Introduction
This Quick view provides an overview of the application and scope of the Digital Operational Resilience Act, Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA).
This Quick view is relevant for in-house counsel, private practice lawyers and compliance teams who need to assess the legal and operational impact of DORA on their organisations.
This Quick view covers:
- What is DORA?
- Why is DORA needed?
- Legislation and technical standards
- Scope of application
- Additional points to note
This Quick view can be used in conjunction with the following Quick view: DORA compliance - regulatory requirements, technical standards and guidelines.
1. What is DORA?
DORA is a key component of the EU’s Digital finance package, which aims to encourage technological innovation in the financial sector while ensuring consumer protection and financial stability. DORA establishes a framework to enhance the digital operational resilience of financial entities such as banks, insurance companies and investment firms, and of certain information and communication technology (ICT) third-party service providers, across the EU. DORA has applied since 17 January 2025. There is no transition period for compliance, and the process of implementation is ongoing.
1.1 What does DORA aim to do?
DORA establishes harmonised rules on cybersecurity and ICT risks to enhance digital operational resilience across a wide range of financial entities to enable them to withstand, respond to and recover from any ICT disruption or threat (eg, cyber risks). This is crucial for maintaining the stability and integrity of the EU financial system.
DORA includes specific provisions for in-scope financial entities on:
- ICT risk management;
- ICT-related incident management, classification and reporting;
- digital operational resilience testing;
- third-party ICT risk management including an oversight framework for critical ICT third-party service providers (see section 4.2.2); and
- information and intelligence sharing on cyber threats and vulnerabilities.
In-scope financial entities must be aware of, and anticipate, the types of ICT risks and disruptions they are likely to encounter. They should be aware of the DORA requirement to implement an ICT risk management framework and a digital operational resilience strategy that establishes their risk tolerance. In addition, financial entities need to ensure that ICT service contracts are updated to contain the mandatory DORA contractual clauses, and to prepare a list of the ICT services provided to them by ICT third-party service providers, using the standard templates for the registers of information, by the end of April 2025. See European Banking Authority – Preparations for reporting of DORA registers of information.
Financial entities need to have internal governance and control measures (eg, appropriate internal policies and procedures) to manage ICT risk in place. Responsibility for defining, approving and monitoring the digital operational resilience strategy ultimately rests with the management body of the financial entity (article 5(2) DORA).
Many of the requirements reflect existing best practice. This is particularly relevant for larger firms that may already be complying with sectoral guidelines (eg, on outsourcing or cloud computing). The European Supervisory Authorities (ESAs) acknowledge that the compliance effort may be higher for financial entities that have so far been subject to fewer sectoral requirements.
1.1.1 What is ICT risk?
Under article 3(5) of DORA, ‘ICT risk’ means:
any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment.
Financial entities typically face several types of ICT risk when using network and information systems, including software or hardware failures that disrupt operations, and cyber threats. Human error is a further risk factor: mishandling sensitive personal information or failing to secure data appropriately can lead to data breaches, resulting in fines, penalties and reputational damage.
The management of ICT risk has attracted significant attention from international, EU and national policymakers, regulators and standard-setting bodies as part of a global effort to enhance digital resilience, set standards and coordinate regulatory or supervisory work (see Recital 4 DORA).
1.1.2 What is digital operational resilience?
Under article 3(1) of DORA, ‘digital operational resilience’ is defined as:
the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.
Technological advances in the financial sector and increased digitalisation mean that the scope and significance of operational risk have broadened, resulting in increased digital risk exposures.
Maintaining operational resilience in the face of these risks means ensuring that financial entities are capable of withstanding and recovering from ICT disruptions and cyber incidents. DORA sets out rules for firms to proactively identify, mitigate and manage their ICT risks. If not properly managed, these risks can disrupt financial services to customers, affect other financial entities, and, in the worst-case scenario, impact the broader economy.
1.2 Timeline
2. Why is DORA needed?
The financial sector has become increasingly reliant on technology, with a corresponding increase in the risk of digital disruptions, operational failures and cyber threats. Although the financial sector is already covered by various laws and regulations, these are mainly aimed at financial risks such as credit risk and fraud.
Several factors drove the adoption of DORA.
