DORA — Digital Operational Resilience Act

The Digital Operational Resilience Act — Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 (DORA) — is the European Union's binding operational-resilience regulation for the financial sector. It establishes uniform requirements for the security of network and information systems supporting the business processes of financial entities, and imposes specific contractual and oversight obligations on ICT third-party service providers serving those financial entities. DORA entered into force on 16 January 2023 and applies from 17 January 2025.

This page is a Modulos compliance guide. The Article references and key dates are drawn from the published OJ text; the platform mapping references real Modulos surfaces.

Quick decision

  • Financial entity in the Article 2(1) scope → read Applicability and governance first to confirm scope and proportionality, then work through the five operative chapters via the spokes below.
  • Eligible for the Article 16 simplified ICT risk management framework → see Applicability and governance — the simplified regime is reserved for specific entity types listed in Article 16(1), not a general SME carve-out.
  • ICT third-party service provider that may be designated critical → Articles 31–44 set out the oversight framework; designation criteria are in Article 31. The financial-entity contractual obligations in Articles 28–30 apply to your relationships with financial entities regardless of designation.
  • Subject to NIS2 in addition to DORA → apply DORA Article 1(2) — on matters DORA covers, DORA's specialised provisions apply for financial entities that would otherwise be essential or important entities under the national NIS2 transposition. See NIS2 vs DORA.
  • Found a major ICT-related incident → Articles 17–19 establish the classification and reporting regime; Delegated Regulation 2025/301 sets content and time limits; Implementing Regulation 2025/302 sets the standard forms and templates. Article 19(4) sequences the initial notification, intermediate report, and final report.

TL;DR

  • DORA = Regulation (EU) 2022/2554, published in OJ L 333, 27 December 2022. Adopted 14 December 2022, entered into force 16 January 2023, applies from 17 January 2025 (Article 64).
  • Five operative chapters: Articles 5–16 (ICT risk management), Articles 17–23 (incident reporting), Articles 24–27 (testing including TLPT), Articles 28–30 (ICT third-party risk), Articles 31–44 (oversight of critical TPPs).
  • Eight Level 2 acts (Delegated + Implementing Regulations) flesh out the obligations — incident classification (2024/1772), TPP policy (2024/1773), ICT RMF (2024/1774), register of information template (2024/2956), incident report content (2025/301), incident report forms (2025/302), subcontracting (2025/532), TLPT (2025/1190).
  • DORA Article 1(2) is structured to operate as a sector-specific Union legal act for the purposes of NIS2 Article 4 on the matters DORA covers; NIS2 obligations remain relevant where DORA does not extend.
  • Companion Directive (EU) 2022/2556 amends several sectoral financial-services directives in light of DORA, also applying from 17 January 2025.

Primary source

Regulation (EU) 2022/2554 on EUR-Lex (CELEX 32022R2554) · OJ L 333, 27.12.2022, pp. 1–79 · Directive (EU) 2022/2556 (amending directive) · the eight Level 2 acts (see Information sharing and Level 2 acts)

What DORA changes

Before DORA, ICT risk management for EU financial entities was a patchwork — ESA guidelines (EBA, EIOPA, ESMA), national supervisory expectations, and sector-specific provisions in the CRD, MiFID, Solvency II, PSD2, and adjacent acts. DORA replaces this patchwork with a single binding Regulation. The structural changes:

  1. Single uniform RMF. Article 6 establishes the baseline ICT risk management framework that every in-scope financial entity must implement.
  2. Single uniform incident regime. Articles 17–19 set classification and reporting obligations across all in-scope financial entities, with the operational detail in Level 2 acts 2024/1772, 2025/301, and 2025/302.
  3. Resilience testing including TLPT. Articles 24–25 require general digital operational resilience testing; Articles 26–27 add advanced threat-led penetration testing for entities meeting Article 26(1) criteria, with the methodology in Delegated Regulation 2025/1190.
  4. Direct EU oversight of critical ICT TPPs. Articles 31–44 introduce a new oversight framework run by the ESAs over ICT third-party service providers designated as critical, including a Lead Overseer regime, oversight plans, and pecuniary penalties.
  5. Register of information. Article 28(3) requires every in-scope financial entity to maintain a register of all contractual arrangements on the use of ICT services, with the template laid down by Implementing Regulation 2024/2956.

