Skip to content
On this page
  1. Key Takeaways
  2. What It Is: DORA Digital Operational Resilience
  3. The Intuition
  4. How It Works
  5. Worked Example
  6. Common Mistakes
  7. Frequently Asked Questions
  8. Sources
  9. Disclaimer
← All concepts
International FinanceAdvanced5 min read

DORA: EU Digital Operational Resilience Rules

DORA, the Digital Operational Resilience Act, is the EU regulation that forces financial firms to withstand, respond to, and recover from technology failures and cyber attacks. Formally Regulation (EU) 2022/2554, the DORA digital operational resilience framework became applicable on 17 January 2025 and covers more than 20 types of financial entity. It treats a bank's ability to keep its systems running as a supervised obligation, not just an IT housekeeping task.

Key Takeaways

  • DORA digital operational resilience rules make financial firms manage and survive technology and cyber disruptions.
  • It became applicable on 17 January 2025 across more than 20 types of EU financial entity.
  • A common mistake is treating DORA as IT policy rather than a board-level legal duty.
  • Resilience failures can halt trading and settlement, so DORA directly affects market continuity.

Key Takeaways

  • DORA digital operational resilience rules make financial firms manage and survive technology and cyber disruptions.
  • It became applicable on 17 January 2025 across more than 20 types of EU financial entity.
  • A common mistake is treating DORA as IT policy rather than a board-level legal duty.
  • Resilience failures can halt trading and settlement, so DORA directly affects market continuity.

What It Is: DORA Digital Operational Resilience

DORA is a single EU rulebook for information and communication technology (ICT) risk in finance. Before it, operational-resilience expectations were scattered across national rules and sector guidance. DORA replaces that patchwork with one regulation that applies directly in every member state.

Its scope is wide. Banks, insurers, investment firms, payment institutions, crypto-asset service providers, and trading venues are all in. So are critical ICT third-party providers, such as major cloud platforms, which face a new EU oversight regime when many financial firms depend on them.

The Intuition

A modern bank is a software company that happens to hold deposits. If its core systems go down, customers cannot pay, trades cannot settle, and confidence drains fast. Capital rules protect against credit losses, but they do nothing if the systems simply stop.

DORA fills that gap. It says resilience to outages and attacks is part of being a sound financial firm, and it puts the board, not just the IT department, on the hook. The intuition is that operational failure can threaten the system as surely as a bad loan book.

How It Works

DORA rests on five pillars. The first is ICT risk management: each firm must run a documented framework with board-level accountability for identifying, protecting against, and recovering from ICT risk. The second is incident reporting: major ICT incidents must be classified and reported to supervisors on set timelines, with initial notification of major incidents required quickly after detection.

The third pillar is digital operational resilience testing. Firms test their systems regularly, and significant entities must run threat-led penetration testing (TLPT), which simulates real attacker behavior, at least every three years. The fourth is ICT third-party risk: firms must map their providers, manage concentration risk, and include specific contract terms, while critical providers face direct EU oversight. The fifth is information sharing, which lets firms exchange cyber-threat intelligence.

Supervision runs through the national regulators and the European Supervisory Authorities, with the new oversight layer for critical third-party providers.

Worked Example

Suppose a mid-sized investment firm runs its order management on an external cloud platform. Under DORA, the firm first maps that dependency and classifies the cloud provider as a critical ICT service in its register of information.

It then writes resilience terms into the contract, covering audit rights, exit plans, and incident cooperation. It runs scenario tests, and because it is a significant entity, it commissions threat-led penetration testing against its trading stack. When a major outage hits, the firm classifies the incident and files an initial report to its supervisor within the required window, then follows up with intermediate and final reports. Every step is a DORA obligation, not a voluntary best practice.

Common Mistakes

  1. Treating DORA as an IT-only matter. The regulation puts ICT risk on the board. Delegating it entirely to technology staff misreads where accountability sits.

  2. Ignoring third-party concentration. Relying on one dominant cloud provider creates concentration risk that DORA expects firms to map and manage, not assume away.

  3. Skipping the contract terms. DORA requires specific clauses in ICT contracts. A standard vendor agreement that omits audit, exit, and incident terms can breach the rules.

  4. Underestimating incident timelines. Major incidents must be classified and reported on tight deadlines. Discovering the process during a live outage is too late.

  5. Assuming testing is optional. Resilience testing is mandatory, and significant entities must run advanced threat-led penetration testing periodically.

Frequently Asked Questions

What is DORA digital operational resilience in simple terms? DORA is an EU regulation that requires financial firms to keep their technology running through outages and cyber attacks. It makes resilience a supervised legal duty rather than an internal IT goal.

How does DORA affect investment decisions? DORA raises the operational standard for banks, brokers, and trading venues. Firms that handle ICT risk poorly face supervisory action and outage risk, which is a real factor when assessing a financial company's quality.

What is a real-world example of DORA in action? An investment firm that relies on a cloud provider must register that dependency, add resilience clauses to the contract, run threat-led penetration tests, and report major outages to its supervisor on a deadline.

How can firms comply with DORA effectively? Start with a board-owned ICT risk framework, map every critical third-party provider, fix contract terms early, and rehearse incident reporting before an incident happens rather than during one.

How is DORA different from MiCA? DORA governs operational and cyber resilience across the financial sector. MiCA governs the issuance and service provision around crypto-assets. A crypto firm can be subject to both at once.

Sources

  1. EUR-Lex. "Regulation (EU) 2022/2554 (DORA)." https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
  2. EIOPA. "Digital Operational Resilience Act (DORA)." https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
  3. CSSF. "ICT and cyber risk for DORA entities." https://www.cssf.lu/en/ict-and-cyber-risk-for-dora-entities/
  4. LSEG. "Digital Operational Resilience Act (DORA), European Union." https://www.lseg.com/en/operational-resilience/digital-operational-resilience-act

Disclaimer

This article is educational content only and is not financial advice. Nothing here is a recommendation to buy, sell, or hold any security. Consult a licensed advisor before making investment decisions.

The IWP Substack

You understand the concept. Now see it applied.

The Investing With Purpose Substack turns ideas like this into research and risk-managed trade plans on real stocks, updated every week.

Read on Substack (opens in a new tab)

Related concepts