EuroComply
Konto erstellen

Digital Operational Resilience Act

Die Verordnung über die digitale operationale Resilienz im Finanzsektor (Verordnung (EU) 2022/2554, DORA) ist das europäische ICT-Risiko-Regelwerk für Finanzunternehmen, unmittelbar anwendbar seit 17. Januar 2025. Sie verpflichtet Banken, Versicherer, Zahlungsdienstleister, Wertpapierfirmen und Krypto-Anbieter zu IKT-Risikomanagement, Klassifikation und Meldung wesentlicher Vorfälle, regelmäßigen Belastungstests (einschließlich bedrohungsgesteuerter Penetrationstests), und Überwachung kritischer Drittanbieter durch schriftliches Informationsregister und Vertragsgarantien. Deutsche Behörden: Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) und Deutsche Bundesbank.

Free DORA Scope Checker

What does DORA require and when does it apply?

DORA applies to Banking and Insurance organisations across all EU member states. The key deadline is January 17, 2025. Non-compliance carries a maximum penalty of CTPPs: 1% of daily global turnover (up to 6 months); Financial entities: per national law. Core obligations include implement ict risk management framework and conduct digital operational resilience testing.

  • Implement ICT risk management framework
  • Conduct digital operational resilience testing
  • Manage third-party ICT risk
  • Report major ICT-related incidents
  • Share threat intelligence
DeadlineJanuary 17, 2025
Max fineCTPPs: 1% of daily global turnover (up to 6 months); Financial entities: per national law
Primary sectorsBanking, Insurance, Investment Firms
Source: Official Journal of the EU — Digital Operational Resilience ActReviewed:
TL;DR

DORA: CTPPs: 1% of daily global turnover (up to 6 months); Financial entities: per national law max fine

DORA applies to Banking and Insurance organisations in all EU member states. Key deadline: January 17, 2025.

Source: Official Journal of the European Union — Digital Operational Resilience Act

Who does DORA apply to?

DORA gilt für eine breite Palette von Finanzunternehmen und — als Novum — unmittelbar auch für IKT-Drittdienstleister, die als kritisch für das EU-Finanzsystem eingestuft werden.

  • Kreditinstitute, Zahlungsinstitute, E-Geld-Institute, Wertpapierfirmen
  • Krypto-Dienstleister (im Sinne der MiCA-Verordnung), Zentralverwahrer, zentrale Gegenparteien, Handelsplätze
  • Versicherungs- und Rückversicherungsunternehmen, Einrichtungen der betrieblichen Altersversorgung (EbAV), Ratingagenturen, Abschlussprüfungsgesellschaften (eingeschränkte Bestimmungen)
  • Kritische IKT-Drittdienstleister (CTPP), die von den Europäischen Aufsichtsbehörden benannt werden
Source: Regulation (EU) 2022/2554 (DORA) — EUR-Lex Official Journal — Artikel 2 (Persönlicher Anwendungsbereich)Reviewed:

What are the penalties for DORA non-compliance?

Die Sanktionen gegenüber Finanzunternehmen werden auf nationaler Ebene festgelegt; in Deutschland geahndet durch die BaFin im Rahmen ihrer aufsichtsrechtlichen Befugnisse nach KWG, ZAG, KAGB und VAG sowie durch die Deutsche Bundesbank. Kritische IKT-Drittdienstleister unterliegen einem harmonisierten EU-Aufsichtsregime mit einem in DORA selbst geregelten Mechanismus periodischer Zwangsgelder.

Maximum fineCTPPs: up to 1% of average daily global turnover, applied daily for up to six months. Financial entities: per national law.
Source: Regulation (EU) 2022/2554 (DORA) — EUR-Lex Official Journal — Artikel 35 (Befugnisse des federführenden Aufsehers) und Artikel 50Reviewed:

When does DORA apply?

DORA ist am 16. Januar 2023 in Kraft getreten und gilt unmittelbar in der gesamten EU seit dem 17. Januar 2025. Die zuständigen nationalen Behörden — in Deutschland die BaFin gemeinsam mit der Deutschen Bundesbank — haben Ende 2024 mit den aufsichtlichen Dialogen mit den in den Anwendungsbereich fallenden Unternehmen begonnen.

  • 2023-01-16 — Entry into force
  • 2025-01-17 — Direct application across the EU
Source: Regulation (EU) 2022/2554 (DORA) — EUR-Lex Official Journal — Artikel 64 (Inkrafttreten und Anwendung)Reviewed:

Wie führen Sie ein DORA-konformes Informationsregister über IKT-Drittdienstleister

Art. 28 Abs. 3 DORA verpflichtet Finanzunternehmen zur Führung eines Informationsregisters über alle vertraglichen Vereinbarungen mit IKT-Drittdienstleistern. Das Register ist der zuständigen Behörde auf Anforderung vorzulegen.

