Regulation guide

DORA: the Digital Operational Resilience Act

The DORA regulation sets a single framework for digital operational resilience across the EU financial sector. This guide explains what it covers and what DORA compliance means for financial entities and their ICT providers.

The basics

What is the DORA regulation?

DORA compliance is operational, not paperwork

DORA compliance requires you to test resilience, evidence ICT risk management and prove oversight of critical third parties — continuously, not once a year.

Financial-sector focus

DORA applies to banks, insurers, investment firms and many other financial entities, plus their critical ICT third parties.

Five pillars

ICT risk management, incident reporting, resilience testing, third-party risk and information sharing form the backbone of DORA compliance.

One rulebook

The DORA regulation harmonises rules that were previously fragmented across member states and sectors.

The five pillars of DORA

ICT risk management

A governance and control framework for ICT risk.

Incident reporting

Classify and report major ICT-related incidents.

Resilience testing

Regular testing, including threat-led penetration testing.

Third-party risk

Oversight of critical ICT third-party providers.

Where to next

Tooling and further reading

Compare open-source GRC tooling and read the NIS2 guide to see where the two regimes overlap.

GRC tooling

Keep DORA evidence and ICT risk data in one auditable place.

NIS2

Many obligations echo NIS2 — worth reading side by side.

DORA FAQs

What is the DORA regulation?

An EU regulation establishing uniform requirements for the digital operational resilience of the financial sector.

Who must achieve DORA compliance?

Financial entities across banking, insurance and investment, plus critical ICT third-party providers serving them.

How is DORA different from NIS2?

DORA is sector-specific to finance and, as a regulation, applies directly, whereas NIS2 is a directive transposed into national law.

Make DORA compliance operational

Watch the DORA webinar for the practical walkthrough, then support the work with open-source GRC tooling.