DORA: European Digital Operational Resilience Act


DORA is one of the key elements of the European Union (EU) Digital Finance Package, the aim of which is to support the digital transformation and innovation of the financial sector, as well as the use of new financial products in the EU, while preserving market integrity, financial stability and investor protection.

What is the objective of DORA?

This European regulatory framework addresses the risks posed by the digital transformation of financial services, the number of cyberattacks suffered by financial players and the increasing interconnection of critical infrastructures and networks.

Its main objective is to harmonise requirements at EU Member State level to ensure that all financial players have the necessary safeguards to mitigate cyberattacks and other risks related to information and communication technologies (ICT).

In short, the DORA regulation sets out uniform requirements to strengthen and harmonise the management of ICT and network and information system security risks at EU level.

This initiative is in line with the European Commission’s digital finance strategy, which aims to promote the adoption of innovative new technologies while ensuring financial stability and consumer protection.

With DORA, the approach to the concept of operational resilience is changing: all financial service providers must anticipate digital risks and disruptions. They must also prove that their organisation can withstand IT crises and that the operational stability of digital systems is ensured. They must have the ability to fight cyber risks and be able to act in case of emergency.

What does this new regulatory framework consist of?

It consists of two legislative acts, a regulation and a directive:

  • Regulation (EU) 2022/2554 of the Parliament and of the Council of 14 December 2022 on digital operational resilience (DORA).

  • Directive (EU) 2022/2556 of the Parliament and of the Council of 14 December 2022. The aim of this directive is to bring existing directives, such as CRD IV, PSD2, BRRD, Solvency 2, IORP 2, MiFID II and AIFM, into line with the DORA regulation.

For the first time in Europe, DORA provides a detailed framework on digital operational resilience for financial entities. This framework also provides for the establishment of a mechanism for directly monitoring providers of critical ICT services at EU level.

What is the timeline?

DORA came into force on 16 January 2023. In January 2025, financial institutions and third-party ICT providers will have to meet these new requirements on the operational stability of digital systems.