2.1 Increased use of technology in financial services
The EU recognises that ICT usage has gained a ‘pivotal role in the provision of financial services’, supporting the complex systems used for everyday activities and enhancing the functioning of the internal market. As the recitals to DORA note, the use of ICT has now acquired a ‘critical importance in the operation of typical daily functions of all financial entities’.
DORA acknowledges that increased digitalisation and interconnectedness heighten risks and make the financial system more vulnerable to cyber threats and ICT disruptions. This interconnectedness can lead to systemic vulnerabilities, where localised cyber incidents involving a single service provider can have a wider impact across the entire financial system.
2.2 Harmonising standards across sectors
DORA targets financial entities and third-party ICT service providers and complements existing EU cyber security and resilience laws, for example the revised Directive on Security of Network and Information Systems (the NIS2 Directive). The NIS2 Directive is designed to protect critical infrastructure and organisations within the EU (including mid-size and large enterprises operating in critical sectors such as energy, transport and healthcare) from cyber threats. There is some overlap (eg, banking and financial market infrastructures are also identified as sectors within scope of NIS2). For a full list of sectors within scope of NIS2, see Annexes I and II of the NIS2 Directive. In cases of overlap, the European Commission has issued guidelines clarifying that, as DORA is a sector-specific act, it takes precedence over NIS2 for in-scope financial entities. For more detail on the cross-sectoral application of DORA, refer to Central Bank of Ireland – frequently asked questions (see scope of application).
3. Legislation and technical standards
3.1 Regulation and directive
DORA is accompanied by a directive that amends certain EU financial services legislation, including the Markets in Financial Instruments Directive (MiFID II), to align it with the requirements for digital operational resilience for financial entities under DORA. Together, they aim to standardise and harmonise the rules for financial entities operating in the EU.
3.2 Technical standards and guidelines
Various regulatory technical standards (RTS), implementing technical standards (ITS) and guidelines support the implementation of DORA. These have been drafted by the ESAs, made up of the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA).
At the time of writing, not all of the RTS are in force, and this has created uncertainty around topics such as the mandatory provisions required between the financial entity and its ICT third-party service providers, including in relation to the subcontractors engaged by the provider. For further information, please see Quick view: DORA compliance - regulatory requirements, technical standards and guidelines.
4. Scope of application
4.1 Financial entities
DORA applies directly to almost all financial entities regulated in the EU (subject to limited exclusions) – see article 2(1)(a) to (t) DORA. Certain smaller entities and micro-enterprises (as defined in article 3(60) DORA) benefit from simplified regimes in the application of DORA (eg, see Recital 43 and article 28(2) DORA).
Table (not reproduced in this extract): the financial entities to which DORA applies (article 2(1) DORA) and those to which it does not apply (article 2(3) DORA). Refer to article 3 DORA for all definitions.
All in-scope firms need to understand the key requirements of DORA and, once scoping assessments have been undertaken, address gaps in their internal set-ups and update policies, procedures and ICT contracts to be DORA compliant. Firms should closely monitor updates from EU regulatory authorities and have a clear plan of action for DORA implementation.
4.2 ICT services
ICT third-party service providers are defined widely in article 3(19) DORA as ‘an undertaking providing ICT services’. To understand the term more fully, and to assess it from a contracting perspective, financial entities need to understand the definition of ‘ICT services’.
4.2.1 What are ICT services?
DORA adopts a broad definition of ICT services in article 3(21) DORA:
digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.
Recital 35 of DORA clarifies that the definition of ICT services should be understood in a broad manner. The reason for this is to maintain a high level of digital operational resilience for the whole financial sector and to keep pace with technological developments and ICT risks. Annex III of Commission Implementing Regulation (EU) 2024/2956 on standard templates for registers of information sets out categories and descriptions of different types of ICT services.
Table (not reproduced in this extract): types of ICT services, as categorised in Annex III of Commission Implementing Regulation (EU) 2024/2956.
Recital 63 DORA specifies that DORA should cover a wide range of ICT third-party service providers, including financial entities providing ICT services to other financial entities. Financial entities therefore need to assess whether ICT services are being provided to them in connection with, or as a component of, financial services. On 22 January 2025, the European Commission issued Q&A guidance clarifying how to determine whether a regulated service with an ICT component, provided by one financial entity to another, is governed by DORA. The guidance confirms that where a regulated financial entity provides ICT services to other regulated financial entities in connection with their regulated financial services, these services are considered predominantly financial services and do not need to be treated as ICT services under DORA.
