
DORA

DORA (Digital Operational Resilience Act) is the European regulation that imposes digital operational resilience on the financial sector. It harmonizes ICT risk management, incident reporting, resilience testing and oversight of critical ICT third-party providers, and has applied since January 2025.

Updated on July 2, 2026

What is DORA?

DORA, the Digital Operational Resilience Act, is a European regulation that came into application in January 2025. It starts from a simple observation: the financial sector now depends heavily on digital systems and third-party providers, and a technology failure can spread across the entire financial system as fast as a liquidity crisis.

DORA turns operational resilience, long treated as a technical matter, into a structured and supervised regulatory obligation.

Why it matters for your organization

For a financial entity, DORA is not optional: supervisory authorities can require evidence of compliance and sanction breaches. The regulation also holds the management body accountable, as it must approve and oversee the ICT risk-management framework.

An often underestimated point: DORA extends to the subcontracting chain. An organization remains responsible for the risk carried by its ICT providers, including its providers' providers.

The pillars of DORA

  • ICT risk management: a documented framework, governed at the highest level.
  • Incident reporting: harmonized classification and reporting of major incidents.
  • Resilience testing: regular testing, including threat-led penetration testing (TLPT) for the most critical entities.
  • Third-party risk management: a register of providers, mandatory contractual clauses, exit strategies.
  • Information sharing: voluntary exchange of cyber-threat intelligence between entities.

Where organizations most often fall short

Common gaps involve the ICT provider register, often incomplete, and contractual clauses that fail to cover notification and the right to audit. Many entities test their systems, but without the formality and frequency DORA requires, and without linking those tests to a remediation plan governed by senior management.

Frequently asked questions

Who is in scope for DORA?

A broad range of financial entities: banks, insurers, investment firms, payment service providers and crypto-asset platforms, as well as the ICT third-party providers they rely on. A cloud provider deemed critical can be placed under direct oversight by the European authorities.

What is the difference between DORA and NIS2?

NIS2 is a cross-sector directive that leaves room for national transposition. DORA is a directly applicable regulation, specific to the financial sector, and more prescriptive on resilience testing and ICT provider risk. For financial entities, DORA prevails as lex specialis.
