---
url: https://eurocomply.app/regulations/dora
canonical: https://eurocomply.app/regulations/dora
title: Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector — EuroComply
shortName: DORA
alternateNames: [Digital Operational Resilience Act]
regulationNumber: (EU) 2022/2554
celex: 32022R2554
instrumentType: regulation
status: in-force
inForceDate: 2023-01-16
applicationDate: 2025-01-17
extraterritorialReach: true
sourceUrl: https://eur-lex.europa.eu/eli/reg/2022/2554/oj
officialJournalRef: OJ L 333, 27.12.2022, p. 1–79
lastReviewed: 2026-05-12
author: EuroComply Team
license: CC-BY-4.0
---

# Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is the EU's ICT-risk regulation for the financial sector. It requires financial entities to manage ICT risk, classify and report major incidents, regularly test their digital resilience, and oversee critical ICT third-party providers. It harmonises rules previously fragmented across banking, insurance, and investment legislation.

## Who does DORA apply to?

DORA applies to a broad set of financial entities and — uniquely — directly to ICT third-party service providers designated as critical to the EU financial system.

- Credit institutions, payment institutions, electronic-money institutions, investment firms
- Crypto-asset service providers (under MiCA), central securities depositories, central counterparties, trading venues
- Insurance and reinsurance undertakings, institutions for occupational retirement provision (IORPs), credit-rating agencies, audit firms (limited provisions)
- Critical third-party ICT service providers (CTPPs) designated by the European Supervisory Authorities

*Source: DORA Article 2 (Personal scope).*

## What are the penalties for DORA non-compliance?

Sanctions are set at national level for financial entities; CTPPs face a harmonised EU-level oversight regime with a specific periodic-penalty mechanism set in DORA itself.

**Maximum fine:** CTPPs: up to 1% of average daily global turnover, applied daily for up to six months. Financial entities: per national law.

*Source: DORA Article 35 (Powers of the Lead Overseer) and Article 50.*

**Tier detail:**

- Critical ICT third-party providers (periodic penalty payment): up to 1% of average daily global turnover, applied daily for a maximum of six months — Article 35(6)
- Financial entities: set by national law — Article 50

## When does DORA apply?

DORA entered into force on 16 January 2023 and applied directly from 17 January 2025 across the EU. National competent authorities began supervisory dialogues with in-scope entities in late 2024.

*Source: DORA Article 64 (Entry into force and application).*

**Key dates:**

- 2023-01-16 — Entry into force (Article 64)
- 2025-01-17 — Direct application across the EU (Article 64(2))

## How to maintain a DORA-compliant ICT third-party register

Article 28(3) requires financial entities to keep a Register of Information on all contractual arrangements with ICT third-party service providers and to make it available to the competent authority on request.

1. **Identify all ICT third-party service providers** — Map every contractual arrangement that involves the provision of ICT services, regardless of whether the provider is intra-group or external.
2. **Record the Implementing Technical Standards (ITS) fields** — Capture the fields prescribed by the ITS on the Register of Information (Commission Implementing Regulation (EU) 2024/2956): contract metadata, function description, criticality, location of data and service, sub-contracting chain, etc.
3. **Flag arrangements supporting critical or important functions** — Mark which arrangements support functions classified as critical or important — these trigger stricter contractual and exit-strategy requirements (Article 28(2)).
4. **Submit annually to the competent authority** — Submit the Register at least annually in the prescribed format; update it whenever a material change to an arrangement supporting a critical or important function occurs.

## Key statistic

**1% of daily global turnover** — Maximum daily periodic penalty payment the EU Lead Overseer can impose on a Critical Third-Party Provider for non-compliance with DORA's oversight measures (capped at six months).

*Source: Regulation (EU) 2022/2554, Article 35(6).*

## Supervising authorities

- European Banking Authority (EBA) *(EU)* — [https://www.eba.europa.eu/](https://www.eba.europa.eu/)
- European Securities and Markets Authority (ESMA) *(EU)* — [https://www.esma.europa.eu/](https://www.esma.europa.eu/)
- European Insurance and Occupational Pensions Authority (EIOPA) *(EU)* — [https://www.eiopa.europa.eu/](https://www.eiopa.europa.eu/)
- National competent authorities *(member-state)*
- ESAs Lead Overseer for CTPPs *(EU)*

## Sector applicability

- Financial services sector — full scope across banking, payments, securities, insurance, and crypto

## Primary articles

- **Scope:** Article 2
- **Proportionality:** Article 4
- **ICT risk framework:** Article 5
- **Simplified framework:** Article 16
- **Major incident reporting:** Article 19
- **Third-party register:** Article 28
- **Threat-led penetration testing (TLPT):** Article 26
- **CTPP oversight:** Article 35
- **Penalties:** Article 50
- **Entry into force:** Article 64

## Related EuroComply resources

- Hub: [/regulations/dora](https://eurocomply.app/regulations/dora)
- Penalties: [/regulations/dora/penalties](https://eurocomply.app/regulations/dora/penalties)
- Timeline: [/regulations/dora/timeline](https://eurocomply.app/regulations/dora/timeline)
- SME guide: [/regulations/dora/persona/sme-financial-entity](https://eurocomply.app/regulations/dora/persona/sme-financial-entity)
- Decision trees: [/decide/dora/applies](https://eurocomply.app/decide/dora/applies), [/decide/dora/in-scope](https://eurocomply.app/decide/dora/in-scope)

## Source

Authoritative text: [(EU) 2022/2554 — EUR-Lex](https://eur-lex.europa.eu/eli/reg/2022/2554/oj) (OJ L 333, 27.12.2022, p. 1–79).

---

Informational only. Not legal advice — consult qualified legal counsel for your specific situation.

Last reviewed: 2026-05-12 by the EuroComply Team. License: CC-BY-4.0.
