EuroComply
Sign up

Digital Operational Resilience Act

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is the EU's ICT-risk regulation for the financial sector, applying since 17 January 2025. It requires financial entities โ€” banks, insurers, payment service providers, investment firms, crypto-asset service providers โ€” to manage ICT risk, classify and report major incidents, regularly test their digital resilience (including threat-led penetration testing), and oversee critical ICT third-party providers via a written register and contractual safeguards. It harmonises rules previously fragmented across banking, insurance, and investment legislation.

Free DORA Scope Checker

What does DORA require and when does it apply?

DORA applies to Banking and Insurance organisations across all EU member states. The key deadline is January 17, 2025. Non-compliance carries a maximum penalty of CTPPs: 1% of daily global turnover (up to 6 months); Financial entities: per national law. Core obligations include implement ict risk management framework and conduct digital operational resilience testing.

  • Implement ICT risk management framework
  • Conduct digital operational resilience testing
  • Manage third-party ICT risk
  • Report major ICT-related incidents
  • Share threat intelligence
DeadlineJanuary 17, 2025
Max fineCTPPs: 1% of daily global turnover (up to 6 months); Financial entities: per national law
Primary sectorsBanking, Insurance, Investment Firms
Source: Official Journal of the EU โ€” Digital Operational Resilience ActReviewed:
TL;DR

DORA: CTPPs: 1% of daily global turnover (up to 6 months); Financial entities: per national law max fine

DORA applies to Banking and Insurance organisations in all EU member states. Key deadline: January 17, 2025.

Source: Official Journal of the European Union โ€” Digital Operational Resilience Act

Who does DORA apply to?

DORA applies to a broad set of financial entities and โ€” uniquely โ€” directly to ICT third-party service providers designated as critical to the EU financial system.

  • Credit institutions, payment institutions, electronic-money institutions, investment firms
  • Crypto-asset service providers (under MiCA), central securities depositories, central counterparties, trading venues
  • Insurance and reinsurance undertakings, IORPs, credit-rating agencies, audit firms (limited provisions)
  • Critical third-party ICT service providers (CTPPs) designated by the European Supervisory Authorities
Source: Regulation (EU) 2022/2554 (DORA) โ€” EUR-Lex Official Journal โ€” Article 2 (Personal scope)Reviewed:

What are the penalties for DORA non-compliance?

Sanctions are set at national level for financial entities; CTPPs face a harmonised EU-level oversight regime with a specific periodic-penalty mechanism set in DORA itself.

Maximum fineCTPPs: up to 1% of average daily global turnover, applied daily for up to six months. Financial entities: per national law.
Source: Regulation (EU) 2022/2554 (DORA) โ€” EUR-Lex Official Journal โ€” Article 35 (Powers of the Lead Overseer) and Article 50Reviewed:

When does DORA apply?

DORA entered into force on 16 January 2023 and applied directly from 17 January 2025 across the EU. National competent authorities began supervisory dialogues with in-scope entities in late 2024.

  • 2023-01-16 โ€” Entry into force
  • 2025-01-17 โ€” Direct application across the EU
Source: Regulation (EU) 2022/2554 (DORA) โ€” EUR-Lex Official Journal โ€” Article 64 (Entry into force and application)Reviewed:

How to maintain a DORA-compliant ICT third-party register

Article 28(3) requires financial entities to keep a Register of Information on all contractual arrangements with ICT third-party service providers and to make it available to the competent authority on request.

  1. 1

    Identify all ICT third-party service providers

    Map every contractual arrangement that involves the provision of ICT services, regardless of whether the provider is intra-group or external.

  2. 2

    Record the Implementing Technical Standards (ITS) fields

    Capture the fields prescribed by the ITS on the Register of Information (Commission Implementing Regulation (EU) 2024/2956): contract metadata, function description, criticality, location of data and service, sub-contracting chain, etc.

  3. 3

    Flag arrangements supporting critical or important functions

    Mark which arrangements support functions classified as critical or important โ€” these trigger stricter contractual and exit-strategy requirements (Article 28(2)).

  4. 4

    Submit annually to the competent authority

    Submit the Register at least annually in the prescribed format; update it whenever a material change to an arrangement supporting a critical or important function occurs.

1% of daily global turnover

Maximum daily periodic penalty payment the EU Lead Overseer can impose on a Critical Third-Party Provider for non-compliance with DORA's oversight measures (capped at six months).

