network security assessments
- Scenario-based tests
Threat-Led Penetration Tests (TLPT) (significant institutions, every 3 years): TLPT is the European standard for red team testing in the financial sector, based on the TIBER-EU framework (Threat Intelligence Based Ethical Red Teaming). Conducted by accredited external service providers using genuine threat intelligence as a foundation. In Germany, TIBER-DE was introduced in 2019 and is now formally enshrined in DORA.
4. Management of Third-Party ICT Risks (Art. 28–44)
This is one of the most significant aspects of DORA, as it establishes direct regulatory requirements for cloud and software providers for the first time:
Requirements for financial firms:
- Complete register of all third-party ICT service providers with criticality ratings
- Minimum requirements for contractual clauses (audit and inspection rights, SLAs, exit strategies)
- Concentration risk analysis (dependence on individual providers)
- Exit plans in the event of service provider failure
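The register, contractual-clause and concentration-risk requirements above can be checked mechanically once the register exists. The following is an added example, not AWARE7's code or an official DORA tool: it models a minimal third-party ICT register and flags missing minimum clauses, critical services without an exit plan, and providers carrying a large share of critical functions. The provider names, service data and the 50 % concentration threshold are constructed for illustration; DORA itself sets no numeric threshold.

```python
"""Added example: third-party ICT register checks in the spirit of DORA Art. 28-30.
All providers, services and the concentration threshold are hypothetical."""
from collections import Counter
from dataclasses import dataclass, field

# Minimum contractual clauses the page lists (audit/inspection rights, SLAs, exit strategy)
REQUIRED_CLAUSES = {"audit_rights", "sla", "exit_strategy"}
# Hypothetical threshold: flag a provider that carries >= 50% of critical functions
CONCENTRATION_THRESHOLD = 0.5


@dataclass
class Provider:
    name: str
    # (service name, criticality rating) pairs; rating is "critical", "important" or "standard"
    services: list
    clauses: set = field(default_factory=set)
    exit_plan: bool = False  # documented exit plan for a provider failure


# Constructed sample register (not real providers or contracts)
SAMPLE_REGISTER = [
    Provider("CloudCo", [("core banking hosting", "critical"), ("data lake", "critical")],
             {"audit_rights", "sla", "exit_strategy"}, exit_plan=True),
    Provider("PayGateway", [("payment processing", "critical")],
             {"audit_rights", "sla"}, exit_plan=False),
    Provider("OfficeSuite", [("e-mail", "standard")], {"sla"}, exit_plan=False),
]


def missing_clauses(provider):
    """Return the required contractual clauses absent from this provider's contract."""
    return sorted(REQUIRED_CLAUSES - provider.clauses)


def concentration(register):
    """Share of all critical functions each provider supplies (0.0-1.0)."""
    critical_owners = [p.name for p in register for _, rating in p.services if rating == "critical"]
    total = len(critical_owners)
    if total == 0:
        return {}
    return {name: n / total for name, n in Counter(critical_owners).items()}


def findings(register):
    """List (provider, finding) pairs a DORA gap analysis would raise for this register."""
    shares = concentration(register)
    out = []
    for p in register:
        critical = [s for s, rating in p.services if rating == "critical"]
        gaps = missing_clauses(p)
        if gaps:
            out.append((p.name, "missing contractual clauses: " + ", ".join(gaps)))
        if critical and not p.exit_plan:
            out.append((p.name, "critical service without exit plan: " + ", ".join(critical)))
        if shares.get(p.name, 0.0) >= CONCENTRATION_THRESHOLD:
            out.append((p.name, f"concentration risk: {shares[p.name]:.0%} of critical functions"))
    return out


if __name__ == "__main__":
    for provider, finding in findings(SAMPLE_REGISTER):
        print(f"{provider}: {finding}")
```

Running the block prints four findings for the constructed register: a concentration flag for CloudCo, a missing exit clause and a missing exit plan for PayGateway, and two missing clauses for OfficeSuite. In a real programme the register rows would come from contract management, and the criticality ratings would follow the firm's own classification of critical or important functions.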
Direct regulation of critical third-party ICT service providers (CTPs): The ESAs may designate major providers such as AWS, Microsoft Azure, or Google Cloud as CTPs. CTPs are then subject to direct supervision, including audit rights, and may be subject to fines of up to 1% of global annual turnover (per day).
5. Information Exchange (Art. 45)
DORA encourages financial firms to voluntarily exchange cyber threat intelligence within trusted communities—with appropriate data protection measures in place.
DORA vs. NIS2
| Aspect | DORA | NIS2 |
|---|---|---|
| Legal Form | EU Regulation (directly applicable) | EU Directive (national implementation) |
| Scope | Financial sector-specific | All critical sectors |
| Third-Party ICT Providers | Directly regulated | Indirectly (supply chain) |
| Penetration Tests | TLPT mandatory (significant institutions) | No specific requirement |
| Supervision | Sector-specific (BaFin, ECB, etc.) | National (BSI, etc.) |
For financial firms: DORA is the sector-specific lex specialis, NIS2 is the general regulation. Where both apply, DORA takes precedence—but most DORA requirements are also met by NIS2.
Practical Implementation Steps
- Scoping Assessment: Am I directly affected as a financial firm? Am I a potential CTP as an ICT service provider?
- Gap Analysis: Where does existing ICT risk management deviate from DORA requirements?
- Build an ICT Asset Inventory: Complete recording of all systems, dependencies, and interfaces
- Create a third-party register: All ICT service providers with criticality ratings
- Adapt contracts: Audit rights, SLAs, and exit clauses in accordance with DORA minimum requirements
- Establish reporting processes: 4-hour initial reporting requires prepared escalation paths
- Prepare TLPT (significant institutions): Identify TIBER-EU-accredited service providers
About the Author
Dipl.-Math. (WWU Münster) and doctoral candidate at the Promotionskolleg NRW (Hochschule Rhein-Waal) with a research focus on phishing awareness, behavioral security and nudging in IT security. Responsible for building and maintaining ISMS, leads internal audits according to ISO/IEC 27001:2022 and advises as an external information security officer (ISB) in KRITIS sectors. Lecturer for Communication Security at Hochschule Rhein-Waal and NIS2 training lead at isits AG.
3 publications
- Different Seas, Different Phishes — Large-Scale Analysis of Phishing Simulations Across Different Industries (2025)
- Self-promotion with a Chance of Warnings: Exploring Cybersecurity Communication Among Government Institutions on LinkedIn (2024)
- Exploring the Effects of Cybersecurity Awareness and Decision-Making Under Risk (2024)