DORA is the EU Regulation on digital operational resilience for the financial sector, which entered
into force in December 2022. It introduces new ICT risk requirements, but also consolidates and
upgrades existing ones.
The compliance deadline is January 2025. In 2024, the financial sector and its ICT providers are busy implementing the necessary security measures and producing the required reporting artefacts.
The new requirements apply to the following financial entities:
(a) credit institutions;
(b) payment institutions;
(c) account information service providers;
(d) electronic money institutions;
(e) investment firms;
(f) crypto-asset service providers;
(g) central securities depositories;
(h) central counterparties;
(i) trading venues;
(j) trade repositories;
(k) managers of alternative investment funds;
(l) management companies;
(m) data reporting service providers;
(n) insurance and reinsurance undertakings;
(o) insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries;
(p) institutions for occupational retirement provision;
(q) credit rating agencies;
(r) administrators of critical benchmarks;
(s) crowdfunding service providers;
(t) securitization repositories;
(u) ICT third-party service providers.
ICT third-party providers include, for instance, telecommunication networks, software providers,
hardware providers and cloud computing providers. All such companies providing services to the
financial entities listed above fall within the scope of DORA.
DORA addresses ICT risk through targeted rules on ICT risk-management capabilities, incident
reporting, operational resilience testing (including penetration testing) and ICT third-party risk
monitoring. Its key requirements are organised around five pillars: an ICT risk management framework; gathering
information on vulnerabilities, cyber threats and incidents; ICT-related incident management,
classification and reporting; managing ICT third-party risk; and information-sharing.
On 17 January, three Regulatory Technical Standards (RTS) were adopted: the RTS on the ICT risk
management framework and on the simplified ICT risk management framework, the RTS on the
classification of major incidents and significant cyber threats, and the RTS specifying the policy on
ICT services supporting critical or important functions.