Regulation (EU) 2022/2554, Article 35(6)

Deadline

January 17, 2025

Max Fine

CTPPs: 1% of daily global turnover (up to 6 months); Financial entities: per national law

Sectors Affected

Banking, Insurance, Investment Firms

1% of daily global turnover

Maximum daily periodic penalty payment the EU Lead Overseer can impose on a Critical Third-Party Provider for non-compliance with DORA's oversight measures (capped at six months).

Regulation (EU) 2022/2554, Article 35(6)

Key regulatory facts: Digital Operational Resilience Act
Official nameRegulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector
Reg. No.(EU) 2022/2554
CELEX32022R2554
Typeregulation
In force2023-01-16
Applies from2025-01-17
Max fineCTPPs: up to 1% of average daily global turnover, applied daily for up to six months. Financial entities: per national law.
Authorities
European Banking Authority (EBA) (EU)
European Securities and Markets Authority (ESMA) (EU)
European Insurance and Occupational Pensions Authority (EIOPA) (EU)
National competent authorities (member-state)
ESAs Lead Overseer for CTPPs (EU)
Source(EU) 2022/2554 โ€” EUR-Lex Official Journal

How do I comply with DORA?

  • Implement ICT risk management framework
  • Conduct digital operational resilience testing
  • Manage third-party ICT risk
  • Report major ICT-related incidents
  • Share threat intelligence

Does DORA apply to your business?

Find out in 2 minutes with our free regulation checker.

Check now โ€” free

DORA by Country

๐Ÿ‡ฉ๐Ÿ‡ช

Germany

๐Ÿ‡ซ๐Ÿ‡ท

France

๐Ÿ‡ณ๐Ÿ‡ฑ

Netherlands

๐Ÿ‡ช๐Ÿ‡ธ

Spain

๐Ÿ‡ฎ๐Ÿ‡น

Italy

๐Ÿ‡ฆ๐Ÿ‡น

Austria

๐Ÿ‡ง๐Ÿ‡ช

Belgium

๐Ÿ‡ต๐Ÿ‡ฑ

Poland

๐Ÿ‡ธ๐Ÿ‡ช

Sweden

๐Ÿ‡ฎ๐Ÿ‡ช

Ireland

๐Ÿ‡ต๐Ÿ‡น

Portugal

๐Ÿ‡ฉ๐Ÿ‡ฐ

Denmark

๐Ÿ‡ซ๐Ÿ‡ฎ

Finland

๐Ÿ‡จ๐Ÿ‡ฟ

Czech Republic

๐Ÿ‡ท๐Ÿ‡ด

Romania

๐Ÿ‡ญ๐Ÿ‡บ

Hungary

๐Ÿ‡ธ๐Ÿ‡ฐ

Slovakia

๐Ÿ‡ง๐Ÿ‡ฌ

Bulgaria

๐Ÿ‡ญ๐Ÿ‡ท

Croatia

๐Ÿ‡ฌ๐Ÿ‡ท

Greece

๐Ÿ‡ฑ๐Ÿ‡บ

Luxembourg

๐Ÿ‡ช๐Ÿ‡ช

Estonia

๐Ÿ‡ฑ๐Ÿ‡ป

Latvia

๐Ÿ‡ฑ๐Ÿ‡น

Lithuania

๐Ÿ‡ธ๐Ÿ‡ฎ

Slovenia

๐Ÿ‡ฒ๐Ÿ‡น

Malta

Explore DORA in depth

Penalties & Fines

Maximum fine tiers, Article-by-Article breakdown, and mitigation factors.

Enforcement Timeline

Key dates, application milestones, and per-Member-State transposition status.

DORA by Industry

๐Ÿ’ป

SaaS & Software

๐Ÿ’ณ

Fintech & Financial Services

๐Ÿฅ

Healthcare & MedTech

๐Ÿญ

Manufacturing & Industry

๐Ÿ›’

E-commerce & Retail

๐ŸŽ“

EdTech & Education

๐Ÿšš

Logistics & Transport

โšก

Energy & Utilities

๐Ÿ“ก

Telecoms & Media

๐Ÿ‘ฅ

HR & Recruitment

โš–๏ธ

Legal & Professional Services

๐Ÿ›๏ธ

Public Sector & NGOs

DORA by Role

Small Financial Entities

DORA applies a proportionality principle (Article 4): the depth and granularity of an entity's ICT risk-management framework should reflect its size, overall risk profile, and the nature, scale, and complexity of its services. Article 16 sets a simplified ICT risk-management framework for specific small or non-interconnected entities.

