EU - DORA
Name: Digital Operational Resilience Act (DORA)
Type: Statutory (Law)
Authoritative Source: EU Regulation 2022/2554
Certification Available: No. There is no official certification for DORA. However, the Secure Controls Framework Conformity Assessment Program (SCF CAP) can provide a path to demonstrate conformity with DORA through a third-party conformity assessment.
Too Long / Didn’t Read (TL/DR): The Digital Operational Resilience Act (DORA) is a significant leap in EU regulation that embeds operational resilience as a compliance expectation, not an optional security benefit. For financial entities and Information and Communication Technology (ICT) providers, it sets a high bar that is enforceable, with costly non-compliance ramifications. Organizations are expected to align their ICT risk management, incident reporting, resilience testing and third-party oversight practices to DORA.
GRC-Focused Overview of DORA
The EU Digital Operational Resilience Act (DORA) is a regulation adopted by the European Union that sets out comprehensive rules for ensuring that financial institutions can withstand, respond to, and recover from information and communication technology (ICT) disruptions and cyberattacks. It officially became law as Regulation (EU) 2022/2554, entered into force in January 2023, and will be fully enforceable on January 17, 2025.
DORA creates a unified cybersecurity and operational resilience framework across the EU financial sector. Its goal is to reduce fragmentation in how financial organizations manage ICT risks and to increase the overall digital resilience of the European financial system.
DORA’s broad scope covers tens of thousands of financial entities and their ICT vendors operating in or serving the EU. It applies to nearly all entities regulated under EU financial services law, including:
- Banks, credit institutions, and investment firms;
- Insurance and reinsurance companies;
- Payment and e-money institutions;
- Crypto-asset service providers;
- Financial market infrastructure (e.g., stock exchanges); and
- ICT third-party providers deemed "critical" to financial institutions.
This page provides a cybersecurity-focused summary of DORA from a GRC practitioner's perspective, including:
- The history of the law;
- The consequences of non-compliance;
- Practical compliance strategies;
- High-profile enforcement actions; and
- The role of high-quality documentation in audit readiness and breach resilience.
DORA - Origins and Purpose
Before DORA, EU financial regulation around digital and ICT risk was fragmented: banks, insurers, payment services and asset managers operated under different national or sectoral rules. The growing reliance on technology, cross-border services and cyber threats in the financial sector highlighted a clear need for an EU-wide harmonized framework for digital resilience.
From Proposal to Regulation
- September 2020: The European Commission launched the initiative for DORA as part of its Digital Finance Package, aiming to modernize digital oversight in finance;
- November 2022: The Parliament and Council gave their approval; Regulation (EU) 2022/2554 was signed and published, entering into force in January 2023; and
- A two-year transition followed, with full application required from 17 January 2025.
Purpose and Scope
At its core, DORA is designed to ensure that financial entities and their ICT service providers:
- Withstand, respond to and recover from ICT-related disruptions;
- Harmonize ICT risk governance across Europe; and
- Strengthen digital resilience for systemic stability.
DORA’s scope includes approximately 20 categories of financial entities and ICT third-party providers.
Core Pillars of DORA Compliance
DORA organizes obligations into several thematic blocks of requirements:
- ICT Risk Management. Entities must implement a comprehensive ICT risk management framework that covers governance, policies, mapping of ICT assets, threat monitoring and controls integration with business continuity;
- ICT Incident Reporting. Organizations must deploy detection, classification and timely reporting processes for ICT incidents. This includes categorization and workflows for notification to competent authorities;
- Digital Operational Resilience Testing. Entities are required to carry out regular ICT resilience testing, including threat-led penetration tests and scenario-based continuity exercises;
- ICT Third‑Party Risk Management. DORA mandates robust oversight for outsourced ICT, including pre-contract due diligence, ongoing monitoring, contractual safeguards and escalation protocols, especially for critical third-party providers;
- Information Sharing. While voluntary, DORA encourages threat intelligence and incident data sharing among peers and authorities to enhance collective resilience; and
- Oversight and Implementation Technical Standards. The European Supervisory Authorities (ESAs) have developed Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), which are now in force or pending, covering aspects from reporting templates to penetration testing protocols.
