The Digital Operational Resilience Act, officially Regulation (EU) 2022/2554, is a European Union regulation designed to strengthen the cybersecurity and operational resilience of financial entities. It mandates that firms, including banks and insurers, manage ICT risk, report major ICT-related incidents, and test their systems against digital disruption. It establishes a harmonised digital operational resilience framework for the financial sector across all 27 EU member states. It entered into force on 16 January 2023 and has applied since 17 January 2025, the aim being that banks, insurance companies, investment firms, and other financial entities can withstand, respond to, and recover from ICT disruptions such as cyberattacks or system failures.
The problem DORA was designed to address is structural. Prior to DORA, the regulations governing digital risk management varied from one EU member state to another, leading to inconsistencies and complexity for financial institutions operating across multiple jurisdictions. Firms doing business across borders faced a patchwork of national requirements. DORA replaces that patchwork with a single, binding framework that applies uniformly, which means, critically, that there is no longer any regulatory arbitrage available on digital operational resilience within the EU.
The objective is specific: the financial sector is increasingly dependent on technology and on technology companies to deliver financial services. When not managed properly, ICT risks can lead to disruptions of financial services offered across borders, impacting other companies, sectors and the broader economy. DORA exists to prevent that systemic risk from materialising.
Who and What is in Scope
DORA harmonises digital operational resilience requirements for approximately 22,000 financial entities across the EU, including banks, insurance companies, investment firms, payment institutions, and crypto-asset service providers. The scope is deliberately broad. It spans both traditional and emerging categories of financial activity.
DORA applies to financial entities operating within the EU regardless of where their parent company is based. Third-party ICT service providers are reached in two ways. Every provider, wherever it is established, is bound indirectly through the contractual provisions that DORA obliges its financial-entity customers to impose (service descriptions, audit and access rights, incident support, termination rights, and so on). Providers designated as critical by the European Supervisory Authorities are additionally placed under direct oversight, and a designated provider established outside the EU must set up a subsidiary in the EU within twelve months of designation. That extraterritorial reach is significant. A US-headquartered cloud provider supplying critical infrastructure to a Frankfurt bank is not outside DORA's reach by virtue of its location.
A proportionality principle applies: smaller entities with lower risk profiles may implement simplified frameworks rather than the full set of requirements. But proportionality does not mean optional. Every in-scope entity carries the obligation to demonstrate appropriate controls, scaled to its size and risk, and to evidence that its framework functions as designed.
Key Obligations: The Five Pillars
DORA structures its requirements around five interconnected components. They are not a menu from which institutions choose. They are cumulative obligations, each of which is subject to supervisory review.
- ICT Risk Management: Financial entities must establish comprehensive ICT risk management frameworks covering clear board-level governance and senior management accountability, independent ICT risk management functions with adequate resources, and documented policies covering the full lifecycle from identification through to recovery. The emphasis on documentation and governance is deliberate. Regulators expect to see not only that frameworks exist, but that they are embedded in how decisions are actually made, and that senior leadership is demonstrably accountable for their effectiveness.
- Incident Management, Classification and Reporting: Firms must have processes to detect, manage, log, and recover from ICT-related incidents. Each incident must be classified against the defined criteria (for example the number of clients and counterparties affected, the duration and geographical spread, the data losses, the criticality of the services affected, and the economic impact), and incidents that meet the major threshold must be reported to the competent authority in stages: an initial notification, followed by an intermediate report and a final report, each within the prescribed deadlines. Significant cyber threats may additionally be notified on a voluntary basis. The classification process is not discretionary. Firms must be able to demonstrate that their incident triage and reporting mechanisms are consistent, traceable, and defensible, which in practice means timestamps from detection through classification to submission that a supervisor can reconstruct.
- Digital Operational Resilience Testing: Financial entities must maintain a programme of regular resilience testing appropriate to their size and risk profile, covering their critical ICT systems and applications: vulnerability assessments and scans, gap analyses, scenario-based exercises, source code reviews where appropriate, and penetration testing. Entities identified by their competent authority must additionally undergo advanced threat-led penetration testing (TLPT) at least every three years, conducted against live production systems and covering the critical or important functions, including those run by third-party providers. The results of all tests must be documented, and identified weaknesses must be prioritised, remediated, and verified as closed. Testing is not a one-time exercise conducted for regulatory comfort. It is a recurring operational discipline, with remediation obligations attached to findings.
- ICT Third-Party Risk Management: Where financial entities outsource ICT services or rely on third-party providers, the financial entity remains responsible for the associated risk. It must conduct pre-contractual due diligence, include the contractual provisions DORA prescribes (a full description of the service and its service levels, the locations where data is processed, provisions on data protection and incident support, audit and access rights, termination rights, and, for services supporting critical or important functions, stricter terms including participation in TLPT), monitor the provider continuously, and maintain a register of information covering all its ICT third-party arrangements, which competent authorities may call for at any time. Institutions must also have documented and tested exit strategies so that a critical or important function can be transferred or brought back in-house without compromising operational continuity.
- Information-Sharing Arrangements: Entities are expected to have arrangements for sharing cyber threat intelligence and vulnerability information across the sector. This pillar is largely voluntary in its operational expression but reflects a broader regulatory expectation that financial institutions contribute to collective resilience, not only their own.
Why This Matters in Regulated Financial Services
For risk and compliance leaders, the significance of DORA is not primarily technical. It is structural.
