What does DORA stand for?

DORA stands for the Digital Operational Resilience Act, formally Regulation (EU) 2022/2554. It is binding EU law on the operational resilience of financial entities and their critical ICT third-party providers. The acronym is sometimes confused with the Colorado Department of Regulatory Agencies (also DORA), which is unrelated to EU financial regulation.

When did DORA come into force?

DORA was adopted on 14 December 2022 and entered into force on 16 January 2023. The two-year preparation period ended on 17 January 2025, when the regulation became applicable under Article 64. Financial entities have been required to comply since 17 January 2025; designated critical ICT third-party providers (CTPPs) become directly subject to the Chapter V oversight framework only after Article 31 designation and notification, which the European Supervisory Authorities began on 18 November 2025.

Yes, for in-scope entities. DORA is a binding EU regulation that applies directly across all 27 member states without national transposition. Financial entities listed in Article 2 must comply with the Chapter II to V obligations and the Chapter VI information-sharing conditions where they participate. Designated critical ICT third-party providers are subject to the Chapter V oversight framework directly following Article 31 designation.

What is DORA compliance?

DORA compliance means meeting the obligations across the five substantive chapters of the regulation: ICT risk management under Chapter II (Articles 5 to 16), ICT-related incident management and reporting under Chapter III (Articles 17 to 23), digital operational resilience testing including threat-led penetration testing under Chapter IV (Articles 24 to 27), management of ICT third-party risk and the oversight framework for designated critical providers under Chapter V (Articles 28 to 44), and information-sharing arrangements under Chapter VI (Article 45).

What are the five pillars of DORA?

DORA does not formally use the term "pillars". The five substantive obligation areas live in Chapters II to VI. Chapter II covers the ICT risk-management framework (Articles 5 to 16). Chapter III covers ICT-related incident management, classification, and reporting (Articles 17 to 23). Chapter IV covers digital operational resilience testing, including threat-led penetration testing under Article 26 for entities identified by competent authorities (Articles 24 to 27). Chapter V covers management of ICT third-party risk and the oversight framework for designated critical ICT providers (Articles 28 to 44). Chapter VI covers voluntary information-sharing arrangements (Article 45).

Who does DORA apply to?

Article 2(1)(a)–(t) lists over 20 categories of financial entities, including credit institutions, payment and e-money institutions, investment firms, crypto-asset service providers and issuers of asset-referenced tokens, central securities depositories, central counterparties, trading venues, trade repositories, alternative investment fund managers, management companies, data reporting service providers, insurance and reinsurance undertakings, insurance and reinsurance intermediaries, IORPs, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, and securitisation repositories. Article 2(3) sets exclusions and Article 2(4) gives Member States options. ICT third-party providers are listed separately at Article 2(1)(u) and are directly subject to DORA only after Article 31 designation as critical.

What are the DORA incident reporting requirements?

Under Article 19 and Commission Delegated Regulation (EU) 2025/301 Article 5, financial entities submit an initial notification within 4 hours after classifying a major ICT-related incident (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month of the latest updated intermediate report. Entities can also report significant cyber threats voluntarily under Article 19(2).

What are the penalties for DORA non-compliance?

For financial entities, Article 50 requires member states to set effective, proportionate, and dissuasive administrative penalties in national law; sanctions are not harmonised into one EU-wide cap. For designated critical ICT third-party providers under the Chapter V oversight framework, Article 35(7) and (8) allow the lead overseer to impose periodic penalty payments of up to 1% of the average daily worldwide turnover in the preceding business year, for a maximum of six months.

How does Modulos help with DORA compliance?

Modulos automates the governance, risk, and compliance workflow across DORA’s five substantive chapters (II to VI): ICT risk-management framework documentation, incident records, resilience-testing evidence, third-party risk registers and contracts, and audit trails for supervisory reviews. Controls map across DORA, NIS2, ISO/IEC 27001, ISO/IEC 42001, the EU AI Act, and SOC 2 simultaneously, which matters for financial entities running multi-framework compliance programs.

For financial entities, risk leaders, and compliance teams

Digital Operational
Resilience Act
(DORA) Compliance

Operationalize the Digital Operational Resilience Act (DORA) across ICT risk management, major incident reporting, resilience testing, and third-party oversight with one accountable workflow.

Book a DORA Demo Explore Platform Capabilities

(EU) 2022/2554

Regulation

20+

Entity Types

Jan 2025

Applicable Since

II–VI

Substantive Chapters

What is the Digital Operational Resilience Act (DORA)?

DORA (Regulation (EU) 2022/2554) is the EU's regulation ensuring that financial entities can withstand, respond to, and recover from ICT-related disruptions. It became fully applicable on 17 January 2025 and covers over 20 categories of financial entities, from banks and insurers to crypto-asset service providers.

DORA also establishes an EU oversight framework for designated critical ICT third-party providers and acts as lex specialis to NIS2 for financial-sector ICT risk and incident reporting obligations.