DORA structure

Regulation (EU) 2022/2554 (DORA)

  • Chapter I — General provisions (Articles 1–4): subject matter, scope, definitions, proportionality
  • Chapter II — ICT risk management (Articles 5–16): governance, RMF, identification, protection, detection, response, business continuity, learning, communication; simplified framework at Art 16
  • Chapter III — ICT-related incidents (Articles 17–23): incident management process, classification, reporting, harmonised reports, supervisory cooperation, payment incidents
  • Chapter IV — Digital operational resilience testing (Articles 24–27): general testing, types and frequency, threat-led penetration testing (TLPT), TLPT requirements for testers
  • Chapter V Section I — Managing ICT third-party risk (Articles 28–30): general principles, register of information (Art 28(3)), preliminary assessment, key contractual provisions
  • Chapter V Section II — Oversight of critical TPPs (Articles 31–44): designation as critical, Lead Overseer regime, oversight tasks, conduct of oversight, penalties
  • Chapter VI — Information-sharing arrangements (Article 45): cyber-threat information and intelligence sharing among financial entities
  • Chapter VII — Competent authorities (Articles 46–56): designation of competent authorities, cross-border cooperation, supervisory measures
  • Chapter VIII — Delegated acts, transitional, final provisions (Articles 57–64): implementing powers, delegated-act exercise, transitional, application from 17 January 2025 (Art 64)

Article 1(2) — interaction with NIS2

Article 1(2) of DORA is structured as the operative provision that allocates competence between DORA and the NIS2 Directive for financial entities. In relation to financial entities that would otherwise also be essential or important entities under the national NIS2 transposition, DORA's specialised provisions apply on the matters DORA covers. The NIS2 obligations remain relevant for areas DORA does not cover and where the national NIS2 transposition extends further. The cooperation channels between competent authorities under DORA and CSIRTs / competent authorities under NIS2 are established in Chapter VII of DORA and Article 47 of NIS2.

For a structured pairwise walk-through, see NIS2 vs DORA.

How to operationalize DORA in Modulos

Modulos models DORA as two complementary framework templates:

Each template is listed with its project type, focus, and requirement count.

OFF-16 (DORA (org))
  • Project type: Organisation
  • Focus: scope and classification, management-body duties under Article 5, ICT risk-management governance under Articles 6–16, incident-reporting governance under Articles 17–23, resilience-testing governance under Articles 24–27, ICT third-party governance under Articles 28–30, information-sharing under Article 45
  • Requirement count: 28 (ORF-361 to ORF-388)

MFF-16 (DORA (app))
  • Project type: ICT system / AI application
  • Focus: per-system execution of the Articles 5–30 obligations, including ICT inventory, vulnerability management, incident-reporting workflow, resilience-testing execution, TLPT participation evidence, register-of-information entries, contractual flow-down
  • Requirement count: 18 (MRF-293 to MRF-310)

A typical setup:

