The DORA Regulation has become one of the most significant new rules for financial services operating in Europe. It establishes a uniform framework to strengthen how banks, fintechs, and other regulated entities prepare for and manage technology-related disruptions.

This article explains what the regulation covers, who must comply, and the specific requirements firms need to implement. It also highlights common compliance challenges, misconceptions that trip up founders and compliance officers, and the latest regulatory updates shaping supervisory expectations.

Our goal is to make the regulation practical and understandable. By the end, you’ll have a clear view of how DORA fits into the EU’s regulatory landscape, what it demands from financial entities, and where fintech companies in particular should focus their attention.

What Is the DORA Regulation?

The DORA Regulation is the European Union’s Digital Operational Resilience Act. It came into force in January 2025 and applies across all EU member states. Its purpose is to create a consistent rulebook for how financial institutions handle risks linked to technology and cyber incidents.

At its core, the regulation is about operational continuity. It requires financial entities to be able to withstand, respond to, and recover from technology-related events, including:

  • Cyberattacks

  • Software failures

  • Cloud outages

  • Cascading incidents at third-party providers

Before DORA, requirements for managing IT disruptions were scattered across multiple directives and national rules. Some firms followed European Banking Authority (EBA) guidelines, others relied on general data protection rules, and many fintechs operated in a patchwork of local expectations. DORA consolidates these into a single framework that applies uniformly across the EU.

Who Must Comply with the DORA Regulation

The scope of the DORA Regulation is intentionally broad. It applies to nearly all regulated financial entities in the EU, regardless of size. That means traditional institutions and newer fintech models are both covered.

Financial entities in scope include:

A major feature of DORA is its focus on third-party ICT service providers. Cloud platforms, SaaS vendors, and other technology partners that financial entities depend on must be contractually bound to meet DORA requirements. The regulation also allows EU supervisors to designate certain vendors as “critical ICT providers,” bringing them under direct oversight.

Importantly, DORA also affects non-EU companies. A US cloud provider, for example, may not be directly regulated by Brussels, but if it serves EU financial institutions, its clients will require contracts and processes aligned with DORA. In this way, the regulation extends its influence well beyond the EU’s borders.

Key Requirements Under the DORA Regulation

DORA sets out several pillars that financial entities must implement. These cover how firms manage ICT risk, respond to incidents, test their systems, work with vendors, and govern resilience at the leadership level.

ICT Risk Management Framework

Every covered entity must build a documented framework for managing technology risks. This includes identifying ICT assets, assessing vulnerabilities, defining controls, and maintaining business continuity and disaster recovery plans.

For smaller firms, the regulation allows simplified frameworks, but the expectation is that risk management remains proportionate and active.

Incident Reporting Rules and Timelines

DORA introduces mandatory reporting for major ICT incidents. A financial entity must notify its regulator within hours of classifying an event as “major.” Reports must follow set templates and include impact details such as customer numbers affected and service downtime. This short timeline means firms need tested incident response playbooks ready in advance.

Digital Operational Resilience Testing

Entities are required to conduct regular testing of their ICT systems. For most firms, this will mean:

  • Penetration testing

  • Vulnerability assessments

  • Recovery drills

  • Threat-led penetration testing (applicable to large institutions)

ICT Third-Party Risk Management

Firms must maintain an inventory of ICT service providers and assess their risk. Contracts with vendors must include specific DORA-required clauses covering audit rights, incident notification, subcontracting conditions, and exit strategies. Regulators expect firms to monitor ongoing performance and consider concentration risk, particularly in reliance on cloud providers.

Information Sharing Provisions

DORA encourages voluntary sharing of cyber threat intelligence among financial entities. The aim is to build sector-wide awareness of emerging risks and vulnerabilities.

While not mandatory, participation in industry groups or information exchange platforms can strengthen preparedness.

Governance and Accountability Expectations

Boards and senior management are responsible for operational resilience. Leadership must approve the ICT risk framework, receive regular updates on incidents, and allocate resources to resilience measures. This governance layer makes operational risk a strategic issue, not just a technical one.

Regulators and Oversight

The DORA Regulation is directly applicable across all EU member states, but a combination of national and EU-level authorities carries out supervision. Firms should understand how oversight is structured, as it determines who they report to and what guidance they follow.

