Skip to main content
DORADigital Operational Resilience ActICT risk managementEU financial regulationdata governancefinancial compliance

What Is DORA (Digital Operational Resilience Act)?

DORA — the Digital Operational Resilience Act — is the European Union regulation that establishes binding requirements for ICT risk management, incident reporting, operational resilience testing, and third-party oversight across the EU financial sector. Formally Regulation (EU) 2022/2554, DORA entered into force on January 16, 2023 and became fully applicable on January 17, 2025. Its goal is to make the EU financial system structurally resilient to ICT disruptions — from cyberattacks and cloud outages to software failures and third-party provider incidents.

For the first time, DORA gives EU regulators a single, harmonized framework to supervise the operational resilience of banks, insurers, investment firms, payment providers, crypto-asset service providers, and the critical technology providers they depend on. Where previous national regimes were fragmented and largely guidance-based, DORA converts operational resilience into a directly enforceable legal obligation — with penalties up to 2% of global annual turnover for the most serious breaches.

TL;DR

DORA is the EU's binding regime for ICT and operational resilience in financial services, applicable since January 17, 2025. It mandates five pillars — ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing — and rests on data governance capabilities: an asset and dependency inventory, data lineage to support incident classification, data catalog coverage for ICT third-party registers, and clear data ownership for accountable risk responses.

DORA Defined

DORA is built on a simple premise: financial stability now depends on digital infrastructure as much as on capital adequacy. A failed cloud region, a ransomware attack against a settlement system, or a compromised supplier API can disrupt critical financial functions in hours — and traditional capital-based regulation cannot prevent or contain those events. DORA codifies the controls and reporting that EU regulators consider necessary to make digital disruption a manageable, supervised risk category.

DORA is not a guideline. It is a Regulation — directly applicable in every EU member state without the need for transposing legislation. Its detailed technical requirements are spelled out in Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) developed by the European Supervisory Authorities (EBA, ESMA, EIOPA) and adopted by the European Commission. National competent authorities (NCAs) enforce DORA in their jurisdictions, and the Joint Supervisory Forum coordinates oversight of critical third-party providers at the EU level.

Who DORA Applies To

DORA's scope is broad. It applies to twenty categories of financial entities, including:

  • Credit institutions (banks)
  • Payment institutions and electronic money institutions
  • Investment firms, market operators, and trading venues
  • Central securities depositories and central counterparties
  • Insurance and reinsurance undertakings, intermediaries, and pension funds
  • Crypto-asset service providers under MiCA
  • Crowdfunding service providers, data reporting service providers, and credit rating agencies

DORA also reaches outside the financial sector to ICT third-party service providers that financial entities depend on. Those designated as Critical Third-Party Providers (CTPPs) — major cloud platforms, software vendors, and managed service providers — fall under direct EU-level supervision by a Joint Examination Team led by one of the European Supervisory Authorities. This is a structural shift: for the first time, EU financial regulators have direct supervisory authority over technology providers that are not themselves financial entities.

Proportionality applies. Small and non-interconnected investment firms, payment institutions, and similar entities benefit from a lighter regime. But the core requirements — an ICT risk management framework, incident reporting, and third-party oversight — apply broadly across the regulated population.

DORA's Five Pillars

DORA is organized around five operational requirements. Together they cover the lifecycle of digital risk in a financial institution.

1. ICT Risk Management

Financial entities must implement a comprehensive ICT risk management framework approved and overseen by the management body. The framework must cover identification of ICT-supported business functions, classification of supporting systems and dependencies, protection and prevention controls, detection, response and recovery procedures, learning and evolution from incidents, and communication. It must be documented, regularly reviewed, and adjusted in response to material changes.

The framework is not a checklist. DORA expects institutions to maintain a continuously updated inventory of ICT assets, dependencies, and information flows — including third-party dependencies — and to map those assets to the critical or important functions they support. Without this inventory, the other four pillars cannot function.

2. ICT-Related Incident Management, Classification, and Reporting

DORA requires processes to detect, manage, classify, and report ICT-related incidents. Major incidents must be reported to the relevant NCA within tight regulatory deadlines: an initial notification by 4 hours after classification (and no later than 24 hours after detection), an intermediate report within 72 hours, and a final report within one month. Significant cyber threats may also need to be reported voluntarily.

Meeting these deadlines requires the ability to rapidly answer questions like: which systems and data are affected, which critical functions depend on them, how many clients are impacted, and whether personal data was at risk. This is a data governance problem disguised as an incident response problem — the answer depends on how well the organization knows its data flows before an incident happens.

