The Digital Operational Resilience Act (DORA) is a European regulation that requires financial institutions to structurally strengthen their digital resilience. This law has been applicable since 17 January 2025.
In our cheat sheet, we provide a compact overview of the most important obligations arising from DORA, such as risk management, ICT contracting, incident reporting, and audit requirements. All valuable for executives, compliance and IT teams who want to prepare for the entry into force of DORA.
Download nowDORA is a regulation of the European Union ("EU") aimed to strengthening the digital resilience of financial institutions against cyber threats and ICT-related risks. It requires financial institutions to implement measures for risk management, security of ICT systems, and incident reporting. The goal is for all EU countries to follow the same rules, so that the financial system is better protected against digital disruptions.
DORA primarily applies to "financial entities". The term "financial entities" is very broad. For example, it includes banks, payment service providers, insurance companies, electronic money institutions, and investment firms.
In addition, DORA applies to providers of ICT services to financial institutions. DORA aims to make both financial institutions and their third-party ICT systems and services more resilient. The regulation can even apply to ICT service providers outside the EU. This is the case when they provide services to financial institutions established in an EU Member State that must comply with DORA.
Non-compliance with DORA can lead to substantial fines and other measures. Supervisory authorities such as DNB (De Nederlandsche Bank) have the power to:
Request documents and data, including conducting inspections and investigations
Require that violations are ceased (temporarily or permanently)
Publicly disclose violations, including the name of the organization
Impose fines on financial institutions
Request specific data traffic overviews from telecom services
Furthermore, EU Member States may apply criminal penalties in accordance with national legislation.
Critical ICT service providers risk periodic penalty payments of up to 1% of their average daily worldwide turnover. These penalties can be imposed on a daily basis until full compliance is achieved.
17 January 2023: DORA entered into force.
17 January 2024: First batch of Regulatory Technical Standards published.
17 July 2024: Second and final batch of Regulatory Technical Standards published.
17 January 2025: Full compliance with DORA and Regulatory Technical Standards required.
DORA applies to the following financial entities:
Credit institutions
Payment institutions
Account information service providers
Electronic money institutions
Investment firms
Crypto-asset service providers
Central securities depositories
Central counterparties
Trading venues
Trade repositories
Alternative investment fund managers
Management companies
Data reporting service providers
Insurance and reinsurance undertakings
Insurance, reinsurance and ancillary insurance intermediaries
Institutions for occupational retirement provision
Credit rating agencies
Administrators of critical benchmarks
Crowdfunding service providers
Securitisation repositories
Yes, entity size is relevant for DORA. Certain types of financial institutions are subject to lighter requirements:
Micro-enterprises (a financial entity that is not a trading venue, central counterparty, trade repository, or central securities depository, employing fewer than 10 people with an annual turnover and/or balance sheet total not exceeding €2 million);
Small enterprises (a financial entity employing 10 to 50 people with an annual turnover and/or balance sheet total between €2 and €10 million); and
Medium-sized enterprises (a financial entity with 51 to 250 employees and an annual turnover not exceeding €50 million and/or an annual balance sheet total not exceeding €43 million).
DORA must be viewed in conjunction with the NIS2 Directive. NIS2 establishes obligations for cybersecurity risk management and incident reporting. NIS2 replaces the former European Network and Information Security Directive (NIS).
For this reason, there is also an overlap with the NIS2 Directive, as both contain similar obligations. However, the scope of the NIS2 Directive is broader. NIS2 applies to organizations in critical sectors, such as infrastructure, healthcare, digital infrastructure, and banking. The specific organizations that fall under this scope are specified in the annexes of NIS2. The NIS2 Directive also applies to a number of financial institutions. Therefore, the NIS2 Directive and DORA may both apply to your organization. When there is overlap or conflict between these two pieces of legislation, DORA takes prevails.
While DORA is a regulation and therefore directly applicable in all EU member states, the NIS2 Directive still needs to be transposed into national law (the Dutch Cybersecurity Act). Once the Cybersecurity Act is adopted, it will replace the current Network and Information Systems Security Act ("Wbni").