DORA
RTS ICT Risk Management RTS ICT Incident classification RTS Third Party ICT service policy ITS Register of Information RTS Harmonization of conditions
enabling the conduct of oversight activities RTS Joint examination teams RTS & ITS Major incident reporting RTS Subcontracting ICT services RTS Threat-led penetration testing GUIDELINES Estimation of aggregated
annual costs and losses GUIDELINES Oversight cooperation
and information exchange

Regulation EU 2022/2554

Welcome to our DORA regulation, consultation platform

Welcome to our platform for interactive consultation of the DORA Regulation. This web version presents the original legal text of REGULATION (EU) 2022/2554 from EUR-Lex.

The regulation entered into force on 17 January 2025 for financial entities and ICT third-party service providers in scope.

Please note that this page is provided for informational purposes only and should not be considered an authoritative source. For official reference, we recommend consulting the Official Journal of the European Union.

DORA Regulation overview

The Digital Operational Resilience Act (DORA) was established in response to the growing risks associated with information and communication technology (ICT) and the increasing digitalization and interconnectedness of the financial sector. DORA strengthens digital operational resilience by introducing a common legal framework across the EU financial sector. It establishes comprehensive rules related to:

  • ICT risk management
  • ICT-related incident management
  • Digital operational resilience testing
  • ICT third-party risks

DORA history and evolution

DORA was introduced as part of the EU's Digital Finance Package with the objective of addressing the fragmented legal landscape surrounding ICT risks within the financial sector. The regulation aims to enhance the digital operational resilience of financial entities and mitigate risks that could impact financial stability.

The following table provides a continuous update on the latest developments related to DORA.

Date Update

27/12/2022

Publication of REGULATION (EU) 2022/2554 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011

19/06/2023

ESAs consult on the first batch of DORA policy products

29/09/2023

ESAs specify criticality criteria and oversight fees for critical ICT third-party providers under DORA in response to the European Commission’s call for advice

17/01/2024

ESAs publish first set of rules under DORA for ICT and third-party risk management and incident classification

18/04/2024

ESAs consult on technical standards for joint examination teams under DORA

25/06/2024

Publication of three additional Commission Delegated Regulations supplementing Regulation (EU) 2022/2554 in the Official Journal (eur-lex.europa.eu)

Commission Delegated Regulation (EU) 2024/1774RTS ICT Risk Management

Commission Delegated Regulation (EU) 2024/1772RTS ICT Incident Classification

Commission Delegated Regulation (EU) 2024/1773 RTS Third Party ICT service policy

17/07/2024

Publication of the second batch of policy products under DORA by the ESAs

JC 2024-35 - Final report on RTS on harmonisation of conditions for OVS conduct
JC 2024 54 - Final Report RTS on JET
JC 2024-33 - Final report on the draft RTS and ITS on incident reporting
JC 2024-29 - Final report RTS on TLPT
JC 2024-36 - Final report on GL on oversight cooperation
JC 2024-34 - Final report GL on costs and losses

26/07/2024

Publication of joint final Report on the draft technical standards on subcontracting under DORA by ESAs

JC 2024-53 - Final report RTS on subcontracting

03/09/2024

The European Commission notified the ESAs of the rejection of the ITS on the basis of the envisaged mandatory use of the LEI to identify ICT third-party service providers under Article 3(5) and (6) of the draft ITS

15/10/2024

ESAs respond to the European Commission’s rejection of the technical standards on registers of information under the Digital Operational Resilience Act and call for swift adoption

15/11/2024

The ESAs announce timeline to collect information for the designation of critical ICT third-party service providers under the Digital Operational Resilience Act

05/12/2024

Publication of Commission Implementing Regulation (EU) 2024/2956 (ITS on the Register of Information - RoI) in the Official Journal (eur-lex.europa.eu)

17/12/2024

Summary report published by the ESAs with the key findings from the 2024 Dry Run exercise on reporting the registers of information under the Digital Operational Resilience Act (DORA).

20/12/2024

The EBA published version 4.0 of the reporting technical package

15/01/2025

Publication by the ESA of all information and instructions related to the register of information including the latest FAQ

24/02/2025

Rejection letter received by the ESA on RTS on subcontracting

07/03/2025

The ESAs acknowledge the European Commission's amendments to the technical standard on subcontracting under the Digital Operational Resilience Act

Explore the DORA technical standards

In addition to the legal text of the DORA regulation, we invite you to explore the section dedicated to the technical standards related to DORA. These standards are key to understanding and complying with the regulation. Access the technical standards consultation pages through the menu at the top of the page.

This page provides a comprehensive, structured look at the DORA Regulation, from its legal text to updates, as well as links to the technical standards consultation for enhanced understanding.

We are committed to providing continuous improvements to this page, ensuring that it remains the go-to resource for DORA compliance.

Cerca...