3. Digital Operational Resilience Testing

DORA mandates a structured program of resilience testing proportionate to the size and risk profile of the institution. All financial entities must conduct basic tests of ICT tools and systems. Larger and more significant institutions must additionally perform Threat-Led Penetration Testing (TLPT) at least every three years, following the TIBER-EU framework. Tests must be carried out by independent testers and cover live production systems with appropriate safeguards.

Tests are only useful if findings can be remediated and validated. That requires knowing which systems exist, which are critical, and what data they handle — turning the test program into a governance-driven cycle rather than a standalone IT exercise.

4. ICT Third-Party Risk Management

DORA imposes detailed requirements on contractual arrangements with ICT third-party service providers, including mandatory clauses for data access, audit rights, service levels, sub-contracting, exit strategies, and incident cooperation. Critical functions must have viable exit strategies; lock-in to a single provider for a critical service is a regulatory finding waiting to happen.

Every financial entity must maintain a Register of Information covering all contractual arrangements with ICT third-party providers — at the entity level, the group level, and per function supported. The Register is reported annually to NCAs and feeds the EU-level designation of Critical Third-Party Providers. The data fields, granularity, and structure are prescribed by the Implementing Technical Standards published by the European Supervisory Authorities.

5. Information and Intelligence Sharing

DORA encourages — and in some contexts facilitates — voluntary sharing of cyber threat information and intelligence among financial entities. Sharing arrangements must respect confidentiality, personal data protection under the GDPR, and competition law. Done well, intelligence sharing builds collective resilience faster than isolated defense; done badly, it creates new privacy and compliance exposure.

The governance prerequisite is data classification. Without clear tagging of what is shareable threat intelligence versus what is confidential business or personal data, sharing programs default to one of two failure modes: oversharing (creating GDPR risk) or undersharing (forgoing the value of the network).

DORA — Five Pillars and Data Governance DORA — FIVE PILLARS & GOVERNANCE BACKBONE Regulation (EU) 2022/2554 — fully applicable 17 Jan 2025 Enforced by national competent authorities; CTPP oversight at EU level 1. ICT Risk Management Identify · Protect Detect · Respond Recover · Learn Asset inventory 2. Incident Reporting 4h initial 72h intermediate 1 month final Data lineage 3. Resilience Testing Basic tests · TLPT Independent Every 3 years Dependency map 4. Third-Party Risk Mgmt Contracts · Exit CTPP oversight Register of Info Catalog + register 5. Info Sharing Threat intel Voluntary GDPR-safe Classification Data Governance Backbone — the same layer makes all five pillars operable Data catalog (assets & dependencies) · Lineage (system & field-level flows) · Classification (PII, criticality, materiality) Ownership (accountable parties) · Audit trail (immutable history) · Third-party register (contract metadata) Penalties & Enforcement Financial entities: up to 2% of global annual turnover · Natural persons: up to €1 million CTPPs: up to 1% of average daily worldwide turnover per day of non-compliance
Click to enlarge

Key Deadlines and Penalties

DORA's regulatory timeline is straightforward but consequential:

  • 16 January 2023 — DORA enters into force.
  • 17 January 2025 — DORA becomes fully applicable. Compliance is now actively supervised.
  • 30 April 2025 — First annual submission deadline for the Register of Information on third-party arrangements (subsequent years follow the same cycle).
  • 2026 and beyond — First wave of CTPP designations and dedicated supervisory examinations of those providers begin at EU level.

Penalties for non-compliance are calibrated to the seriousness of the breach. Administrative pecuniary penalties for financial entities can reach up to 2% of total annual worldwide turnover, with natural persons subject to fines up to €1 million. For Critical Third-Party Providers, the European Supervisory Authorities can impose periodic penalty payments up to 1% of the average daily worldwide turnover per day until compliance is achieved — a structure designed to make non-cooperation economically unviable for large cloud and software providers.

DORA is now in active supervision. NCAs have moved from awareness building to inspection. The institutions that struggle first are those whose Register of Information cannot be produced from authoritative systems — because the underlying contract and data inventory was never centralized in the first place.

DORA and Data Governance

Reading DORA's five pillars in isolation, it can look like a cybersecurity and IT operations regulation. Read together, a different picture emerges: DORA is a regulation about what financial institutions need to know about their own data and technology, and how quickly they need to know it. The five pillars all depend on the same underlying capability — a governed, machine-readable understanding of systems, data, dependencies, and ownership.

