Regulation
DORA — Digital Operational Resilience Act
The EU's comprehensive framework for ICT risk management in financial services. Applicable since 17 January 2025; compliance is no longer optional.
What is DORA?
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) entered into force on 16 January 2023 and has applied since 17 January 2025. It creates a unified EU framework for managing ICT risk in financial services, replacing the patchwork of national approaches and sectoral guidelines that preceded it.
DORA applies directly to a broad range of financial entities and establishes binding requirements across five pillars: ICT risk management, incident reporting, digital operational resilience testing, third-party risk management and information sharing.
Who is affected?
| Entity type | Applies | Tier |
|---|---|---|
| Credit institutions (banks) | Yes | Significant entities: enhanced requirements |
| Insurance undertakings | Yes | Standard requirements |
| Investment firms | Yes | Proportionate to size/complexity |
| Pension funds (IORPs) | Yes | Schemes with no more than 15 members in total are excluded |
| Payment institutions | Yes | Standard requirements |
| ICT third-party service providers | Yes | Critical providers: enhanced oversight |
Key requirements
1. ICT risk management framework
A comprehensive ICT risk management framework is mandatory. It must cover identification, protection, detection, response and recovery — with clear governance, roles and board-level oversight. Annual review is required.
2. ICT incident reporting
Major ICT-related incidents must be reported to the competent authority (in the Netherlands DNB or the AFM, depending on entity type) within defined timelines: an initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report. A standardised reporting template applies across the EU.
3. Digital operational resilience testing
All in-scope entities must maintain a resilience testing programme and test the ICT systems supporting critical or important functions at least once a year. Financial entities identified by their competent authority (microenterprises are exempt) must additionally conduct Threat-Led Penetration Testing (TLPT) at least every three years, following a methodology aligned with the TIBER-EU framework.
4. Third-party ICT risk management
Entities must manage ICT risk from third-party providers throughout the contract lifecycle, including a register of information on all contractual arrangements. Critical ICT third-party service providers (CTPPs) are subject to EU-level oversight by the ESAs. Contracts with third parties must include specific mandatory provisions.
5. Information sharing
DORA encourages voluntary sharing of cyber threat intelligence between financial entities. Participation in information sharing arrangements is permitted within EU data protection rules.
Key timelines
| Date | Milestone |
|---|---|
| 16 January 2023 | DORA entered into force |
| 17 January 2025 | Date of application; all requirements apply |
| Ongoing | TLPT cycle: every 3 years for significant entities |
| Ongoing | Annual ICT risk management framework review |
How Arcens helps
Horizon scanning: We track the technical standards and guidelines issued by the ESAs (EBA, EIOPA and ESMA) under DORA and surface amendments before they affect you.
NFR management: We build the ICT risk management framework, governance structure and third-party risk processes that DORA requires.
Remediation: If you have received a DORA-related finding from DNB, we manage the root-cause analysis, remediation planning and closure.
Quick facts
Full name: Regulation (EU) 2022/2554
In force: 16 January 2023; applicable from 17 January 2025
Regulator (NL): DNB (banks, insurers, payment institutions) or AFM (investment firms), depending on entity type
Scope: Banks, insurers, investment firms, payment institutions
Penalty: Periodic penalty payments of up to 1% of average daily worldwide turnover, per day for up to six months (for CTPPs); penalties for financial entities are set by member states
Ask our advisor about DORA
Get instant answers on DORA applicability, ICT risk framework requirements, incident reporting timelines or TLPT obligations — tailored to your institution type.