Role of National Competent Authorities

Each EU member state’s financial regulator is responsible for the day-to-day supervision of DORA compliance. For example, BaFin in Germany or the AMF in France will oversee firms licensed in their jurisdictions. These authorities receive incident reports, review ICT frameworks, and impose penalties for non-compliance.

Role of the European Supervisory Authorities

At the EU level, three supervisory bodies coordinate DORA’s implementation. They do not supervise individual firms directly but instead create technical standards, coordinate across member states, and oversee critical ICT providers. Their work translates DORA’s broad principles into practical obligations for firms.

Authority: European Banking Authority (EBA)
Scope: Banks, credit institutions, and payment services
Contribution to DORA: Drafts technical standards on ICT risk management, incident reporting, and testing requirements for banking and payments firms.

Authority: European Securities and Markets Authority (ESMA)
Scope: Investment firms, broker-dealers, and trading venues
Contribution to DORA: Develops RTS/ITS covering incident classification, reporting templates, and resilience testing for securities markets.

Authority: European Insurance and Occupational Pensions Authority (EIOPA)
Scope: Insurance and pensions providers
Contribution to DORA: Issues technical standards for ICT third-party risk, resilience frameworks, and sector-specific guidance.

Together, the ESAs issue Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS). These set out details such as reporting templates, requirements for penetration testing, and rules for managing third-party ICT providers.

Oversight of Critical ICT Third-Party Service Providers

A defining feature of DORA is direct oversight of certain technology vendors. If a cloud provider, payments processor, or core banking software vendor is deemed “critical,” it can be designated for EU-level supervision.

Made up of experts from the ESAs, Joint Examination Teams will monitor these providers directly. This structure reflects the systemic risk that a failure at one major vendor could pose across multiple financial institutions.

DORA Timeline and Current Status

The DORA Regulation has been years in development, moving from proposal to adoption to enforcement. Understanding the timeline helps compliance teams place themselves in the present and anticipate what comes next.

Effective Date and Compliance Deadlines

  • 2020–2022: The European Commission proposed and negotiated DORA.

  • December 2022: DORA was formally adopted and published in the EU’s Official Journal.

  • January 2023: The regulation entered into force, starting a two-year implementation period.

  • January 17, 2025: DORA became fully applicable across all EU member states. Firms were expected to have frameworks, policies, and reporting structures in place by this date.

Recent Regulatory Updates and Technical Standards

Since adoption, the European Supervisory Authorities have been busy translating DORA into practical rules. For instance, the Regulatory Technical Standards (RTS) set criteria for classifying ICT incidents, templates for incident reporting, and detailed requirements for testing.

Implementing Technical Standards (ITS), by contrast, provide instructions on reporting formats and processes to harmonize supervision across member states. During 2024–2025, authorities have issued additional guidance on subcontracting arrangements, ICT concentration risk, and oversight of critical providers.

Regulators are treating 2025 as a transition year. While DORA is already in effect, supervisors are focusing on reviewing firms’ new frameworks, identifying gaps, and setting expectations before moving toward stricter enforcement.

Common Compliance Challenges

Even well-prepared firms are finding that DORA brings new operational and organizational hurdles. The regulation goes beyond traditional IT risk management, demanding coordination across compliance, legal, operations, and technology teams.

Resourcing and Expertise Gaps

Many fintechs operate with lean teams and may not have in-house resilience or cybersecurity specialists. Building out the skills to design risk frameworks, run testing programs, and meet reporting timelines can stretch already limited resources.

Vendor Dependency Risks

A large share of fintechs rely on third-party providers for infrastructure, payments, or compliance tools. Mapping these dependencies and renegotiating contracts to meet DORA’s requirements is a heavy lift. Smaller firms may struggle to influence larger cloud or SaaS providers to amend agreements.

Incident Detection and Reporting Speed

DORA requires notification within hours of classifying an incident as “major.” Without robust monitoring, firms may not detect issues quickly enough. Even when detected, escalation and data gathering must happen fast to meet reporting obligations.

Testing Obligations and Capacity Constraints

Regular penetration testing, recovery drills, and vulnerability assessments are expected. Larger players may also face mandatory threat-led penetration testing. Smaller entities often lack the internal staff to manage these exercises and must budget for external support.

Cost and Prioritization Issues

Compliance requires investment in new processes, tools, and external expertise. For startups, the challenge is deciding what to prioritize first. Regulators allow proportionality, but firms still need to show tangible progress across all areas.

