DORA — Digital Operational Resilience Act

The Digital Operational Resilience Act — Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 (DORA) — is the European Union's binding operational-resilience regulation for the financial sector. It establishes uniform requirements for the security of network and information systems supporting the business processes of financial entities, and imposes specific contractual and oversight obligations on ICT third-party service providers serving those financial entities. DORA entered into force on 16 January 2023 and applies from 17 January 2025.

This page is a Modulos compliance guide. The Article references and key dates are drawn from the published OJ text; the platform mapping references real Modulos surfaces.

Quick decision

  • Financial entity in the Article 2(1) scope → read Applicability and governance first to confirm scope and proportionality, then work through the five operative chapters via the spokes below.
  • Eligible for the Article 16 simplified ICT risk management framework → see Applicability and governance — the simplified regime is reserved for specific entity types listed in Article 16(1), not a general SME carve-out.
  • ICT third-party service provider that may be designated critical → Articles 31–44 set out the oversight framework; designation criteria are in Article 31. The financial-entity contractual obligations in Articles 28–30 apply to your relationships with financial entities regardless of designation.
  • Subject to NIS2 in addition to DORA → apply DORA Article 1(2) — on matters DORA covers, DORA's specialised provisions apply for financial entities that would otherwise be essential or important entities under the national NIS2 transposition. See NIS2 vs DORA.
  • Found a major ICT-related incident → Articles 17–19 establish the classification and reporting regime; Delegated Regulation 2025/301 sets content and time limits; Implementing Regulation 2025/302 sets the standard forms and templates. Article 19(4) sequences the initial notification, intermediate report, and final report.

TL;DR

  • DORA = Regulation (EU) 2022/2554, published in OJ L 333, 27 December 2022. Adopted 14 December 2022, entered into force 16 January 2023, applies from 17 January 2025 (Article 64).
  • Five operative blocks (Chapters II–V, with Chapter V in two sections): Articles 5–16 (ICT risk management), Articles 17–23 (incident reporting), Articles 24–27 (testing including TLPT), Articles 28–30 (ICT third-party risk), Articles 31–44 (oversight of critical TPPs).
  • Eight Level 2 acts (Delegated + Implementing Regulations) flesh out the financial-entity obligations — incident classification (2024/1772), TPP policy (2024/1773), ICT RMF (2024/1774), register of information template (2024/2956), incident report content (2025/301), incident report forms (2025/302), subcontracting (2025/532), TLPT (2025/1190); further delegated acts under Articles 31(6) and 43(2) address the oversight framework.
  • Under DORA Article 1(2), DORA is considered a sector-specific Union legal act for the purposes of NIS2 Article 4 on the matters DORA covers; NIS2 obligations remain relevant where DORA does not extend.
  • Companion Directive (EU) 2022/2556 amends several sectoral financial-services directives in light of DORA, also applying from 17 January 2025.

Primary source

Regulation (EU) 2022/2554 on EUR-Lex (CELEX 32022R2554) · OJ L 333, 27.12.2022, pp. 1–79 · Directive (EU) 2022/2556 (amending directive) · the eight Level 2 acts (see Information sharing and Level 2 acts)

Key facts

  • Instrument: Regulation (EU) 2022/2554 — directly applicable
  • Adopted / in force: 14 Dec 2022 / 16 Jan 2023
  • Applies: 17 January 2025 (Art 64)
  • Scope test: entity-type list (Art 2(1)) — no size cap
  • Core duties: ICT RMF, incident reporting, resilience testing, ICT third-party risk
  • Level 2: 8 RTS/ITS acts (2024–2025) + ESAs guidelines

What DORA changes

Before DORA, ICT risk management for EU financial entities was a patchwork — ESA guidelines (EBA, EIOPA, ESMA), national supervisory expectations, and sector-specific provisions in the CRD, MiFID, Solvency II, PSD2, and adjacent acts. DORA replaces this patchwork with a single binding Regulation. The structural changes:

  1. Single uniform RMF. Article 6 establishes the baseline ICT risk management framework that every in-scope financial entity outside the Article 16(1) simplified regime must implement.
  2. Single uniform incident regime. Articles 17–19 set classification and reporting obligations across all in-scope financial entities, with the operational detail in Level 2 acts 2024/1772, 2025/301, and 2025/302.
  3. Resilience testing including TLPT. Articles 24–25 require general digital operational resilience testing; Articles 26–27 add advanced threat-led penetration testing for entities meeting Article 26(1) criteria, with the methodology in Delegated Regulation 2025/1190.
  4. Direct EU oversight of critical ICT TPPs. Articles 31–44 introduce a new oversight framework run by the ESAs over ICT third-party service providers designated as critical, including a Lead Overseer regime, oversight plans, and periodic penalty payments (Article 35(6)–(11)).
  5. Register of information. Article 28(3) requires every in-scope financial entity to maintain a register of all contractual arrangements on the use of ICT services, with the template laid down by Implementing Regulation 2024/2956.

