Digital Operational
Resilience Act
(DORA) Compliance

DORA stands for the Digital Operational Resilience Act, formally Regulation (EU) 2022/2554. It is binding EU law on the operational resilience of financial entities and their critical ICT third-party providers. The acronym is sometimes confused with the Colorado Department of Regulatory Agencies (also DORA), which is unrelated to EU financial regulation.

DORA was adopted on 14 December 2022 and entered into force on 16 January 2023. The two-year preparation period ended on 17 January 2025, when the regulation became applicable under Article 64. Financial entities have been required to comply since 17 January 2025; designated critical ICT third-party providers (CTPPs) become directly subject to the Chapter V oversight framework only after Article 31 designation and notification, which the European Supervisory Authorities began on 18 November 2025.

Yes, for in-scope entities. DORA is a binding EU regulation that applies directly across all 27 member states without national transposition. Financial entities listed in Article 2 must comply with the Chapter II to V obligations and the Chapter VI information-sharing conditions where they participate. Designated critical ICT third-party providers are subject to the Chapter V oversight framework directly following Article 31 designation.

DORA compliance means meeting the obligations across the five substantive chapters of the regulation: ICT risk management under Chapter II (Articles 5 to 16), ICT-related incident management and reporting under Chapter III (Articles 17 to 23), digital operational resilience testing including threat-led penetration testing under Chapter IV (Articles 24 to 27), management of ICT third-party risk and the oversight framework for designated critical providers under Chapter V (Articles 28 to 44), and information-sharing arrangements under Chapter VI (Article 45).

DORA does not formally use the term "pillars". The five substantive obligation areas live in Chapters II to VI. Chapter II covers the ICT risk-management framework (Articles 5 to 16). Chapter III covers ICT-related incident management, classification, and reporting (Articles 17 to 23). Chapter IV covers digital operational resilience testing, including threat-led penetration testing under Article 26 for entities identified by competent authorities (Articles 24 to 27). Chapter V covers management of ICT third-party risk and the oversight framework for designated critical ICT providers (Articles 28 to 44). Chapter VI covers voluntary information-sharing arrangements (Article 45).

Article 2(1)(a)–(t) lists over 20 categories of financial entities, including credit institutions, payment and e-money institutions, investment firms, crypto-asset service providers and issuers of asset-referenced tokens, central securities depositories, central counterparties, trading venues, trade repositories, alternative investment fund managers, management companies, data reporting service providers, insurance and reinsurance undertakings, insurance and reinsurance intermediaries, IORPs, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, and securitisation repositories. Article 2(3) sets exclusions and Article 2(4) gives Member States options. ICT third-party providers are listed separately at Article 2(1)(u) and are directly subject to DORA only after Article 31 designation as critical.

Under Article 19 and Commission Delegated Regulation (EU) 2025/301 Article 5, financial entities submit an initial notification within 4 hours after classifying a major ICT-related incident (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month of the latest updated intermediate report. Entities can also report significant cyber threats voluntarily under Article 19(2).

For financial entities, Article 50 requires member states to set effective, proportionate, and dissuasive administrative penalties in national law; sanctions are not harmonised into one EU-wide cap. For designated critical ICT third-party providers under the Chapter V oversight framework, Article 35(7) and (8) allow the lead overseer to impose periodic penalty payments of up to 1% of the average daily worldwide turnover in the preceding business year, for a maximum of six months.

Modulos automates the governance, risk, and compliance workflow across DORA’s five substantive chapters (II to VI): ICT risk-management framework documentation, incident records, resilience-testing evidence, third-party risk registers and contracts, and audit trails for supervisory reviews. Controls map across DORA, NIS2, ISO/IEC 27001, ISO/IEC 42001, the EU AI Act, and SOC 2 simultaneously, which matters for financial entities running multi-framework compliance programs.