Introduction
This Quick view offers a high-level overview of the regulatory requirements, technical standards and guidelines under the Digital Operational Resilience Act, Regulation (EU) 2022/2554 (DORA). It is designed to assist legal and compliance teams, in-house counsel and private practitioners. It also provides guidance to information and communication technology (ICT) third-party service providers who may now fall within the scope of DORA.
This Quick view covers:
- Digital operational resilience and ICT risk management
- Key elements of DORA compliance
- Tracking the Level 2 rules
This Quick view can be used in conjunction with the Quick view: Understanding the application and scope of DORA.
1. Digital operational resilience and ICT risk management
1.1 Risk mitigation and resilience
DORA establishes a unified regulatory framework to enhance digital operational resilience and ICT risk management across the entire financial system. DORA’s goal is to ensure that the financial sector across the EU can remain resilient in the face of severe operational disruption. DORA forms part of the EU’s Digital finance package to support the digital transformation of finance while regulating associated risks to ensure consumer protection and financial stability.
In their 2024 statement on the application of DORA, the European Supervisory Authorities (made up of the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA)) (commonly known as the ESAs) emphasised:
- the importance of financial entities adopting a robust, structured approach to meet their obligations in a timely manner; and
- the need for ICT third-party service providers that consider they may meet the criticality criteria to assess their operational set-up against DORA requirements.
1.2 Financial entities
DORA applies to a wide range of financial entities including banks, insurance companies, investment firms, payment service providers and electronic money institutions (among others). For a full list of in-scope entities and of those that are excluded, please refer to article 2 of DORA. If the financial entity is on the list and no exemption applies, the DORA requirements are likely to apply.
Prior to the implementation of DORA, financial entities had to adhere to existing regulatory expectations for ICT risk management, incident reporting and outsourcing rules, such as the EBA’s Guidelines on outsourcing arrangements. However, the scope of DORA is broader and may impact financial entities that were not previously subject to these regulatory requirements such as smaller firms. This expansion in scope addresses perceived gaps in existing frameworks and aims to mitigate potential systemic risks arising from increased outsourcing practices, ICT third-party concentration and heightened exposure to cyberattacks and threats.
Financial entities must align their practices and policies to enhance digital operational resilience under DORA. This includes conducting thorough operational resilience testing; identifying and reporting ICT-related incidents; maintaining comprehensive registers of information by 30 April 2025 (prioritising critical providers); and reviewing and updating ICT contracts to comply with DORA’s mandatory clause requirements. Note that contracts with third-party providers supporting critical or important functions are subject to more detailed requirements.
Board directors and senior management must actively participate in the risk management framework. In-scope financial entities should review existing internal governance arrangements and provide adequate training to the board and senior management. Overall responsibility for defining, approving and overseeing the ICT risk management framework rests with them. Failure to comply could result in regulatory sanctions for financial entities and critical ICT third-party service providers (see section 1.3 below). DORA outlines specific administrative penalties and remedial measures that regulators can impose in the event of non-compliance (see article 50). Potential penalties include substantial fines, operational restrictions, reputational damage and risk of personal liability for board members.
1.3 ICT third-party service providers
1.3.1 Direct impact
A new area of direct regulation applies to ICT third-party service providers that the ESAs designate as critical to the European financial system (critical ICT third-party providers, or CTPPs). These providers will be subject to an EU oversight framework, facing significant penalties for non-compliance. CTPPs not yet established in the EU must set up an EU subsidiary. For the first time, this will bring these firms within the EU regulatory perimeter and subject them to EU-wide supervision. The ESAs have far-reaching powers to request information, undertake investigations and impose significant financial penalties in the event of non-compliance.
The ESAs will collaborate to oversee CTPPs and have now issued a roadmap to the designation of CTPPs under DORA. The ESAs plan to organise an online workshop with ICT third-party providers in the second quarter of 2025 to offer the market guidance on preparatory activities, the designation process and the ESAs’ oversight approach. Details on the exact date are awaited.
1.3.2 Indirect impact
DORA applies indirectly to ICT service providers providing services to EU financial entities (including non-EU ICT service providers such as those in the United States and the United Kingdom), as their EU financial entity customers will be seeking contractual changes to align with DORA requirements.
1.4 Timeline
DORA entered into force on 16 January 2023 and applies directly to in-scope financial entities across all EU member states as of 17 January 2025. There is no transition period to full compliance. See Quick view: Understanding the application and scope of DORA.
2. Key elements of DORA compliance
2.1 DORA Level 1
DORA includes Level 1 primary legislation and Level 2 rules (broadly equivalent to UK secondary legislation).