Misconceptions About the DORA Regulation

Despite extensive coverage, many firms still misinterpret what DORA does and does not require. Addressing these misconceptions early can save compliance teams from missteps.

Here are the four most common misconceptions about DORA:

Applicability to Non-EU Firms

Some assume DORA applies only to EU-based companies. In reality, any non-EU service provider working with EU financial institutions will feel its impact. Contracts with European clients must include DORA-mandated clauses, and those clients will expect their vendors to align with DORA standards.

Here’s an example: a US-based cloud hosting provider supplies infrastructure to several EU digital banks. The banks are required under DORA to have audit rights, incident notification clauses, and exit strategies in their vendor contracts. Even though the cloud provider is outside the EU, it must accept these contractual terms or risk losing its EU clients.

Proportionality for Small Firms

Founders at smaller fintechs sometimes believe they are exempt. That’s not the case. While the regulation allows for “simplified” frameworks, the basic requirements like incident reporting, vendor oversight, and governance still apply. Small size may affect the depth of controls, but not the obligation itself.

“We’re Already Compliant via ISO/NIST” Assumptions

International frameworks like ISO 27001 or NIST CSF provide a solid base, but they are not the same as DORA. For example, they don’t impose strict deadlines for incident reporting to regulators, nor do they require specific contractual clauses with ICT providers. A gap analysis is needed to bridge the difference.

Outsourcing and Accountability Misunderstandings

A frequent error is assuming responsibility shifts to the vendor once services are outsourced. DORA makes clear that accountability remains with the financial entity. Even if a cloud provider experiences a disruption, regulators will look to the financial firm for compliance with reporting and continuity obligations.

Practical Steps to Prepare for DORA Compliance

Meeting DORA requirements is less about one-time projects and more about building ongoing capabilities. The following steps help compliance teams structure their approach and demonstrate progress to regulators.

Perform a Gap Analysis

Start by mapping existing policies, controls, and vendor arrangements against DORA’s requirements. A structured gap analysis identifies what is already in place and where remediation is needed. Many firms use external consultants for this stage to speed up the review and get an independent perspective.

Update ICT Risk Management Policies

Firms should update risk frameworks to reflect DORA’s expectations. That means documenting ICT assets, risk assessment processes, continuity plans, and governance procedures at the board level. Even firms with strong cybersecurity practices often find they need more structured reporting lines and board involvement than before.

Review and Amend Vendor Contracts

Vendor agreements must now include specific DORA clauses. These cover:

  • Audit rights

  • Incident reporting obligations

  • Subcontracting conditions

  • Exit strategies

For fintechs that depend heavily on cloud providers or API-based vendors, reviewing and renegotiating contracts can take time and requires legal and compliance teams to work closely together.

Build Incident Response and Reporting Workflows

Incident response plans need to be more detailed and faster than many firms are used to. Once firms classify an incident as “major,” the regulation requires notification within hours. That means escalation procedures must be tested so teams can quickly gather facts, classify the event, and prepare the required report under pressure.

Plan Proportionate Testing Cycles

Testing obligations vary by size and systemic importance, but all firms must show they are actively validating their defenses. For smaller entities, that may mean scheduling regular penetration tests and recovery drills. Larger players may face threat-led penetration testing, a more advanced and resource-intensive process supervised by regulators.

Train Leadership and Staff

Boards and senior management are accountable for resilience under DORA. Training programs should cover both cyber hygiene for employees and governance duties for executives. Many firms are adding DORA-focused workshops for their boards to make sure directors understand the reporting deadlines and the expectation of oversight.

How the DORA Regulation Interacts with Other Rules

The DORA Regulation is only one piece of the broader regulatory puzzle. Financial services firms rarely deal with a single rule in isolation. Most operate under multiple regimes that touch on cybersecurity, data protection, outsourcing, or operational resilience.

Understanding how DORA fits alongside these other frameworks helps compliance teams avoid duplication and spot where obligations overlap.

Relationship with NIS2

The NIS2 Directive sets baseline cybersecurity rules for many critical sectors across the EU. For financial services, however, DORA is the specialized rulebook. In practice, this means that when requirements overlap, DORA takes priority. For instance, a payments firm will follow DORA’s incident reporting format rather than NIS2’s general template.

Intersection with MiCA for Crypto Firms

The Markets in Crypto-Assets (MiCA) regulation explicitly brings crypto-asset service providers under DORA’s scope. A crypto exchange licensed in the EU must therefore meet both MiCA’s conduct and capital rules, and DORA’s resilience and incident management standards.