  1. 1

    Alle IKT-Drittdienstleister identifizieren

    Erfassen Sie jede vertragliche Vereinbarung über die Erbringung von IKT-Diensten — unabhängig davon, ob der Dienstleister konzernintern oder extern ist.

  2. 2

    Felder gemäß ITS erfassen

    Erfassen Sie die durch die Durchführungsverordnung (EU) 2024/2956 (ITS zum Informationsregister) vorgegebenen Felder: Vertragsmetadaten, Funktionsbeschreibung, Kritikalität, Datenstandort, Subunternehmerkette usw.

  3. 3

    Vereinbarungen kritischer oder wichtiger Funktionen markieren

    Kennzeichnen Sie, welche Vereinbarungen Funktionen unterstützen, die als kritisch oder wichtig eingestuft sind — diese lösen strengere Vertrags- und Ausstiegsstrategie-Anforderungen aus (Art. 28 Abs. 2).

  4. 4

    Mindestens jährlich der zuständigen Behörde übermitteln

    Übermitteln Sie das Register mindestens einmal jährlich im vorgeschriebenen Format an die BaFin; aktualisieren Sie es, sobald sich eine wesentliche Vereinbarung zur Unterstützung einer kritischen oder wichtigen Funktion ändert.

1 % des täglichen weltweiten Umsatzes

Maximale tägliche Zwangsgeldhöhe, die der federführende EU-Aufseher gegen einen kritischen IKT-Drittdienstleister bei Nichtbeachtung der DORA-Aufsichtsmaßnahmen verhängen kann (auf sechs Monate begrenzt).

Verordnung (EU) 2022/2554, Art. 35 Abs. 6

Deadline

January 17, 2025

Max Fine

CTPPs: 1% of daily global turnover (up to 6 months); Financial entities: per national law

Sectors Affected

Banking, Insurance, Investment Firms

1 % des täglichen weltweiten Umsatzes

Maximale tägliche Zwangsgeldhöhe, die der federführende EU-Aufseher gegen einen kritischen IKT-Drittdienstleister bei Nichtbeachtung der DORA-Aufsichtsmaßnahmen verhängen kann (auf sechs Monate begrenzt).

Verordnung (EU) 2022/2554, Art. 35 Abs. 6

Key regulatory facts: Digital Operational Resilience Act
Official nameRegulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector
Reg. No.(EU) 2022/2554
CELEX32022R2554
Typeregulation
In force2023-01-16
Applies from2025-01-17
Max fineCTPPs: up to 1% of average daily global turnover, applied daily for up to six months. Financial entities: per national law.
Authorities
European Banking Authority (EBA) (EU)
European Securities and Markets Authority (ESMA) (EU)
European Insurance and Occupational Pensions Authority (EIOPA) (EU)
National competent authorities (member-state)
ESAs Lead Overseer for CTPPs (EU)
Source(EU) 2022/2554 — EUR-Lex Official Journal

How do I comply with DORA?

  • Implement ICT risk management framework
  • Conduct digital operational resilience testing
  • Manage third-party ICT risk
  • Report major ICT-related incidents
  • Share threat intelligence

Does DORA apply to your business?

Find out in 2 minutes with our free regulation checker.

Check now — free

DORA by Country

🇩🇪

Germany

🇫🇷

France

🇳🇱

Netherlands

🇪🇸

Spain

🇮🇹

Italy

🇦🇹

Austria

🇧🇪

Belgium

🇵🇱

Poland

🇸🇪

Sweden

🇮🇪

Ireland

🇵🇹

Portugal

🇩🇰

Denmark

🇫🇮

Finland

🇨🇿

Czech Republic

🇷🇴

Romania

🇭🇺

Hungary

🇸🇰

Slovakia

🇧🇬

Bulgaria

🇭🇷

Croatia

🇬🇷

Greece

🇱🇺

Luxembourg

🇪🇪

Estonia

🇱🇻

Latvia

🇱🇹

Lithuania

🇸🇮

Slovenia

🇲🇹

Malta

Explore DORA in depth

Penalties & Fines

Maximum fine tiers, Article-by-Article breakdown, and mitigation factors.

Enforcement Timeline

Key dates, application milestones, and per-Member-State transposition status.