Level 1 DORA requirements represent the primary obligations established by the Regulation and the Directive. Regulations are directly applicable in all member states, whereas Directives are not directly applicable and require transposition into national law. The Regulation gives the Commission the power to adopt delegated and implementing acts to specify how competent authorities and market participants must comply with the obligations (see section 3.2 below).
Level 1 texts are summarised briefly in the table below:
| Name | Description | Status |
| --- | --- | --- |
| DORA (Regulation) | The DORA regulatory framework is structured under five key headings. | In force – as a regulation it requires no transposition into national law |
| DORA (Directive) | The Directive amends certain existing European financial services directives (including MiFID II) to incorporate cross-references to DORA and digital operational resilience. | In force – requires member states to transpose its provisions into national law by 17 January 2025 |
3. Tracking the Level 2 rules
While the Level 1 legislation establishes the legislative framework, it does not provide the complete picture. The main text of DORA is therefore supplemented by various Level 2 rules containing detailed requirements and guidance. These take the form of regulatory technical standards (RTS), implementing technical standards (ITS), delegated acts (DACs) and guidelines, which offer more granular detail on DORA’s requirements. Adhering to DORA requires compliance with these Level 2 rules.
3.1 Phased approach
The ESAs implemented a phased approach for developing RTS and ITS, releasing them in two tranches:
- The first batch of consultations on policy mandates was published in June 2023. It covered ICT risk management frameworks, the classification of ICT-related incidents, templates for the register of information, and the policy on ICT services provided by ICT third-party service providers. The ESAs produced their final report on the first batch of RTS and ITS on 17 January 2024.
- The second batch of consultations on policy mandates was published on 8 December 2023. The ESAs published their final report on the second batch on 17 July 2024. However, the RTS on subcontracting ICT services supporting critical or important functions remained subject to Commission approval for longer and was only adopted on 24 March 2025. Additionally, a further two RTS are still under scrutiny – see the tracker at section 3.3.
- Topics covered by this second batch of RTS and ITS included the content and timing for reporting major ICT-related incidents, threat-led penetration testing and regulatory oversight of critical ICT third-party service providers.
- Two sets of draft guidelines (1) on the estimation of aggregated annual costs and losses caused by major ICT-related incidents and (2) on the oversight cooperation and information exchange between the ESAs and the competent authorities were also included in the second batch and final guidelines were published on 17 July 2024.
3.2 Process to adoption
Level 2 rules are specific to financial services and follow a detailed procedure, which is outside the scope of this guide. In summary, the ESAs produce preliminary drafts that are subject to a review process, which may include public consultations with stakeholders. Based on the feedback received, the ESAs finalise the legal instruments and submit them to the Commission for review and possible adoption.
In addition, once the Commission receives the draft RTS, they must be sent to the European Parliament and the Council for further scrutiny. As mandated by article 20 of DORA, the ESAs also consulted the European Central Bank (ECB) and the European Union Agency for Cybersecurity (ENISA) on the technical standards for ICT-related incident reporting.
Various time frames for decision-making and review must be adhered to, resulting in the drafts being either:
- amended by the Commission and sent back to the ESAs together with reasons for the amendments. The ESAs have six weeks to amend and resubmit the drafts to the Commission. Failure to respond within this time frame may result in the Commission adopting the drafts as amended or rejecting them completely; or
- adopted by the Commission as drafted (without amendment). The European Parliament and the Council then have one month (extendable) to raise any objections:
  - if there are no objections from the Parliament and the Council, the RTS will be published in the Official Journal on the date specified in the RTS; or
  - if either the Parliament or the Council objects, the RTS will not enter into force.
3.3 Status tracker
The tables below provide an overview of the status of the RTS, ITS and guidelines under DORA. There have been delays, and the review process has taken longer than anticipated, meaning that several RTS remain to be finalised and published in final form. These should be kept under review given the risk of entities being deemed non-compliant now that the DORA application date has passed.
