What are the key DORA obligations for EU businesses?

Implement ICT risk management framework. Conduct digital operational resilience testing. Manage third-party ICT risk. Report major ICT-related incidents. Share threat intelligence.

What is the maximum fine for DORA non-compliance?

The maximum fine under DORA is Varies by member state (effective, proportionate, dissuasive).

When does DORA apply or what is the enforcement deadline?

DORA deadline: January 17, 2025.

Which sectors does DORA affect?

DORA applies to: Banking, Insurance, Investment Firms, Payment Services, Crypto-asset Providers.

Digital Operational Resilience Act

DORA creates a comprehensive framework for ICT risk management in the financial sector. It requires resilience testing, third-party risk management, and incident reporting.

What does DORA require and when does it apply?

DORA applies to Banking and Insurance organisations across all EU member states. The key deadline is January 17, 2025. Non-compliance carries a maximum penalty of Varies by member state (effective, proportionate, dissuasive). Core obligations include implement ict risk management framework and conduct digital operational resilience testing.

Implement ICT risk management framework
Conduct digital operational resilience testing
Manage third-party ICT risk
Report major ICT-related incidents
Share threat intelligence

Deadline	January 17, 2025
Max fine	Varies by member state (effective, proportionate, dissuasive)
Primary sectors	Banking, Insurance, Investment Firms

Source: Official Journal of the EU — Digital Operational Resilience ActReviewed: 2026-05-01

TL;DR

DORA: Varies by member state (effective, proportionate, dissuasive) max fine

DORA applies to Banking and Insurance organisations in all EU member states. Key deadline: January 17, 2025.

Source: Official Journal of the European Union — Digital Operational Resilience Act

Deadline

January 17, 2025

Max Fine

Varies by member state (effective, proportionate, dissuasive)

Sectors Affected

Banking, Insurance, Investment Firms

Varies by member state (effective, proportionate, dissuasive)maximum fine

The highest penalty for non-compliance with DORA in the EU.

EU Official Journal

How do I comply with DORA?

Implement ICT risk management framework
Conduct digital operational resilience testing
Manage third-party ICT risk
Report major ICT-related incidents
Share threat intelligence

Does DORA apply to your business?

Find out in 2 minutes with our free regulation checker.

Check now — free

Related Regulations

AI Act

The EU AI Act classifies AI systems by risk level and imposes obligations on providers and deployers. High-risk systems face mandatory conformity assessments, documentation, and human oversight requirements.

GDPR

GDPR governs the processing of personal data of EU residents. It requires lawful basis for processing, data subject rights, breach notification, and accountability measures.

NIS2

NIS2 expands cybersecurity obligations to essential and important entities across critical sectors. It mandates risk management, incident reporting, and supply chain security.

Next step — classify

Classify your AI systems

Use the free regulation checker to find out exactly which DORA obligations apply to your business in 2 minutes.