DORA by Industry

💻

SaaS & Software

💳

Fintech & Financial Services

🏥

Healthcare & MedTech

🏭

Manufacturing & Industry

🛒

E-commerce & Retail

🎓

EdTech & Education

🚚

Logistics & Transport

Energy & Utilities

📡

Telecoms & Media

👥

HR & Recruitment

⚖️

Legal & Professional Services

🏛️

Public Sector & NGOs

DORA by Role

Small Financial Entities

DORA applies a proportionality principle (Article 4): the depth and granularity of an entity's ICT risk-management framework should reflect its size, overall risk profile, and the nature, scale, and complexity of its services. Article 16 sets a simplified ICT risk-management framework for specific small or non-interconnected entities.

Related Regulations

NIS2

NIS2 expands cybersecurity obligations to essential and important entities across critical sectors. It mandates risk management, incident reporting, and supply chain security.

CRA

The CRA establishes cybersecurity requirements for products with digital elements sold in the EU. Manufacturers must ensure security by design and provide vulnerability handling.

GDPR

GDPR governs the processing of personal data of EU residents. It requires lawful basis for processing, data subject rights, breach notification, and accountability measures.

Explore DORA in depth

Penalties & Fines

See enforcement patterns, fine tier tables, and real enforcement cases across EU member states.

Deadline Timeline

Key milestones, implementation phases, and country-specific deadlines and phased rollout dates.

Industry Guides

Sector-specific DORA guidance for SaaS, fintech, healthcare, and other affected industries.

Next step — classify

Classify your AI systems

Use the free regulation checker to find out exactly which DORA obligations apply to your business in 2 minutes.

Classify your AI systems

Check Your Compliance Obligations

Find out which DORA obligations apply to your organisation in under 2 minutes.

Check Your EU Compliance

Recent DORA Articles

What Is DORA? A Complete Guide for Financial Entities

8 Jun 2026

What Is DORA? A Complete Guide for Financial Entities

31 May 2026

What Is DORA? A Complete Guide for Financial Entities

31 May 2026

Frequently Asked Questions

What are the DORA compliance requirements for fintech?
DORA (Regulation 2022/2554) applies to financial entities and their ICT third-party providers from January 2025. Core requirements: (1) ICT Risk Management framework (Articles 5–16) with documented policies and regular testing; (2) ICT-related incident classification and reporting to competent authorities within 4 hours for major incidents; (3) Digital Operational Resilience Testing including penetration testing every three years for significant institutions; (4) Third-party ICT risk management with DORA-compliant contractual clauses; (5) Register all critical ICT third-party providers with the relevant authority. Fintech companies under MiFID II, PSD2, or e-money licensing are in scope.
Does DORA apply to small fintech startups in the EU?
DORA applies to all financial entities as defined in Article 2, including payment institutions, e-money institutions, investment firms, and crypto-asset service providers (CASPs), regardless of size. Proportionality provisions in Article 4 allow microenterprises — fewer than 10 employees and under €2M annual turnover — to implement a simplified ICT risk management framework. However, incident reporting obligations (Article 19) and third-party ICT risk management requirements apply to all in-scope entities regardless of size. A fintech startup that has obtained a PSD2 payment institution licence, an e-money licence, or a MiCA CASP authorisation is in scope for DORA from January 2025.
What are DORA's ICT incident reporting requirements?
DORA Article 19 requires financial entities to classify and report major ICT-related incidents to their national competent authority (NCA) — e.g., BaFin for German banks, ACPR for French institutions, DNB for Dutch entities. The reporting timeline is: an initial notification within 4 hours of classifying the incident as major (or 24 hours from first detection); an intermediate report within 72 hours; and a final report within one month. An incident is classified as major based on criteria including number of clients affected, service downtime, geographic spread of impact, and data loss. Financial entities must also voluntarily notify NCAs of significant cyber threats that have not yet caused an incident.
What is a DORA-compliant ICT risk management framework?
A DORA-compliant ICT risk management framework (Articles 5–16) must include: a documented ICT strategy endorsed by the management body; an ICT asset register covering hardware, software, and data; a business impact analysis for critical functions; a business continuity and disaster recovery plan with tested RTO/RPO targets; regular ICT security testing including vulnerability assessments (annually for all entities) and threat-led penetration testing every three years for significant institutions; and access control policies with privileged account management. The framework must be reviewed annually and after any major ICT incident. Management bodies are personally responsible for compliance and must maintain sufficient ICT knowledge.

For informational purposes only. This is not legal advice — consult qualified legal counsel.

Last verified: · Source: EUR-Lex 32022R2554 · Editorial policy