
DORA, explained

7 min read · Updated June 2026

DORA, the EU Digital Operational Resilience Act, sets harmonised rules for the digital resilience of EU financial entities and their critical ICT providers. It has applied since January 2025 and is built on five pillars: ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing.

What DORA is

DORA (Regulation (EU) 2022/2554) is an EU regulation, enforced by competent authorities, not a voluntary standard or a certification. It exists because the financial sector depends heavily on technology and third-party providers, and the EU wanted a single, consistent resilience regime across member states.

Who it applies to

DORA applies to a broad range of EU financial entities, such as banks, insurers, investment firms, and payment institutions, and to the critical ICT third-party providers that serve them. If you sell ICT or SaaS into EU finance, your customers will expect you to support their DORA obligations, which flows the requirements down to you.

The five pillars

  • ICT risk management: a governed framework owned by the management body, with protection, detection, response, and recovery.
  • ICT incident management and reporting: classify incidents and report major ones to the authority within set timelines.
  • Digital operational resilience testing: a risk-based testing programme, including threat-led penetration testing for significant entities.
  • ICT third-party risk: a register of ICT arrangements, contractual requirements, and oversight of critical providers.
  • Information sharing: optional participation in trusted arrangements to share cyber threat intelligence.

The third-party register

One of the most concrete DORA obligations is maintaining a register of information about your ICT third-party arrangements, including which support critical functions, and ensuring contracts contain the required resilience, audit, and exit terms. This is often where financial entities and their vendors put the most work.

How it relates to security frameworks

Much of DORA overlaps an information-security programme: risk management, incident handling, testing, and third-party risk all have direct analogues in ISO 27001 and SOC 2. So if you already run one of those, a large part of the control work carries across, and DORA mainly adds the financial-sector specifics and the reporting obligations.

Frequently asked questions

Who has to comply with DORA?

EU financial entities, such as banks, insurers, investment firms, and payment institutions, and the critical ICT third-party providers that serve them. Vendors selling ICT services into EU finance are pulled in through their customers' contracts and oversight obligations.

Is DORA a certification?

No. DORA is an EU regulation enforced by competent authorities, not a certificate. The expectation is a governed, evidenced resilience programme, including incident reporting and a register of ICT third-party arrangements.

How does DORA relate to ISO 27001?

They overlap substantially on risk management, incident handling, testing, and third-party risk, so ISO 27001 work carries across. DORA adds financial-sector specifics, mandatory incident reporting timelines, and detailed ICT third-party requirements that ISO 27001 does not impose.

Do this in a fraction of the time

Diligio centralises your approved answers, drafts each response grounded in your sources, and independently verifies it before you review. RFPs, DDQs, and security questionnaires, answered from one knowledge base.