Timeline and Compliance Milestones

The Digital Operational Resilience Act (DORA) became fully applicable on 17 January 2025 after a two-year preparation period. Technical standards and CTPP designations are now in place, with ongoing oversight and testing obligations. Use this timeline to sequence readiness work against supervisory expectations.

You are here

September 2020

European Commission proposes DORA as part of the Digital Finance Package

December 2022

Regulation published in the Official Journal on 27 December 2022; entered into force on 16 January 2023 under Article 64; 24-month preparation period begins

January 2025

DORA becomes fully applicable under Article 64. Compliance is now mandatory for in-scope financial entities listed in Article 2

November 2025

ESAs designate first 19 Critical Third-Party Providers including AWS, Google Cloud, and Microsoft

2026 onward

Annual Register of Information reporting enters a recurring cycle under ESA implementing standards and national authority timelines

January 2028

Commission review deadline for key DORA provisions, including oversight and reporting framework effectiveness (Article 58)

September 2020

European Commission proposes DORA as part of the Digital Finance Package

December 2022

Regulation published in the Official Journal on 27 December 2022; entered into force on 16 January 2023 under Article 64; 24-month preparation period begins

January 2025

DORA becomes fully applicable under Article 64. Compliance is now mandatory for in-scope financial entities listed in Article 2

November 2025

ESAs designate first 19 Critical Third-Party Providers including AWS, Google Cloud, and Microsoft

2026 onward

Annual Register of Information reporting enters a recurring cycle under ESA implementing standards and national authority timelines

January 2028

Commission review deadline for key DORA provisions, including oversight and reporting framework effectiveness (Article 58)

September 2020

European Commission proposes DORA as part of the Digital Finance Package

You are here

December 2022

Regulation published in the Official Journal on 27 December 2022; entered into force on 16 January 2023 under Article 64; 24-month preparation period begins

January 2025

DORA becomes fully applicable under Article 64. Compliance is now mandatory for in-scope financial entities listed in Article 2

November 2025

ESAs designate first 19 Critical Third-Party Providers including AWS, Google Cloud, and Microsoft

2026 onward

Annual Register of Information reporting enters a recurring cycle under ESA implementing standards and national authority timelines

January 2028

Commission review deadline for key DORA provisions, including oversight and reporting framework effectiveness (Article 58)

Who is Subject to DORA?

Article 2(1)(a) to (t) lists more than 20 categories of financial entities, from banks and insurers to crypto-asset service providers. Article 2(3) sets exclusions and Article 2(4) gives Member States options. DORA also reaches into the technology supply chain through its oversight framework for designated critical ICT third-party providers under Article 31.

Banking & Credit

Credit institutions
Payment institutions
Electronic money institutions
Account information service providers

Investment & Trading

Investment firms
Trading venues
Central securities depositories
Central counterparties

Insurance & Pensions

Insurance and reinsurance undertakings
Insurance intermediaries
Institutions for occupational retirement provision

Crypto & Alternative

Crypto-asset service providers
Crowdfunding service providers
Securitisation repositories

Asset Management

Management companies
Alternative investment fund managers

Market Infrastructure

Trade repositories
Credit rating agencies
Administrators of critical benchmarks
Data reporting service providers

Proportionality Principle (Article 4)

DORA applies proportionally: requirements scale with the size, risk profile, and complexity of the entity.

Simplified Framework

Article 16(1) provides a simplified ICT risk-management framework for specific entity categories: small and non-interconnected investment firms, exempt payment and e-money institutions, credit institutions exempted under Directive 2013/36/EU where Member States exercise the Article 2(4) option, and small institutions for occupational retirement provision.

Full Framework

Other in-scope institutions must implement the full framework, and entities identified by competent authorities must perform advanced resilience testing (TLPT) under Articles 26-27.

DORA Reaches Into Your Tech Supply Chain

DORA's Chapter V brings ICT third-party service providers into scope through oversight of Critical Third-Party Providers (CTPPs). On 18 November 2025, the European Supervisory Authorities designated the first 19 CTPPs, including AWS, Google Cloud, and Microsoft.

Extraterritorial reach (Article 31(12)): Non-EU CTPPs must establish a subsidiary within the European Union within 12 months of designation. This means a US cloud provider serving EU financial institutions cannot simply comply from abroad; they must have an EU legal presence.

Contractual obligations (Article 30): Article 30(2) requires baseline contractual clauses (description of services, locations, monitoring, exit strategies) in all ICT service contracts. Article 30(3) adds enhanced provisions, including audit rights and detailed exit strategies, for services supporting critical or important functions.

The Five Substantive Chapters of the Digital Operational Resilience Act

DORA does not formally use the term “pillars”. The five substantive obligation areas live in Chapters II to VI of Regulation (EU) 2022/2554.