Related Regulations

NIS2

NIS2 expands cybersecurity obligations to essential and important entities across critical sectors. It mandates risk management, incident reporting, and supply chain security.

CRA

The CRA establishes cybersecurity requirements for products with digital elements sold in the EU. Manufacturers must ensure security by design and provide vulnerability handling.

GDPR

GDPR governs the processing of personal data of EU residents. It requires lawful basis for processing, data subject rights, breach notification, and accountability measures.

Explore DORA in depth

Penalties & Fines

See enforcement patterns, fine tier tables, and real enforcement cases across EU member states.

Deadline Timeline

Key milestones, implementation phases, and country-specific deadlines and phased rollout dates.

Industry Guides

Sector-specific DORA guidance for SaaS, fintech, healthcare, and other affected industries.

Next step โ€” classify

Classify your AI systems

Use the free regulation checker to find out exactly which DORA obligations apply to your business in 2 minutes.

Classify your AI systems

Check Your Compliance Obligations

Find out which DORA obligations apply to your organisation in under 2 minutes.

Check Your EU Compliance

Recent DORA Articles

What Is DORA? A Complete Guide for Financial Entities

8 Jun 2026

What Is DORA? A Complete Guide for Financial Entities

31 May 2026

What Is DORA? A Complete Guide for Financial Entities

31 May 2026

Frequently Asked Questions

What are the DORA compliance requirements for fintech?
DORA (Regulation 2022/2554) applies to financial entities and their ICT third-party providers from January 2025. Core requirements: (1) ICT Risk Management framework (Articles 5โ€“16) with documented policies and regular testing; (2) ICT-related incident classification and reporting to competent authorities within 4 hours for major incidents; (3) Digital Operational Resilience Testing including penetration testing every three years for significant institutions; (4) Third-party ICT risk management with DORA-compliant contractual clauses; (5) Register all critical ICT third-party providers with the relevant authority. Fintech companies under MiFID II, PSD2, or e-money licensing are in scope.
Does DORA apply to small fintech startups in the EU?
DORA applies to all financial entities as defined in Article 2, including payment institutions, e-money institutions, investment firms, and crypto-asset service providers (CASPs), regardless of size. Proportionality provisions in Article 4 allow microenterprises โ€” fewer than 10 employees and under โ‚ฌ2M annual turnover โ€” to implement a simplified ICT risk management framework. However, incident reporting obligations (Article 19) and third-party ICT risk management requirements apply to all in-scope entities regardless of size. A fintech startup that has obtained a PSD2 payment institution licence, an e-money licence, or a MiCA CASP authorisation is in scope for DORA from January 2025.
What are DORA's ICT incident reporting requirements?
DORA Article 19 requires financial entities to classify and report major ICT-related incidents to their national competent authority (NCA) โ€” e.g., BaFin for German banks, ACPR for French institutions, DNB for Dutch entities. The reporting timeline is: an initial notification within 4 hours of classifying the incident as major (or 24 hours from first detection); an intermediate report within 72 hours; and a final report within one month. An incident is classified as major based on criteria including number of clients affected, service downtime, geographic spread of impact, and data loss. Financial entities must also voluntarily notify NCAs of significant cyber threats that have not yet caused an incident.
What is a DORA-compliant ICT risk management framework?
A DORA-compliant ICT risk management framework (Articles 5โ€“16) must include: a documented ICT strategy endorsed by the management body; an ICT asset register covering hardware, software, and data; a business impact analysis for critical functions; a business continuity and disaster recovery plan with tested RTO/RPO targets; regular ICT security testing including vulnerability assessments (annually for all entities) and threat-led penetration testing every three years for significant institutions; and access control policies with privileged account management. The framework must be reviewed annually and after any major ICT incident. Management bodies are personally responsible for compliance and must maintain sufficient ICT knowledge.

For informational purposes only. This is not legal advice โ€” consult qualified legal counsel.

Last verified: ยท Source: EUR-Lex 32022R2554 ยท Editorial policy