Before DORA, the accountability for digital operational resilience sat implicitly with technology functions. Boards and senior management were expected to have oversight, but the governance architecture was rarely tested against a standard that required it to be operational rather than nominal. DORA changes that. The management body bears ultimate responsibility for managing the entity's ICT risk and must approve, oversee, and periodically review the framework, and its members are required to maintain sufficient knowledge to do so. DORA itself does not fix a fine amount for financial entities; it requires each member state to lay down administrative penalties and remedial measures that are effective, proportionate, and dissuasive, and those measures may be applied to the members of the management body and to other individuals responsible for a breach. For critical ICT third-party providers, the Lead Overseer may impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover for up to six months. The personal accountability dimension is not incidental. It is the regulatory mechanism by which responsibility is anchored at the level where it must sit.
For organisations with complex vendor landscapes, the third-party risk pillar carries immediate operational weight. The requirement is not only to have contracts in place that reference resilience standards. It is to be able to demonstrate, in a supervisory review, that vendors are being monitored, that contractual provisions are being exercised, and that the organisation has a credible, tested plan for what happens when a critical provider fails.
For change programmes and product functions, DORA introduces resilience requirements into the lifecycle of everything that touches ICT infrastructure. A product that relies on a third-party data provider, processes customer information through a cloud platform, or depends on a trading application for its operational continuity is not exempt from DORA’s requirements by virtue of being a product rather than an infrastructure component. The obligation flows through.
What Has Changed Since January 2025
The most consequential development is the designation of critical ICT third-party providers. European regulators designated 19 technology firms as critical third-party computing providers to the financial sector in November 2025, bringing them under direct supervisory oversight. The list includes the European arms of Amazon Web Services, Bloomberg, Google Cloud, IBM, the London Stock Exchange Group, Microsoft, Orange, and Tata Consultancy Services.
Cloud concentration is the dominant risk the designation reflects: over 65% of EU financial entities use at least two of the three major cloud infrastructure providers for critical functions. That concentration is now formally within the supervisory framework. For each designated provider a Lead Overseer among the ESAs will assess its governance, risk management, and security arrangements, may conduct inspections and request information, and will issue recommendations. Those recommendations are not binding on the provider in the way a supervisory decision is, but the provider must state whether it will follow them and justify any refusal, and financial entities using a provider that does not follow them must factor that into their own risk assessments and may be required by their competent authority to suspend or terminate the arrangement.
Critically, the designation of these 19 providers does not diminish the obligations of financial institutions. Firms remain fully accountable for ensuring their outsourcing arrangements meet DORA’s standards, regardless of whether their vendor is now supervised by the ESAs. Financial entities must continue to negotiate robust contractual protections, conduct their own risk assessments, and maintain detailed contingency plans. The designation is not a safe harbour. It is an additional supervisory layer, not a substitute for institutional accountability.
For UK-based institutions, the question of DORA’s relevance is no longer ambiguous. UK regulators — the FCA, the Bank of England, and the PRA — signed a Memorandum of Understanding with the European Supervisory Authorities in January 2026 to enhance cooperation and oversight of critical third parties. The UK’s parallel critical third party regime took effect on 1 January 2025 and is designed to be compatible with DORA. While no UK CTP designations have yet been made, initial designations are anticipated within the next twelve months, with the EU’s list providing a strong indication of which providers UK authorities are likely to target.
Meanwhile, the FCA and PRA published new rules this month introducing a framework for reporting serious operational incidents and material third-party arrangements, taking effect 18 March 2027. Firms with EU-based affiliates should consider the overlap with DORA, including whether existing compliance work can be leveraged across both regimes.
Risks, Challenges, and Strategic Opportunities
The risks are specific. Non-compliance exposes firms to supervisory action, personal liability for members of the management body, reputational damage, and operational restrictions, including orders to suspend or terminate arrangements with a third-party provider. The penalties are set nationally and must be dissuasive, and the oversight regime carries periodic penalty payments for critical providers that do not cooperate. But the more immediate risk, for most institutions, is the supervisory examination risk: being unable to produce, on request and at pace, evidence that controls are operating as documented.
The challenges are largely operational. Institutions with complex legacy technology estates, multiple third-party dependencies across geographies, and governance structures that were not designed for the pace of digital operational resilience management face implementation difficulty. The requirement to maintain a live register of ICT third-party arrangements, to classify and report incidents within prescribed timeframes, and to conduct and document resilience testing on a recurring basis is not onerous in principle. It is demanding in practice, particularly where data is fragmented and ownership is unclear.
The strategic opportunity, however, is real and should not be underestimated. DORA creates a single framework for ICT risk and resilience across a large set of EU financial entities. Firms that build genuine operational capability around its requirements, not documentation capability but operational capability, gain a defensible resilience posture that functions as a competitive differentiator in an environment of increasing regulatory scrutiny. The organisations that will be best positioned in supervisory examinations over the next three to five years are not those with the most complete set of policy documents, but those that have embedded DORA's disciplines into how they run their operations every quarter.

The question for risk and compliance leaders is not whether DORA applies to their institution. For most, it does. The question is whether the compliance posture they have built is operational or nominal: whether a supervisor examining your firm tomorrow would find live evidence of controls functioning as designed, or only documented policies and incomplete registers. That distinction is what DORA, in its enforcement phase, is designed to expose.
Aiversight works with risk and compliance leaders in regulated financial institutions on the governance architecture, accountability frameworks, and operating model conditions that turn regulatory obligations into demonstrable, defensible control. If DORA compliance in your organisation has reached a plateau and you need to understand what operational readiness actually looks like, we are available to discuss it.


