Summary
DORA (the Digital Operational Resilience Act) is an EU regulation that entered into force in January 2025. It requires financial institutions and their critical ICT third-party service providers to meet unified standards for digital operational resilience.
What is DORA?
DORA is an EU financial sector regulation, not to be confused with the DevOps DORA Metrics framework used to measure software delivery performance. This regulation specifically targets banks, insurance companies, investment firms, payment providers, and their ICT suppliers operating in the European Union.
The regulation establishes requirements across five pillars: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. Organizations must demonstrate that their critical systems can withstand, respond to, and recover from ICT-related disruptions.
A key element is the designation of Critical ICT Third-Party Providers (CTPPs), which the European Supervisory Authorities can directly oversee. This means cloud providers, data centers, and software vendors serving financial institutions may face direct regulatory scrutiny.
Why is DORA relevant?
- Financial sector focus: Applies specifically to banks, insurers, and fintech companies operating in the EU
- Third-party accountability: Extends requirements to ICT suppliers and cloud service providers
- Mandatory testing: Organizations must conduct threat-led penetration testing (TLPT) on critical systems
- Incident reporting: ICT-related incidents must be reported to regulators within defined timeframes
- Enforcement: Non-compliance can result in significant fines and supervisory measures