The Digital Operational Resilience Act — Regulation (EU) 2022/2554, commonly known as DORA — entered into force on 16 January 2023 and became fully applicable on 17 January 2025. It establishes a binding, harmonised framework for digital operational resilience across the EU financial sector, replacing the patchwork of national guidelines and EBA/EIOPA expectations that previously governed ICT risk management.
DORA's core premise is straightforward: financial institutions must be able to withstand, respond to, and recover from ICT-related disruptions and threats. The regulation translates that objective into five operational pillars — ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing — each with its own set of obligations, timelines, and reporting templates.
For compliance officers and risk managers, DORA is not simply another technology policy. It carries supervisory reporting obligations that sit alongside COREP and FINREP in the regulatory calendar, with structured data submissions to competent authorities under formats now increasingly governed by XBRL taxonomies.