  1. Requirements — each DORA obligation is recorded as a requirement on the relevant project (OFF-16 organisation, MFF-16 per-ICT-system). Fulfilment tracks through Not fulfilled → Fulfilled (with optional Out of scope).
  2. Controls — implemented measures (RMF documentation, vulnerability-management programme, incident-handling SOP, BC/DR plan, ICT-TPP register, contractual templates, TLPT participation records, resilience-testing plan, key-control mapping) are documented as named controls and mapped to one or more requirements.
  3. Evidence — RMF policy, governance minutes, ICT-asset inventory, incident postmortems, BC/DR test outputs, ICT-TPP contracts, register-of-information entries (per Implementing Regulation 2024/2956 templates), TLPT outputs (per Delegated Regulation 2025/1190 methodology), incident reports (per 2025/301 content and 2025/302 forms) are recorded once and linked to multiple controls.
  4. Readiness + fulfilment attestation — a requirement becomes ready for review once all linked controls are in a final state; the requirement owner then attests fulfilment for the project scope.
  5. Operationalisation gaps to call out honestly: Modulos does not provide a dedicated DORA incident-reporting UI surface (incident reports under Article 19 are stored as evidence linked to the relevant requirement); the register of information under Article 28(3) is modelled as requirements ORF-386 (governance) and MRF-309 (execution), with register entries stored as evidence rather than in a dedicated register UI; the ICT-asset inventory under Article 8 is modelled as evidence linked to MRF-295 rather than as a dedicated inventory surface.

See Operationalizing DORA in Modulos for the practical rollout sequence.

Cross-framework mapping (preview)

Each DORA area is mapped to its nearest counterpart in NIS2 (Directive (EU) 2022/2555), ISO/IEC 27001:2022 (Amd 1:2024), and the EU AI Act (Regulation (EU) 2024/1689).

Article 5 governance
  • NIS2: Article 20 management-body duties
  • ISO/IEC 27001: Clause 5 (leadership)
  • EU AI Act: Article 26 (deployer obligations)

Articles 6–16 ICT RMF
  • NIS2: Article 21(2) ten measure categories + Article 21(3) supply chain
  • ISO/IEC 27001: Clauses 4–10, Annex A.5–A.8
  • EU AI Act: Article 9 (RMS), Article 15 (cybersecurity, robustness)

Articles 17–23 incident reporting
  • NIS2: Article 23(3)–(4) significance test + staged timelines
  • ISO/IEC 27001: A.5.24, A.5.25, A.5.27
  • EU AI Act: Article 73 (serious incidents for high-risk AI)

Articles 24–27 testing + TLPT
  • NIS2: no direct equivalent; ENISA TLPT framework is voluntary
  • ISO/IEC 27001: A.5.29, A.5.30 (BC), audit clauses
  • EU AI Act: Article 15 (post-market testing for high-risk AI)

Articles 28–30 ICT third-party
  • NIS2: Article 21(2)(d) + Article 21(3) supply chain
  • ISO/IEC 27001: A.5.19–A.5.22 supplier-relationship family
  • EU AI Act: Article 25 (value-chain responsibility and provider reclassification)

Articles 31–44 oversight of critical TPPs
  • NIS2: no direct equivalent (sector-specific)
  • ISO/IEC 27001: no direct equivalent
  • EU AI Act: no direct equivalent (Article 75 covers general regulatory cooperation)

Article 45 information sharing
  • NIS2: Article 29 (cybersecurity information-sharing arrangements)
  • ISO/IEC 27001: A.5.6 (contact with special-interest groups)
  • EU AI Act: no direct equivalent

For the pairwise NIS2↔DORA treatment see NIS2 vs DORA; for the full hub see framework comparison.

Source attribution

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA) is published in the Official Journal of the European Union L 333, 27.12.2022, pp. 1–79. Directive (EU) 2022/2556 of 14 December 2022 amends sectoral financial-services directives in light of DORA and is published in OJ L 333 of 27.12.2022. The eight Commission Delegated and Implementing Regulations referenced on this page (2024/1772, 2024/1773, 2024/1774, 2024/2956, 2025/301, 2025/302, 2025/532, 2025/1190) are individually published on EUR-Lex; see the Level 2 acts spoke for the verbatim titles, CELEX numbers, and OJ pinpoints.

Disclaimer

This page is for general informational purposes and does not constitute legal advice. DORA applies directly in every Member State; binding obligations and supervisory authorities are determined by DORA and the competent authority designated by the Member State. For binding interpretation in your jurisdiction, consult the published EUR-Lex text and qualified counsel.