The data governance capabilities DORA presupposes:

  • Asset and dependency inventory — A data catalog covering ICT systems, datasets, data flows, and their links to business functions. Without this inventory, ICT risk management remains a documentation exercise.
  • System-level and column-level lineageData lineage and column-level lineage turn 4-hour incident reporting from a heroic effort into a routine query. When an incident is detected, lineage answers the regulator's first questions: which systems are affected, which functions depend on them, which customer data is in scope.
  • Classification metadata — Tagging that distinguishes critical or important functions from supporting ones, personal data from non-personal, and shareable threat intelligence from confidential information. Data classification is what makes both incident triage and information sharing safe at scale.
  • Ownership and stewardship — Documented data ownership for systems and datasets, so that incident response has named accountable parties from minute one rather than waiting for an organizational chart lookup.
  • Third-party register — Structured metadata about every ICT third-party arrangement, including the data categories shared, processing locations, sub-contractors, and contractual protections. This is the substance of the Register of Information that DORA requires entities to submit annually.
  • Audit trail — Immutable history of catalog changes, classification updates, and access decisions, so that supervisory reviews can reconstruct what the institution knew and when.

Institutions that have invested in this governance backbone find DORA compliance feasible and largely additive — the same catalog and lineage they built for analytics, AI readiness, and GDPR also serves DORA. Institutions that have not are facing a parallel and expensive build-out, often under deadline pressure.

DORA vs BCBS 239 vs GDPR

DORA sits alongside two other large EU data and risk regimes that financial institutions must satisfy simultaneously. Understanding how they overlap and differ helps avoid duplicate compliance programs.

  • BCBS 239 (Principles for Effective Risk Data Aggregation and Risk Reporting) — Basel Committee guidance focused on the timeliness, accuracy, completeness, and adaptability of risk data at significant banks. BCBS 239 and DORA overlap heavily on data lineage, governance, and incident-ready reporting, but BCBS 239 is principles-based supervisory guidance while DORA is a directly enforceable Regulation. Read the deeper comparison in BCBS 239, GDPR, and the lineage problem.
  • GDPR (General Data Protection Regulation) — Personal data protection regime applicable across all sectors. GDPR Article 30 requires records of processing activities, breach notification within 72 hours, and demonstrable accountability — requirements that overlap with DORA's incident reporting and asset inventory obligations for the personal data subset of the catalog.
  • NIS2 Directive — Cybersecurity baseline directive for essential and important entities across many sectors. DORA acts as lex specialis for financial entities: where DORA and NIS2 would apply to the same entity, DORA's more specific requirements prevail.

The practical implication is that financial institutions should build their data governance and risk infrastructure once, with a multi-regime model in mind. Three separate compliance programs for the same underlying data flows is a recipe for inconsistency and cost. One governed catalog, one lineage, one ownership model, and three regulator-ready views is the goal.

Conclusion

DORA is not an IT regulation. It is a data governance regulation written for the EU financial sector — and one that the rest of the EU regulatory ecosystem will increasingly look like over the next decade. The institutions that treat it as a strategic upgrade of their data infrastructure, rather than a documentation exercise, will spend less, comply more reliably, and find their resilience improving as a genuine byproduct. The institutions that treat DORA as a one-off compliance project will be doing it again in three years, at higher cost, under closer supervision, and with the credibility of the management body on the line.

See it in action

Interactive Data Lineage

Visualizing how data moves, transforms, and connects across systems, applications, and reports.

Table of contents

DORA DefinedWho DORA Applies ToDORA's Five PillarsKey Deadlines and PenaltiesDORA and Data GovernanceDORA vs BCBS 239 vs GDPR

Related Terms

Data Governance

Learn what data governance is, how to build a framework, and why it's essential for AI-ready organizations.

Read more →

Active Metadata

Learn what active metadata is, how it differs from passive metadata, and why it's transforming data governance automation.

Read more →

What Is AI Governance?

AI governance defines the policies, frameworks, and oversight for responsible AI use. Learn about EU AI Act, NIST AI RMF, ISO 42001, and the US-China-EU regulatory divergence.

Read more →

Business Intelligence (BI) Debt

BI debt management strategies for better decision-making and reduced operational costs

Read more →

What Is a Data Catalog?

Learn what a data catalog is, how it works, and why it's the foundation of modern data governance.

Read more →
Next step

Trusted data starts here.

Pick one problem. We map the data first, fix what's broken, then help your team trust every number.

Take the product tour
Business Values
Shared understanding Data Sharing Consistent Financial Reporting AI Governance
Technical Features
Data & Analytics Catalog Business Glossary Interactive Data Lineage Data Products Unstructured Data Governance MCP (Model Context Protocol)
Platform
Connectors AI-Powered Features Enterprise Deployment
Resources
Blog Events Glossary Newsroom Case Studies Data Governance Guide Data Catalog Comparison
Company
About us Career We are hiring! Contact us Support Partners
Legal
Terms of use Privacy policy SaaS Agreement EU Project
SOC 2 Type II certified URS - Information Security Management system ISO/IEC 27018 certified G2 Reviews Gartner Peer Insights capterra badge
© Dawiso s.r.o. All rights reserved