DORA structure

Regulation (EU) 2022/2554 (DORA)

  • Chapter I — General provisions (Articles 1–4): subject matter, scope, definitions, proportionality
  • Chapter II — ICT risk management (Articles 5–16): governance, RMF, identification, protection, detection, response, business continuity, learning, communication; simplified framework at Art 16
  • Chapter III — ICT-related incidents (Articles 17–23): incident management process, classification, reporting, harmonised reports, supervisory cooperation, payment incidents
  • Chapter IV — Digital operational resilience testing (Articles 24–27): general testing, types and frequency, threat-led penetration testing (TLPT), TLPT requirements for testers
  • Chapter V Section I — Managing ICT third-party risk (Articles 28–30): general principles, register of information (Art 28(3)), preliminary assessment, key contractual provisions
  • Chapter V Section II — Oversight of critical TPPs (Articles 31–44): designation as critical, Lead Overseer regime, oversight tasks, conduct of oversight, penalties
  • Chapter VI — Information-sharing arrangements (Article 45): cyber-threat information and intelligence sharing among financial entities
  • Chapter VII — Competent authorities (Articles 46–56): designation of competent authorities, cross-border cooperation, supervisory measures
  • Chapter VIII — Delegated acts (Article 57): exercise of the delegation
  • Chapter IX — Transitional and final provisions (Articles 58–64): review clauses, sectoral amendments, entry into force and application from 17 January 2025 (Art 64)

Article 1(2) — interaction with NIS2

Article 1(2) of DORA is structured as the operative provision that allocates competence between DORA and the NIS2 Directive for financial entities. In relation to financial entities that would otherwise also be essential or important entities under the national NIS2 transposition, DORA's specialised provisions apply on the matters DORA covers. The NIS2 obligations remain relevant for areas DORA does not cover and where the national NIS2 transposition extends further. The cooperation channels between competent authorities under DORA and the structures and authorities established under NIS2 are set out in Chapter VII of DORA, in particular DORA Article 47.

For a structured pairwise walk-through, see NIS2 vs DORA.

How to operationalize DORA in Modulos

Modulos models DORA as two complementary framework templates:

Framework | Project type | Focus | Requirements | Mapped controls
OFF-16 (DORA (org)) | Organization | Scope and classification, management-body duties under Article 5, ICT risk-management governance under Articles 6–16, incident-reporting governance under Articles 17–23, resilience-testing governance under Articles 24–27, ICT third-party strategy and governance under Articles 28–30, information-sharing under Article 45 | 29 (ORF-361 to ORF-388, plus ORF-393) | 87 unique
MFF-16 (DORA (app)) | ICT system / AI application | Per-system execution of the Articles 5–30 obligations, including ICT inventory, vulnerability management, incident-reporting workflow, resilience-testing execution, TLPT participation evidence, register-of-information entries, contractual flow-down | 18 (MRF-293 to MRF-310) | 54 unique

Every requirement is anchored in the primary law: the requirement text carries a References section citing the precise article and paragraph (DORA, plus the relevant RTS/ITS, with EUR-Lex links) and an Applicability section stating which entities each limb binds. Three DORA tag families classify the requirements and their controls:

  • DORA Pillar — the operative area: ICT Risk Management, ICT Incident Management & Reporting, Digital Operational Resilience Testing, ICT Third-Party Risk, Information & Intelligence Sharing, and Governance & Organisation.
  • DORA Framework — Full (the Articles 5–15 regime) versus Simplified (the Article 16(1) regime, which disapplies Articles 5–15 for the listed entities and substitutes the lighter Article 16(1)(a)–(h) duties).
  • DORA Addressee — who each limb binds: All financial entities, Other than microenterprises, Other than Art 16(1) entities and microenterprises, Microenterprises only, or Simplified (Art 16(1) entities). DORA's obligations are not uniform — many paragraphs carry their own addressee carve-out, and the tags make each limb's cohort explicit.

