What Is DORA Regulation? The Digital Operational Resilience Act Explained
DORA is focused on safeguarding EU financial systems. Here's what you need to know about it.

The Digital Operational Resilience Act (DORA) is an EU regulation covering the financial services sector.
DORA came into application on 17 January 2025, and it's the new operational floor for any financial entity in Europe. But it's also landing in security questionnaires and addendums for third-party B2B technology providers that have nothing to do with financial transactions. In this guide, we'll explain what DORA is, and what you should do if your customer is asking about it.
What DORA Is
Before DORA, the EU's rules around financial-sector tech risk were scattered across various financial services directives and rules. Now, it's all unified under DORA, which covers ICT risk management, incident reporting, resilience testing, third-party oversight, and threat intelligence sharing.
DORA was put in place as a response to the banking and financial sectors becoming increasingly reliant on digital services. It's made up of two pieces of EU law: Regulation (EU) 2022/2554 contains the DORA rules, and Directive (EU) 2022/2556 sits alongside the regulation to go back through older EU directives and update them to match.
If you're a financial entity in the EU, DORA is live and you're already on the hook. If you're a tech vendor supplying the financial sector in the EU, it's the reason you may start seeing more questions coming up during procurement.
Who DORA Applies To
DORA applies to 20 categories of EU financial entities, plus the ICT third-party providers that serve them. The financial-entity list is broad:
- Credit institutions (banks)
- Insurance and reinsurance undertakings
- Investment firms
- Payment institutions and e-money institutions
- Crypto-asset service providers
- Central securities depositories and central counterparties
- Trading venues and trade repositories
- Credit rating agencies
- Crowdfunding service providers
- Institutions for occupational retirement provision (IORPs)
The part that catches people off guard is how broadly DORA defines ICT services. The regulation applies to any digital and data services provided through ICT systems on an ongoing basis, which includes SaaS services, cloud providers, and managed services.
DORA's broad application means it's showing up in places you might not expect. For example, we work with a number of B2B tech companies who have partners in the EU banking sector, and some have started to see DORA-related questions pop up in security addendums. None of these companies are processing payments or touching financial infrastructure, but their financial customers still need to ask questions related to DORA because the regulation makes the financial entity responsible for managing third-party risk across its entire supply chain.
DORA also has extraterritorial reach for one specific group: Critical Third-Party Providers (CTPPs). These are ICT providers designated by the European Supervisory Authorities (ESAs), namely the EBA (European Banking Authority), ESMA (European Securities and Markets Authority), and EIOPA (European Insurance and Occupational Pensions Authority), based on systemic importance to the EU financial system. A non-EU CTPP is required to establish an EU subsidiary within 12 months of designation, or its financial-entity customers may be required to terminate the contract. The ESAs published the first list of 19 designated CTPPs in November 2025, and the list is expected to expand as more data flows in through the annual Register of Information submissions.
What DORA Requires
DORA is organized around five pillars:
- ICT Risk Management and Governance: Financial entities must maintain a comprehensive risk management framework that the management body is ultimately responsible for, meaning it can't be wholly delegated to a CISO.
- ICT-Related Incident Management, Classification, and Reporting: Entities must classify, log, and report ICT-related incidents.
- Digital Operational Resilience Testing: Testing comes in two tiers. Basic testing covers vulnerability assessments, scenario testing and network security assessments; advanced Threat-Led Penetration Testing (TLPT) is required every three years for select entities.
- ICT Third-Party Risk Management: This is where most SaaS and cloud vendors are pulled into DORA. Financial institutions have an obligation to do due diligence on all third parties they work with across their supply chain.
- Information Sharing Arrangements: Voluntary cyber threat intelligence sharing among financial entities, subject to data protection and competition law.
Incident Reporting Under DORA
The reporting of cybersecurity incidents is a key aspect of DORA: covered financial entities must report major incidents within set timeframes:
- Initial notification must happen no later than four hours after the incident is classified as major.
- An intermediate report should be shared within 72 hours.
- A final report is due within one month, covering the cause, remediation, and costs.
There’s also a crossover between DORA incident reporting and the GDPR personal data breach notifications. Though each has different timelines and thresholds, any incident response plan for a financial institution within the EU needs to map to both DORA and GDPR requirements.
The Critical or Important Functions Threshold
DORA features tiered third-party rules with the strictest requirements only kicking in when an ICT agreement or partnership supports what DORA calls a critical or important function.
A function is deemed critical or important if its disruption would materially impair the financial entity's financial performance, the soundness or continuity of its services, or its ability to comply with regulatory obligations.
However, most third-party SaaS or cloud services are unlikely to be deemed critical or important. For example, downtime in a note-taking app or sales CRM shouldn't have implications for the bank's performance or the continuity of its services.
Penalties Under DORA
For financial entities and Critical Third-Party Providers (CTPPs), non-compliance with DORA can result in penalties and fines.
For financial entities, sanctions are set at Member State level and generally include public statements identifying the breach and the responsible party, cease-and-desist orders, disgorgement of profits, and administrative fines. Criminal sanctions are also possible at Member State discretion for serious breaches.
For CTPPs, DORA sets the penalty directly at EU level. Penalties can include periodic payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, applied daily for up to six months, until compliance is restored.
What to Do If a Customer Asks About DORA
If you're a B2B SaaS company selling to EU financial customers and DORA is starting to show up in your security questionnaires or security addendums on contracts, you likely don't need to comply with DORA in the way a financial institution does. But you do need an informed response, because if you don't have one, the procurement process may stall.
There are two scenarios:
1. DORA doesn't apply to you directly
If you're not a financial institution or designated as a CTPP, this is the most likely scenario. In this case, you'll need to send your prospect (or customer) a written response that shows you understand the DORA regulation and explains clearly why DORA's direct obligations don't reach your service.
The document should explain what security frameworks you have in place (like SOC 2 or ISO 27001) and any other relevant policies you have, like incident response or business continuity plans. This shows that even though DORA obligations don't impact your business, you have a clear understanding of what it is, and it highlights that you take security seriously. We've drafted a lot of these papers for companies in the last twelve months, and they're becoming standard sales-enablement material for any B2B vendor selling into EU financial customers.
2. DORA does impact your contract
If you're an ICT provider supporting a critical or important function for a financial-entity customer, the process is a lot more complicated and involved. You should expect financial institutions' security and procurement teams to push for DORA-defined mandatory clauses to be added to contracts covering audit rights, subcontracting, exit strategies, incident assistance and cooperation, and most of these will be non-negotiable.
If your organization provides software or services likely to be deemed a critical or important function under DORA, you’ll need to build DORA-specific contract templates and ensure your policies and procedures are compliant with DORA.
Where to Start
If you're a third-party vendor selling to EU financial customers, the starting point is a one-page DORA position paper you can attach to any security questionnaire or addendum. It's a small piece of work that prevents a lot of friction in your sales cycle.
If you’d like to learn more about DORA, how it may apply to your business, or how to craft a letter explaining your position on DORA, get in touch with our team here.