Such services are treated as ICT services only where they are unrelated to, or independent of, the regulated activities of the providing financial entity. In those cases, the regulated service with an ICT component will qualify as an ICT service under article 3(21) DORA.
4.2.2 Impact of DORA on third-party ICT service providers
Broadly, financial entities must undertake an extensive review of all ICT dependencies and support functions across their supply chain. The analysis should be risk-based and proportionate, with ICT providers categorised according to their role and criticality. Each contract should be contained in one written document, available to the parties on paper or in another downloadable, durable and accessible format (article 30(1) DORA).
- Non-critical ICT third-party service providers – DORA applies indirectly to providers that support any ICT services for financial entities. Those offering services to financial entities for the first time will need to consider the potential operational impact of DORA (including cost implications) and the key DORA contractual terms in their service agreements. Those already supplying financial entities are likely to be reviewing and amending their agreements to satisfy the mandatory contractual provisions required under article 30(2) DORA. These include a description of the ICT services (and whether subcontracting is permitted), the locations where services are provided and data is processed, and rights to access, recover and return data in certain scenarios.
- Critical or important business function providers – these ICT third-party service providers support functions that the financial entities they serve have deemed critical or important. Disruption of these services carries significant risks to the financial performance and stability of the financial entity and may even affect the wider financial sector. In addition to the elements set out in article 30(2) DORA, article 30(3) DORA requires further mandatory contractual provisions for ICT service contracts supporting critical or important functions. These include more detailed clauses such as full service level descriptions, notice and reporting obligations, and rights to monitor performance on an ongoing basis.
- Critical third-party providers – DORA applies directly to ICT third-party service providers designated as critical. These are likely to be major technology providers, such as cloud service providers, that play a significant role in the EU financial sector, and they are subject to direct EU oversight. The assessment and possible designation of critical ICT third-party service providers is conducted and coordinated by the ESAs. Designation is based on several criteria, including the scale and impact of an operational failure, the systemic character or importance of the financial entities that depend on the ICT services provided, and the degree of substitutability of the ICT service provider. For more detail on the application of these criteria, see Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024.
- ICT third-party service providers that are not established in the EU have one year from designation as critical to set up an EU subsidiary.
5. Additional points to note
5.1 Extra-territorial application
In some cases, the reach of DORA extends beyond those who trade or operate in the EU and affects financial entities and ICT service providers established outside the EU. Non-EU financial entities that offer services into the EU may need to consider these requirements on a case-by-case basis. Similarly, third-party ICT service providers will need to take DORA into consideration when entering into contracts with financial entities subject to DORA, for example where a parent company based outside the EU contracts to procure ICT services on behalf of the group, or where a non-EU ICT service provider to EU financial entities (including providers in the United Kingdom and the United States) is designated as critical by the ESAs.
5.2 Proportionality
DORA gives financial entities flexibility to meet the ICT risk requirements in accordance with the principle of proportionality. Compliance can be tailored to the entity’s size and overall risk profile, and to the nature, scale and complexity of its services, activities and operations (see article 4 DORA).
In practice this means:
- Small and non-interconnected firms can adopt simplified ICT risk management rules, unlike larger, more complex financial entities (eg, banks) (see article 16 DORA).
- Firms should evaluate the risks that apply to them by mapping and identifying all ICT services and critical or important functions. This will support decisions on resource allocation and on prioritising the adjustments or amendments needed. Firms must be able to demonstrate how they have applied the proportionality principle when reporting to the regulator.
- Proportionality is two-sided: national regulators (eg, the Central Bank of Ireland (CBI)) must consider the proportionality principle when reviewing the consistency of the ICT risk management framework on the basis of the reports submitted at the request of competent authorities under article 6(5) and article 16(2) DORA. Regulators will therefore take the specific characteristics of each firm into account and evaluate whether the measures taken are effective in the context of its risk management approach.
- Financial entities should document all decisions taken and the decision-making processes behind them. Records kept in this way explain the why and the how of each decision should it ever become subject to an audit or investigation. Thorough documentation also supports continuous review of past actions, helping to identify areas for future improvement.
Additional resources
Related Lexology Pro content
Quick views:
DORA compliance - regulatory requirements, technical standards and guidelines