EuroComply

DORA

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is the EU's mandatory cybersecurity and operational resilience framework for the financial sector. As a regulation it is directly applicable in every member state without national transposition, and it has applied since 17 January 2025. DORA covers a broad range of financial entities, including credit institutions, payment institutions, electronic money institutions, investment firms, insurance and reinsurance undertakings, crypto-asset service providers, central counterparties, trade repositories, and many others. Critically, it also reaches ICT third-party service providers (cloud platforms, data analytics providers, software vendors and the like) that the European Supervisory Authorities designate as critical, which brings them under a Union-level oversight framework.

DORA is structured around five pillars, each corresponding to a chapter of the regulation:

1. ICT risk management (Chapter II): financial entities must implement a comprehensive ICT risk management framework, including policies for protection and prevention, detection, response and recovery, and learning from incidents.
2. ICT-related incident management, classification and reporting (Chapter III): incidents must be classified against common criteria, and major incidents reported to the competent authority within mandatory timelines.
3. Digital operational resilience testing (Chapter IV): a testing programme covering all ICT systems and applications at least yearly, plus advanced threat-led penetration testing (TLPT) at least every three years for the financial entities their competent authority identifies for it, broadly the systemically significant ones.
4. ICT third-party risk management (Chapter V): due diligence before contracting, mandatory contractual provisions, and exit strategies for ICT service providers, with stricter requirements where the service supports critical or important functions.
5. Information-sharing arrangements (Chapter VI): a framework for exchanging cyber threat information and intelligence among financial entities.

For an EU SME in the financial sector, DORA's most immediate practical demands are a documented ICT risk management framework, a register of information on all contractual arrangements with ICT third-party service providers (Article 28), contractual clauses in every ICT provider agreement covering audit and access rights, security standards, and termination rights, and an incident response and recovery plan that has actually been tested.
Competent authorities have supervisory, investigatory and sanctioning powers under DORA. The specific penalty regime is laid down by each member state, but at minimum authorities can order a financial entity to cease non-compliant conduct, require corrective and remedial measures, issue public notices, and impose administrative penalties, including fines, calibrated to the severity and duration of the breach. See the DORA compliance guide at eurocomply.app/regulations/dora