Chapter II

ICT Risk Management

Articles 5-16

-Comprehensive ICT risk management framework
-Management body accountability and oversight
-Identify, protect, detect, respond, and recover
-Business continuity and disaster recovery plans

Chapter III

Incident Reporting

Articles 17-23

-Classify incidents based on severity criteria
-Initial notification within 4 hours of classification (and within 24 hours of awareness)
-Intermediate report within 72 hours of the initial notification
-Final report within 1 month of the latest updated intermediate report

Chapter IV

Resilience Testing

Articles 24-27

-Regular testing of ICT tools and systems
-Threat-Led Penetration Testing (TLPT) at least every 3 years for entities identified by competent authorities
-If internal testers are used, external testers are required every third TLPT; significant credit institutions use external testers only
-Testing on live production systems with safeguards
-Follow DORA TLPT RTS (Commission Delegated Regulation (EU) 2025/1190) for execution and closure

Chapter V

Third-Party Risk

Articles 28-44

-Article 28(3) Register of Information for all ICT service arrangements
-Due diligence before onboarding providers
-Continuous monitoring of provider performance
-Direct oversight of designated critical ICT third-party providers by the lead overseer

Chapter VI

Information Sharing

Article 45

-Voluntary cyber threat intelligence sharing
-Within trusted financial sector communities
-Compliant with data protection rules
-Collective defense across the sector

Incident Reporting Timeline

Article 19 of DORA and Commission Delegated Regulation (EU) 2025/301 Article 5 set a three-stage reporting timeline for major ICT-related incidents.

4 hours

Initial Notification

Report within 4 hours of classifying a major ICT incident and no later than 24 hours after becoming aware of it.

72 hours

Intermediate Report

Submit an updated assessment within 72 hours from the initial notification.

1 month

Final Report

Deliver the final report within one month of the latest updated intermediate report.

Penalties for Non-Compliance

DORA sets the enforcement framework, but sanctions for most financial entities are defined by Member State law rather than a single EU-wide fine table.

National

sanctions framework

Financial Entities

Member States must provide effective, proportionate, and dissuasive penalties for breaches by in-scope financial entities.

of average daily worldwide turnover per day

Critical ICT Providers

Lead overseers can impose periodic penalty payments on designated critical ICT third-party providers under Article 35.

6 months

maximum duration

Periodic Penalty Window

The periodic penalty payment for designated critical ICT providers can run daily for up to six months.

How Modulos Helps with DORA Compliance

Modulos gives risk and compliance teams one workflow for requirements, controls, evidence, reviews, and exports. This helps you operationalize DORA with clearer accountability and defensible audit trails.

Book a DORA Demo

Break DORA obligations into structured requirements and mapped controls with clear ownership, implementation status, and evidence expectations.

FAQ about the Digital Operational Resilience Act

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, is the EU regulation governing the operational resilience of financial entities. It applies to banks, investment firms, insurance and reinsurance undertakings, payment and e-money institutions, crypto-asset service providers, and other financial entities listed in Article 2, plus their ICT third-party service providers under the Chapter V oversight framework. DORA entered application on 17 January 2025.

How DORA fits with other frameworks

Most financial entities run DORA alongside other regimes rather than instead of them.

For financial entities subject to both DORA and the NIS2 Directive, DORA is lex specialis: DORA Article 1(2) and NIS2 Article 4 disapply equivalent NIS2 provisions where DORA covers the same matter. NIS2 governance and supply-chain provisions outside DORA may still apply alongside.

ICT risk management under DORA Chapter II maps directly onto ISO/IEC 27001 controls, with ISO/IEC 42001 supporting the AI-management portion where the financial entity uses AI in its ICT systems. Risk operating models such as NIST AI RMF support the AI risk-analysis duty inside DORA.

When financial entities deploy AI systems that touch personal data or fall under high-risk categories, the EU AI Act and GDPR apply alongside DORA without substituting for any of them.

For US-attestation work, SOC 2 control sets often share evidence with DORA Chapter II ICT risk-management controls, especially around access, change, and incident management.

Comparing platforms? See how 20 AI governance platforms address AI risk inside the DORA stack in our 2026 enterprise buyer’s guide.

Need a Defensible DORA Execution Workflow?

In a live walkthrough, see how teams track ICT risk controls, third-party evidence, and reporting artifacts before supervisory reviews.

Book a DORA Demo Explore Platform Capabilities

Digital OperationalResilience Act(DORA) Compliance

What is the Digital Operational Resilience Act (DORA)?

Timeline and Compliance Milestones

Who is Subject to DORA?

Banking & Credit

Investment & Trading

Insurance & Pensions

Crypto & Alternative

Asset Management

Market Infrastructure

Proportionality Principle (Article 4)

DORA Reaches Into Your Tech Supply Chain

The Five Substantive Chapters of the Digital Operational Resilience Act

ICT Risk Management

Incident Reporting

Resilience Testing

Third-Party Risk

Information Sharing

Incident Reporting Timeline

Initial Notification

Intermediate Report

Final Report

Penalties for Non-Compliance

Financial Entities

Critical ICT Providers

Periodic Penalty Window

How Modulos Helps with DORA Compliance

FAQ about the Digital Operational Resilience Act

How DORA fits with other frameworks

Need a Defensible DORA Execution Workflow?

Digital Operational
Resilience Act
(DORA) Compliance