Regulation guide
DORA: the Digital Operational Resilience Act
The DORA regulation sets a single framework for digital operational resilience across the EU financial sector. This guide explains what it covers and what DORA compliance means for financial entities and their ICT providers.
The basics
What is the DORA regulation?
DORA compliance is operational, not paper
DORA compliance requires you to test resilience, evidence ICT risk management and prove oversight of critical third parties — continuously, not once a year.
Financial-sector focus
DORA applies to banks, insurers, investment firms and many other financial entities, plus their critical ICT third parties.
Five pillars
ICT risk management, incident reporting, resilience testing, third-party risk and information sharing form the backbone of DORA compliance.
One rulebook
The DORA regulation harmonises rules that were previously fragmented across member states and sectors.
The five pillars of DORA
ICT risk management
A governance and control framework for ICT risk.
Incident reporting
Classify and report major ICT-related incidents.
Resilience testing
Regular testing, including threat-led penetration testing.
Third-party risk
Oversight of critical ICT third-party providers.
Where to next
Tool and learn
GRC tooling
Keep DORA evidence and ICT risk data in one auditable place.
NIS2
Many obligations echo NIS2 — worth reading side by side.
DORA FAQs
What is the DORA regulation?
An EU regulation establishing uniform requirements for the digital operational resilience of the financial sector.
Who must achieve DORA compliance?
Financial entities across banking, insurance and investment, plus critical ICT third-party providers serving them.
How is DORA different from NIS2?
DORA is sector-specific to finance and, as a regulation, applies directly, whereas NIS2 is a directive transposed into national law.
Make DORA compliance operational.
Get the working read in the DORA webinar and tool it with open-source GRC.