Digital Operational Resilience Act (DORA)

Regulation 2022/2554 on digital operational resilience for the financial sector

Background and Scope

The Digital Operational Resilience Act (DORA) is an EU regulation designed to enhance the digital operational resilience of financial institutions. Effective from 17 January 2025, DORA ensures that banks, insurance companies, investment firms, and other financial entities can withstand, respond to, and recover from disruptions related to ICT (information and communication technology), including cyberattacks and system failures.

DORA establishes comprehensive cybersecurity requirements across the EU financial sector, applying to a broad range of financial entities, including banks, investment firms, and payment service providers. Additionally, the regulation establishes a supervisory framework for critical ICT third-party providers, such as cloud service providers, ensuring oversight of the technology infrastructure supporting financial services. Implementation of DORA will be complemented by a set of delegated regulations that provide detailed technical standards and operational requirements.

Digital Omnibus Regulation Proposal

In its Digital Omnibus Regulation Proposal, the Commission proposed that ENISA shall establish an EU-wide entry point for incident reporting under several EU regulations, including eIDAS, DORA, NIS2, CER Directive, and GDPR. The purpose is to reduce administrative burdens for businesses and enable a more focused approach to incident reporting.

Key Obligations

  • ICT risk management: DORA requires financial entities to establish robust frameworks to protect their operations and sensitive data from cyber threats. This includes implementing comprehensive measures such as ICT risk assessments, ICT governance policies and adequate security controls.
  • Incident management: Financial entities must establish comprehensive incident management processes to detect, manage, and notify ICT-related incidents. Additionally, all ICT-related incidents and significant cyber threats must be systematically recorded and documented.
  • Incident reporting: Financial entities must report ICT-related incidents to relevant authorities, enabling swift response and mitigation efforts. Timely reporting is intended to help minimise the impact of such incidents and enhance overall sector resilience.
  • Third-party risk management: DORA establishes comprehensive rules on third-party risk management requirements. With the exception of micro-enterprises, all financial entities must implement a vendor risk strategy meeting specific regulatory criteria, maintain a comprehensive registry of ICT services utilised, and submit annual reports to supervisory authorities detailing new contracts and planned ICT service agreements for critical functions.
  • Due diligence: Prior to entering into contractual arrangements with third-party ICT providers, financial entities must conduct comprehensive due diligence evaluations and ensure such providers comply with appropriate information security standards.
  • Contractual requirements: DORA establishes minimum key contractual elements that financial entities must include in all contractual arrangements with third-party ICT providers.

Timeline

November 19, 2025

The European Commission introduced the Digital Omnibus Regulation, proposing an EU-wide incident reporting entry point via ENISA.

January 17, 2025

DORA began to apply fully across the EU. Financial entities were expected to be compliant.

July 17, 2024

The European Supervisory Authorities (ESAs) published the second round of RTS/ITS and guidelines, including templates for incident reporting, TLPT and supervisory conditions.

March 13, 2024

The European Commission adopted the first round of technical standards (RTS) concerning, among other things, ICT risk management and incident classification.

January 16, 2023

The DORA Regulation entered into force.