Industries and Entities Affected
The regulation is sector-specific, applying to a broad range of EU financial entities, including:
- Banks, credit institutions and investment firms;
- Insurance and reinsurance companies;
- Payment and e-money institutions;
- Virtual asset service providers; and
- Financial market infrastructure and intermediaries.
While DORA itself does not apply to industries outside finance, its model is influencing regulatory design in adjacent domains. DORA also extends to ICT service providers that serve these financial entities, particularly those deemed “critical.”
Common Methods to Achieve and Maintain DORA Compliance
Achieving compliance under DORA requires a cross-functional and risk-based approach:
- Governance and Organizational Buy-In.
  - Form a cross-disciplinary resilience team spanning IT, risk, compliance and business; and
  - Establish executive oversight, board-level alignment and defined risk tolerances.
- ICT Asset and Risk Inventory. Catalog critical systems and classify ICT assets for operational importance and third-party dependencies;
- Incident Detection, Classification and Reporting. Use standardized criteria for incident severity and reporting thresholds, supported by the ESAs’ RTS/ITS;
- Resilience Testing Regimen. Implement a maturity-aligned testing program: regular vulnerability scans, threat-led testing and tabletop simulations;
- Third‑Party Risk Controls. Index and assess suppliers; embed resilience clauses in contracts; conduct ongoing audits, especially for critical ICT providers;
- Intelligence Sharing. Participate in secure forums for sharing cyber threat data and operational lessons; and
- Documentation and Evidence Gathering. Quality documentation is absolutely pivotal. Compliance is judged not on assertions, but on demonstrable evidence:
  - ICT Risk Management Plans. Policies, risk registers, asset inventories;
  - Incident Response Logs. Records of incident detection, classification and actions taken;
  - Testing Records. Schedules, reports, remediation logs for resilience tests;
  - Third-Party Assessments. Vendor evaluations, contractual terms, audit findings;
  - Governance Records. Board minutes, role assignments, communications; and
  - Mapping Documentation. Alignment of DORA requirements with existing frameworks (e.g., NIS2, ISO 22301, GDPR).
Strong documentation enables transparent compliance during audits and enables timely detection and correction of gaps.
Public Examples of DORA Enforcement Actions
Though enforcement under DORA has not yet materialized, the penalty framework is severe and regulators across EU member states have already signaled readiness to act aggressively. DORA empowers the European Supervisory Authorities (ESAs) and national regulators to impose significant penalties:
- Financial Entities. Fines up to 2% of annual worldwide turnover or €10 million, whichever is higher;
- Senior Individuals. Penalties up to €1 million;
- Critical ICT Providers. Fines up to €5 million or 1% of average daily turnover, and up to €500,000 for individuals; and
- Daily Fines. Authorities may issue daily fines for up to six months until compliance is restored.
Supervisory Actions and License Sanctions
Regulators can issue administrative warnings, require remediation, or even suspend operational licenses in cases of repeated or severe non-compliance.
Reputational and Legal Risk
Failure to report ICT incidents in line with DORA timelines or inadequate resilience testing can trigger reputational harm and compensatory liabilities to clients or third parties.
Understanding The Value of Quality Cybersecurity Documentation in DORA Success
At the intersection of cyber resilience and regulation, documentation is the keystone of both preparedness and regulatory trust.
- Audit Evidence. Demonstrates that risk management, incident handling, testing and third-party controls are not theoretical but operational;
- Root Cause Analysis. Incident post-mortems trace failures and build institutional learning;
- Assurance to Supervisors. Clear, versioned policies show leaders and authorities that governance is intentional and reviewed; and
- Maturity Roadmap. Documentation supports benchmarking improvements over time.
Boilerplate policies or ad-hoc procedures increase risk. DORA demands living documentation backed by defined role assignments and demonstrable outcomes, not checkbox artifacts.