[ FRAMEWORK · EUROPEAN UNION ]
DORA, tracked end to end.
The Digital Operational Resilience Act (DORA) is the EU's harmonised regime for ICT risk management, incident reporting, resilience testing and third-party risk oversight across the financial sector. It applies to roughly 22,000 financial entities and their critical ICT providers.
[ LEGISLATION ]
DORA at a glance.
- Full name: Digital Operational Resilience Act
- Jurisdiction: European Union
- Legal basis: Regulation (EU) 2022/2554
- In force: 17 January 2025
[ WHO IT COVERS ]
Who has to comply with DORA.
- Credit institutions, payment institutions, EMIs and account-information service providers
- Investment firms, trading venues, central counterparties, central securities depositories
- Insurance and reinsurance undertakings and insurance intermediaries
- UCITS and alternative investment fund managers
- Crypto-asset service providers authorised under MiCA
- Critical third-party ICT service providers designated by the ESAs
[ KEY REQUIREMENTS ]
What DORA requires.
1. ICT risk-management framework proportionate to size, nature and risk profile
2. Major ICT-related incident classification, notification and reporting to NCAs
3. Digital operational resilience testing programme, including threat-led penetration testing (TLPT) for significant entities
4. Third-party ICT risk management including registers, concentration-risk monitoring and exit strategies
5. Contractual provisions with ICT service providers aligned with DORA Article 30
6. Oversight arrangements for critical ICT third-party providers (CTPPs) coordinated by the ESAs
[ TRY IT ]
See every DORA obligation in your workspace.
14-day trial across up to 8 jurisdictions. DORA Level 2 standards, guidance, and enforcement — all tracked.
[ WHAT XHS™ MONITORS ]
DORA surface area, in one workspace.
- Level 2 Regulatory and Implementing Technical Standards from the ESAs
- Level 3 Guidelines and Q&A from EBA / ESMA / EIOPA
- Joint Committee publications on CTPP oversight
- National competent authority guidance on DORA supervision
- Cross-references with MiCA, PSD2/PSD3, CRD/CRR and the NIS2 Directive
- Practical supervisory expectations from the ECB, EIOPA-led colleges and joint examinations
[ TIMELINE ]
DORA milestones.
- 27 December 2022 — DORA published in the Official Journal
- 17 January 2023 — DORA entered into force (start of the 24-month transition)
- 17 January 2025 — DORA fully applicable across the EU
- 2025–2026 — rolling ESAs technical standards and Guidelines package
[ QUESTIONS ]
DORA, answered.
How does XHS™ Copilot help with DORA compliance?
XHS™ Copilot tracks every ESAs Level 2 and Level 3 deliverable, joint committee publication and NCA guidance under DORA. Lens™ AI maps each change to your firm type and flags obligations where the implementation window is tight.
When did DORA come into force?
DORA entered into force on 17 January 2023 and became fully applicable on 17 January 2025 after a 24-month transition period. Firms in scope were expected to be DORA-compliant by that application date.
Who does DORA apply to?
DORA applies to approximately 22,000 financial entities in the EU — credit institutions, investment firms, payment institutions, EMIs, insurers, fund managers, trading venues, CCPs, CSDs and MiCA-authorised CASPs — plus critical ICT third-party service providers designated by the ESAs.
What is threat-led penetration testing (TLPT) under DORA?
TLPT is advanced resilience testing modelled on real-world threat scenarios, carried out on live production systems by independent testers. Under DORA it is required for significant entities at least every three years, using a methodology aligned with the EU TIBER framework.
How does DORA relate to NIS2?
DORA is lex specialis for the financial sector — where DORA and NIS2 both cover a topic, DORA prevails for in-scope financial entities. However, NIS2 remains relevant for ICT service providers and adjacent entities that are not themselves regulated financial firms.
See every DORA change in your workspace.
14-day free trial. Up to 8 jurisdictions. Cancel any time. No credit card.