ICT Risk Management and testing
| Title | Summary title | Legal basis (DORA) | Status | Link |
| --- | --- | --- | --- | --- |
| Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework | RTS on ICT risk management framework and simplified framework | Article 15 and Article 16(3) | In force from 15 July 2024. Published in Official Journal – 25 June 2024. | Link |
| Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers | RTS to specify the policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers | Article 28(10) | In force from 15 July 2024. Published in Official Journal – 25 June 2024. | Link |
| Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the register of information | ITS to establish standard templates for the register of information | Article 28(9) | In force from 22 December 2024. Published in Official Journal – 2 December 2024. | Link |
| Draft Delegated Regulation supplementing Regulation (EU) 2022/2554 with regard to Regulatory Technical Standards to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions | RTS on subcontracting ICT services supporting critical or important functions | Article 30(5) | Not yet in force. Adopted by the Commission on 24 March 2025. Now with European Parliament and Council for scrutiny; if neither objects the delegated act will be published in the Official Journal. | Link |
| Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT incidents under Regulation (EU) 2022/2554 | GL on the estimation of aggregated annual costs and losses caused by major ICT-related incidents | Article 11(11) | Awaiting final publication in the Official Journal. Apply from 19 May 2025. | Link |
| Commission Delegated Regulation supplementing Regulation (EU) 2022/2554 of the European Parliament and Council with regard to regulatory technical standards specifying the criteria used for identifying financial entities required to perform threat-led penetration testing, the requirements and standards governing the use of internal testers, the requirements in relation to the scope, testing methodology and approach for each phase of the testing, results, closure and remediation stages and the type of supervisory and other relevant cooperation needed for the implementation of TLPT; and for the facilitation of mutual recognition | RTS specifying criteria to perform threat-led penetration testing | Article 26(11) | Not yet in force. Adopted by the Commission on 13 February 2025. Now with European Parliament and Council for scrutiny; if neither objects the delegated act will be published in the Official Journal. | Link |
Incident Reporting
| Title | Summary title | Legal basis (DORA) | Status | Link |
| --- | --- | --- | --- | --- |
| Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents | RTS specifying the criteria for the classification of ICT-related incidents and major cyber threats | Article 18(3) | In force from 15 July 2024. Published in Official Journal – 25 June 2024. | Link |
| Commission Delegated Regulation (EU) 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats | RTS on reporting of major ICT-related incidents and notification of significant cyber threats | Article 20(a) | In force from 12 March 2025. Published in Official Journal – 20 February 2025. | Link |
| Commission Implementing Regulation (EU) 2025/302 of 23 October 2024 laying down implementing technical standards for the application of Regulation 2022/2554 of the European Parliament and of the Council with regard to the standard forms, templates and procedures for financial entities to report a major ICT-related incident and to notify significant cyber threats | ITS on standard forms, templates and procedures for financial entities reporting of major ICT-related incidents and notification of significant cyber threats | Article 20(b) | In force from 12 March 2025. Published in Official Journal – 20 February 2025. | Link |
| Joint report on the feasibility for further centralisation of reporting of major ICT-related incidents | Report on potential further centralisation of reporting of major ICT-related incidents | Article 21 | Published by the ESAs on 17 January 2025. Report submitted to the European Parliament, European Council and the European Commission to consider findings for future developments. | Link |
Oversight framework
| Title | Summary title | Legal basis (DORA) | Status | Link |
| --- | --- | --- | --- | --- |
| Joint Guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities under Regulation (EU) 2022/2554 | GL on oversight cooperation and information exchange between ESAs and competent authorities | Article 32(7) | Applicable. See link for GL and compliance table. | Link |
| Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities | DAC specifying criteria for the designation of ICT third-party service providers as critical for financial entities | Article 31 | In force from 19 June 2024. Published in Official Journal – 30 May 2024. | Link |
| Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 supplementing Regulation (EU) 2022/2554 by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid | DAC on oversight fees charged by the Lead Overseer to critical third-party service providers | Article 43 | In force from 19 June 2024. Published in Official Journal – 30 May 2024. | Link |
| Commission Delegated Regulation (EU) 2025/295 of 24 October 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards on harmonisation of conditions enabling the conduct of the oversight activities | RTS on harmonisation of conditions for oversight conduct (except for JET – see below) | Article 41 | In force from 5 March 2025. Published in Official Journal – 13 February 2025. | Link |
| Commission Delegated Regulation supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards to specify the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the ESAs and from the relevant competent authorities, their designation, tasks, and working arrangements | RTS on criteria for determining the composition of the joint examination team (JET) | Article 41(1)(c) | Not yet in force. Adopted by the European Commission on 16 December 2024. Now with European Parliament and Council for scrutiny; if neither objects the delegated act will be published in the Official Journal. | Link |
Key: DAC: Delegated Act, IAC: Implementing Act, ITS: Implementing Technical Standard, RTS: Regulatory Technical Standard, GL: Guideline
3.4 Additional guidance
The ESAs issue informative guidance in the form of Q&As developed by fielding questions from relevant stakeholders such as the public, financial market participants and competent authorities. Questions on the application of DORA can be submitted to the ESAs through their Q&A process. Questions under review and their final answers are published in the Joint Q&A Register, which is updated regularly as new Q&As are finalised.
Additional resources
Related Lexology Pro content
Quick views:
Understanding the application and scope of DORA