The Digital Operational Resilience Act (DORA) is a mandatory European Union (EU) regulation that entered into force on January 16,  2023 and will apply as of January 17, 2025. 

The regulation aims at strengthening the IT security of financial entities such as banks, insurance companies and investment firms. The goal is to help ensure that the financial sector in Europe can stay resilient in the event of a severe operational digital disruption. 

DORA requirements bring harmonization of the rules relating to operational resilience for the financial sector applying to 20 different types of financial entities and ICT third-party service providers. 

The financial sector is increasingly dependent on technology and on tech companies to deliver financial services. This makes financial entities vulnerable to cyber-attacks or cybersecurity incidents. 

When not managed properly, ICT risks can lead to disruptions of financial services offered across borders. They can have an impact on other companies, sectors, and even on the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector. 

DORA primarily applies to digital services providers, including online platforms, cloud computing services, and search engines, operating within the EU. Specific institutions include but are not limited to: 

• Credit or payment institutions​ 
• Account information service providers 
• Investment firms.​ 
• Crypto-asset service providers.​ 
• Data reporting service providers​ 
• ICT third-party service providers

DORA aims to ensure the resilience of digital services and the protection of users’ interests by covering various topics, including: 

• ICT risk management: Principles and requirements on ICT risk management framework 
• ICT third-party risk management: Monitoring third-party risk providers, and key contractual provisions 
• Digital operational resilience testing: Basic and advanced testing 
• ICT-related incidents General requirements and reporting of major ICT-related incidents to competent authorities 
• Information sharing: Exchange of information and intelligence on cyber threats 
• Oversight of critical third-party providers: Oversight framework for critical ICT third-party providers