A typical setup:

  1. Requirements — each DORA obligation is recorded as a requirement on the relevant project (OFF-16 organisation, MFF-16 per-ICT-system). Fulfilment tracks through Not fulfilled → Fulfilled (with optional Out of scope).
  2. Controls — the framework templates pair DORA-specific overlay controls (carrying article-cited guidance and an evidence checklist for the duty, with full-regime and simplified-regime limbs separated) with shared, framework-agnostic governance controls reused across the ISO 27001 / ISO 42001 / NIS2 templates. Additional implemented measures (RMF documentation, vulnerability-management programme, incident-handling SOP, BC/DR plan, ICT-TPP register, contractual templates, TLPT participation records, resilience-testing plan, key-control mapping) are documented as named controls and mapped to one or more requirements.
  3. Evidence — RMF policy, governance minutes, ICT-asset inventory, incident postmortems, BC/DR test outputs, ICT-TPP contracts, register-of-information entries (per Implementing Regulation 2024/2956 templates), TLPT outputs (per Delegated Regulation 2025/1190 methodology), incident reports (per 2025/301 content and 2025/302 forms) are recorded once and linked to multiple controls.
  4. Readiness + fulfilment attestation — a requirement becomes ready for review once all linked controls are in a final state; the requirement owner then attests fulfilment for the project scope.
  5. What Modulos does not provide:
    • a dedicated DORA incident-reporting UI surface — Article 19 reports are stored as evidence linked to the relevant requirement;
    • a dedicated register-of-information UI — the Article 28(3) register is modelled as requirements ORF-386 (governance) and MRF-309 (execution), with register entries stored as evidence;
    • a dedicated ICT-asset-inventory surface — the Article 8 inventory is modelled as evidence linked to MRF-295.

See Operationalizing DORA in Modulos for the practical rollout sequence.

Cross-framework mapping (preview)

DORA area | NIS2 (Directive (EU) 2022/2555) | ISO/IEC 27001:2022 (Amd 1:2024) | EU AI Act (Regulation (EU) 2024/1689)
Article 5 governance | Article 20 management-body duties | Clause 5 (leadership) | Article 26 (deployer obligations)
Articles 6–16 ICT RMF | Article 21(2) ten measure categories + Article 21(3) supply chain | Clauses 4–10, Annex A.5–A.8 | Article 9 (RMS), Article 15 (cybersecurity, robustness)
Articles 17–23 incident reporting | Article 23(3)–(4) significance test + staged timelines | A.5.24, A.5.25, A.5.27 | Article 73 (serious incidents for high-risk AI)
Articles 24–27 testing + TLPT | (no direct equivalent; TIBER-EU — on which DORA TLPT builds, Art 26(11) — is voluntary outside DORA) | A.5.29, A.5.30 (BC), audit clauses | Article 15 (accuracy, robustness, cybersecurity); Article 72 (post-market monitoring)
Articles 28–30 ICT third-party | Article 21(2)(d) + Article 21(3) supply chain | A.5.19–A.5.22 supplier-relationship family | Article 25 (value-chain responsibility and provider reclassification)
Articles 31–44 oversight of critical TPPs | (no direct equivalent — sector-specific) | (no direct equivalent) | (no direct equivalent)
Article 45 information sharing | Article 29 (cybersecurity information-sharing arrangements) | A.5.6 (contact with special-interest groups) | (no direct equivalent)

For the pairwise NIS2↔DORA treatment see NIS2 vs DORA; for the full hub see framework comparison.

Source attribution

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA) is published in the Official Journal of the European Union L 333, 27.12.2022, pp. 1–79. Directive (EU) 2022/2556 of 14 December 2022 amends sectoral financial-services directives in light of DORA and is published in OJ L 333 of 27.12.2022. The eight Commission Delegated and Implementing Regulations referenced on this page (2024/1772, 2024/1773, 2024/1774, 2024/2956, 2025/301, 2025/302, 2025/532, 2025/1190) are individually published on EUR-Lex; see the Level 2 acts spoke for the verbatim titles, CELEX numbers, and OJ pinpoints.

Disclaimer

This page is for general informational purposes and does not constitute legal advice. DORA applies directly in every Member State; binding obligations and supervisory authorities are determined by DORA and the competent authority designated by the Member State. For binding interpretation in your jurisdiction, consult the published EUR-Lex text and qualified counsel.