The Digital Operational Resilience Act (DORA) is the EU's landmark regulation requiring financial entities to manage their ICT risks and ensure operational resilience. It entered into force on January 16, 2023 and applies from January 17, 2025.
If you're a financial institution, insurance company, payment provider, or a critical ICT third-party service provider operating in the EU — DORA applies to you.
## What Is DORA?
DORA (Regulation (EU) 2022/2554) creates a unified framework for digital operational resilience across the EU financial sector. Unlike a directive, DORA is a regulation — meaning it applies directly without requiring national transposition.
DORA's five pillars:
- ICT Risk Management — Comprehensive framework for identifying, protecting, detecting, responding to, and recovering from ICT risks
- ICT-related Incident Reporting — Standardized classification and reporting of major ICT-related incidents
- Digital Operational Resilience Testing — Regular testing including threat-led penetration testing (TLPT)
- ICT Third-Party Risk Management — Managing risks from outsourcing and third-party ICT providers
- Information Sharing — Voluntary sharing of cyber threat intelligence between financial entities
## Who Must Comply with DORA?
| Category | Entities |
|---|---|
| Financial Entities | Banks, investment firms, insurance companies, payment institutions, fund managers, credit rating agencies, crypto-asset service providers, crowdfunding platforms |
| ICT Third-Party Providers | Cloud providers, data analytics, software vendors, and other critical ICT service providers designated by European Supervisory Authorities |
## ICT Risk Management Requirements
DORA requires financial entities to establish a comprehensive ICT risk management framework that includes:
- Governance — The management body is ultimately responsible for ICT risk management
- ICT risk management framework — Documented strategies, policies, and procedures
- Identification — Inventory of ICT assets, systems, and dependencies
- Protection and prevention — Security measures, access controls, patch management
- Detection — Monitoring and anomaly detection capabilities
- Response and recovery — Incident response plans, business continuity plans, disaster recovery
- Learning and evolution — Post-incident reviews and continuous improvement
## Business Continuity Under DORA
Articles 11 and 12 of DORA specifically address business continuity:
- Comprehensive ICT business continuity policy with clear objectives and priorities
- Business Impact Analysis (BIA) assessing the impact of severe disruptions
- Response and recovery plans covering all critical ICT-supported business functions
- Annual testing of BCPs and DR plans
- Crisis communication plans for both internal and external stakeholders
- Regular reviews and updates based on testing results and incidents
## DORA vs NIS2
| Aspect | DORA | NIS2 |
|---|---|---|
| Type | Regulation (directly applicable) | Directive (requires national transposition) |
| Scope | Financial sector specifically | Broad — essential and important sectors |
| Focus | ICT/digital operational resilience | General cybersecurity |
| Third-party oversight | Direct regulatory oversight of critical ICT providers | Supply chain risk management requirements |
| Testing | Mandatory TLPT every 3 years for significant entities | General testing requirements |
| Relationship | DORA is lex specialis — it takes precedence over NIS2 for financial entities | |
## Getting Started with DORA Compliance
- Assess your scope — Confirm whether your organization falls under DORA
- Gap analysis — Compare current ICT risk practices against DORA requirements
- ICT asset inventory — Map all systems, dependencies, and third-party providers
- Business Impact Analysis — Assess the impact of ICT disruptions on business functions
- Update BCP and DR plans — Ensure they meet DORA's specific requirements
- Third-party risk assessment — Evaluate and manage ICT provider dependencies
- Establish incident reporting — Implement classification and reporting procedures
- Testing program — Plan and execute resilience testing
- Train management — The management body must understand ICT risks
- Document everything — DORA requires comprehensive documentation
## How Sohvo Supports DORA Compliance
DORA's business continuity requirements align directly with Sohvo's core capabilities:
- ICT asset mapping — Document all technology resources and their interdependencies
- Business Impact Analysis — Set criticality scores, RTO/MTD targets, and assess disruption impact
- Risk assessment — Evaluate ICT risks linked to specific resources and processes
- Incident management — Track and manage ICT-related incidents
- Compliance dashboards — Monitor your operational resilience posture at a glance