This dual compliance burden is new for many crypto firms, which historically focused more on financial licensing than on operational resilience.

GDPR and Data Breach Reporting Overlaps

A cyber incident often triggers obligations under both GDPR and DORA. GDPR requires notifying data protection authorities within 72 hours of discovering a personal data breach. DORA, by contrast, requires ICT incident reporting to financial regulators within hours once classified as major.

The two regimes overlap but differ in focus:

  • GDPR: Protects personal data and centers on privacy. Reports go to data protection authorities.

  • DORA: Focuses on operational resilience and continuity of financial services. Reports go to financial regulators.

Firms need workflows that coordinate both obligations so they don’t miss a deadline or provide inconsistent reports.

UK Operational Resilience Regime

Since the UK is no longer bound by EU law, it has developed its own operational resilience rules. These cover impact tolerances, continuity planning, and outsourcing oversight.

While conceptually similar to DORA, the UK’s framework extends beyond ICT risks to broader operational risks. Firms operating across both jurisdictions must carefully align programs to avoid duplication while still meeting each regulator’s expectations.

What to Expect with the DORA Regulation

Now that DORA is fully in effect, regulators and firms are moving from preparation to practical implementation. The first phase of supervision will focus less on punitive action and more on understanding how firms are applying the rules in practice.

Early Supervisory Focus Areas

Supervisors are likely to review:

  • How firms classify and escalate ICT incidents

  • Whether reporting workflows are workable under the short deadlines

  • How firms have updated vendor contracts with DORA-mandated clauses

  • Evidence that boards are engaged and that ICT risk frameworks are formally approved

These areas are considered foundational and give regulators a clear picture of whether firms are treating DORA as more than a box-ticking exercise.

Critical ICT Provider Designations

A major development expected in the coming years is the designation of “critical ICT third-party service providers.” DORA may extend direct EU-level oversight to cloud platforms, payment processors, and large technology vendors supporting many financial institutions.

Once designated, these providers will face coordinated examinations by Joint Examination Teams, which may also involve cooperation from the providers’ financial-entity clients.

Potential Enforcement Trends

Regulators have made it clear that 2025 is a transition year, but firms should not assume leniency will last. Early enforcement could target firms that:

  • Miss incident reporting deadlines

  • Lack adequate vendor oversight

  • Show weak governance engagement at the board level

Over time, penalties may escalate, potentially approaching the scale of sanctions seen in GDPR enforcement.

Key Takeaways for Fintechs and Financial Institutions

The DORA Regulation represents a shift in how the EU supervises financial services. It puts operational resilience on the same level as capital, conduct, and consumer protection. For fintechs, banks, and other regulated entities, that means resilience is no longer optional or siloed within IT. It is a regulatory obligation with board-level accountability.

At InnReg, we work with fintechs and financial institutions to translate complex rules like the DORA Regulation into practical compliance programs. Our team combines deep regulatory expertise with hands-on experience in fintech business models, helping clients build resilience without slowing innovation.

If you’re preparing for DORA or need support in managing ongoing compliance, connect with us. InnReg can act as your outsourced compliance team or provide targeted guidance where you need it most.

How Can InnReg Help?

InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013.

We are especially effective at launching and scaling fintechs with innovative compliance strategies and delivering cost-effective managed services, assisted by proprietary regtech solutions.

If you need help with compliance, reach out to our regulatory experts today:

Published on Sep 14, 2025 · Last updated on Sep 14, 2025

© 2025 InnReg LLC

305-908-1160

LinkedIn Innreg
X InnReg

9100 S Dadeland Blvd
Suite 1500
Miami, Florida 33156

The content provided on this website is for informational purposes only and does not constitute legal, investment, tax, or other professional advice. InnReg LLC is not a law firm, tax advisor, or regulated financial institution. Viewing this site or contacting InnReg does not create a client relationship. Results described in case studies or testimonials may not be typical and do not guarantee future outcomes. Tools, spreadsheets, or guides available on this site are provided for illustrative purposes only and should not be relied upon without professional guidance. Any links to third-party websites are provided for convenience and do not constitute endorsement or responsibility for their content. The information on this site may not be applicable in all jurisdictions. While we strive to provide accurate content, we make no representations as to its completeness or timeliness. Some visual assets on this site are sourced from Freepik.