Understanding DORA: The Digital Operational Resilience Act
In effect since January 2025, DORA imposes strict digital resilience requirements on European financial institutions. Here is what you need to know.
What is DORA?
The DORA regulation (Digital Operational Resilience Act) is a European Union regulation that has applied since January 17, 2025. It consolidates and harmonizes ICT risk resilience requirements across the entire European financial sector.
Before DORA, ICT risk requirements varied by financial sub-sector and member state. DORA creates a single, coherent and binding framework applicable to more than 22,000 financial entities and ICT providers in the EU.
For Canadian organizations, DORA is relevant if you operate in Europe, provide ICT services to European financial institutions, or have banking or insurance partners subject to the regulation.
Who does DORA apply to?
- Credit institutions (banks)
- Payment and electronic money institutions
- Investment firms
- Insurance and reinsurance companies
- Alternative investment fund managers
- Central counterparties and central securities depositories
- Critical third-party ICT service providers
The 6 pillars of DORA
ICT risk management
Implement a documented ICT risk management framework, regularly reviewed and tested.
ICT incident management
Classify, document and report major ICT incidents to the competent authorities within prescribed timeframes: an initial report within 4 hours and a final report within 72 hours.
Operational resilience testing
Conduct annual resilience tests. Institutions designated as 'significant' must also conduct threat-led penetration tests (TLPT) every 3 years.
Third-party ICT risks
Assess, monitor and manage the risks associated with third-party ICT service providers — particularly cloud providers. Contracts with these providers must include mandatory resilience clauses.
Information sharing
Participate in cyber threat information sharing arrangements between financial institutions to strengthen the sector's collective resilience.
Governance and accountability
Management bodies are personally responsible for DORA implementation. Leadership must approve digital resilience strategies and receive regular reports.
DORA Timeline
- January 2023: official entry into force of the DORA regulation in the EU
- January 2025: application date; all EU financial institutions must be compliant
- Ongoing: publication of regulatory technical standards (RTS/ITS) by EBA, EIOPA and ESMA
DORA vs NIS2: what is the difference?
| Criterion | DORA | NIS2 |
|---|---|---|
| Sector | Financial sector only | All critical sectors |
| Nature | Regulation (directly applicable) | Directive (national transposition) |
| Third-party ICT | Direct oversight of critical providers | Third-party risk management obligation |
| Testing | TLPT mandatory for significant entities | Testing recommended |
| Governance | Personal liability of management | Organizational accountability |
CapGRC and DORA
CapGRC covers all 6 pillars of DORA with its specialized modules. Request a demonstration tailored to your financial context.
Financial institutions operating in the EU are now subject to DORA obligations. Fines can reach 1% of global daily turnover for 6 months.
