Compliance Resource Center

DORA: Understanding the Digital Operational Resilience Act

Crack the code of DORA compliance with this hub of all useful resources on the regulation — your ultimate guide to the Digital Operational Resilience Act.

What Is DORA?

The Digital Operational Resilience Act (DORA) is a regulation (no. 2022/2554) adopted by the European Union in December 2022 to govern the cybersecurity of financial entities, such as banks and credit institutions.

When Will DORA Come into Force?

The Digital Operational Resilience Act will come into force on January 17, 2025. This effective date is set at 24 months after publication of the regulation in the Official Journal of the EU, as stipulated in Article 64.

Why Is DORA Necessary?

The purpose of DORA, as stated in its Recital 105, is to achieve a high level of digital operational resilience for regulated financial entities.

Digital operational resilience is defined as the ability of a financial entity to build, assure, and review its operational integrity and reliability. This includes ensuring the security of network and information systems, whether through direct means or indirectly by using services provided by ICT third-party service providers.

The ultimate goal is to maintain the operational continuity of financial services within the European Union, even in the face of disruptions, incidents, or attacks. DORA marks a paradigm shift from a defensive vision of security to a global resilience of the financial sector. It’s no longer a question of defending, but of resisting.

Which Financial Organizations Are Regulated by DORA?

The Digital Operational Resilience Act applies to 21 types of entities. Here they are as described in Article 2:

  • Credit institutions;
  • Payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366;
  • Account information service providers;
  • Electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC;
  • Investment firms;
  • Crypto-asset service providers and issuers of asset-referenced tokens;
  • Central securities depositories;
  • Central counterparties;
  • Trading venues;
  • Trade repositories;
  • Managers of alternative investment funds;
  • Management companies;
  • Data reporting service providers;
  • Insurance and reinsurance undertakings;
  • Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
  • Institutions for occupational retirement provision;
  • Credit rating agencies;
  • Administrators of critical benchmarks;
  • Crowdfunding service providers;
  • Securitisation repositories;
  • ICT third-party service providers.

DORA: All Useful Resources

Our DORA Compliance Guides

Below you can download our two free compliance guides to help DORA-regulated organizations navigate the requirements introduced by the regulation.

DORA: A Complete Guide to Compliance for the Financial Sector

A 50-page guide to walk CISOs, DPOs and legal departments through the EU regulation. No mumbo jumbo, only useful and actionable insights.


DORA: A Guide to Security Testing for Regulated Entities

A 60-page compliance guide to walk security managers of DORA-regulated entities through the regulation's security testing obligations: the resilience testing program, and Threat-Led Penetration Testing (TLPT).


Need to conduct security testing for DORA compliance?

Contact us or schedule an appointment to learn more about our Offensive Security tests for DORA-regulated entities — Pentest as a Service (PtaaS), Red Teaming and TLPT, etc.