Definition
DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) is a European regulation that has applied since 17 January 2025.
It imposes on all EU financial entities — banks, fintechs, insurers, CASPs (crypto-asset service providers), asset managers, crowdfunding platforms — a single, binding framework for digital operational resilience: IT risk management, incident management and reporting, resilience testing including penetration testing, and oversight of critical IT providers.
Why DORA exists
Before DORA, IT resilience was fragmented: each sector had its own rules, and critical IT providers (cloud, SaaS, payment processors) escaped any financial supervision — even though an outage at one of them could paralyse the financial system. DORA harmonises all of this within a single pan-European framework that applies directly, without national transposition.
The 5 pillars
- IT risk management: governance, mapping of critical assets and processes, backup, restoration, continuity plan.
- Incident management: classification of IT incidents against common criteria (clients and counterparts affected, duration and downtime, geographic spread, data losses, criticality of the services hit, economic impact) and mandatory reporting of major incidents to the NCA (national competent authority) within short deadlines: initial notification within 4 hours of classifying the incident as major, intermediate report within 72 hours of the initial notification, then a final report.
- Resilience testing: vulnerability scans, audits, and scenario-based tests for everyone; for players identified by their supervisor, a TLPT (Threat-Led Penetration Testing) on live production systems at least every 3 years.
- Third-party IT risk: a mandatory register of information covering every IT provider contract (with those supporting critical or important functions flagged as such), contracts carrying the required clauses, due diligence before signing, audit and access rights, and exit strategies.
- Information sharing: participation in the sharing of Cyber Threat Intelligence between players.
The major novelty: supervising critical IT providers
This is the most disruptive innovation. Providers deemed critical for the financial system — hyperscalers such as AWS, Azure, Google Cloud or OVH, but also specialised SaaS vendors — are designated by the ESAs (EBA, ESMA, EIOPA) and placed under direct European oversight, with one of the ESAs acting as Lead Overseer: audits and inspections, recommendations, penalty payments, even an obligation to change their practices. It is the first time an American cloud provider has been directly supervised by a European financial regulator.
What DORA does not do
- It creates no new status: it applies on top of existing statuses (bank, PI (payment institution), EMI (e-money institution), CASP, insurer).
- It does not cover personal data: that is the GDPR.
- It does not replace NIS 2 (general EU cybersecurity) but dovetails with it: for financial entities DORA is the lex specialis, so its rules take precedence where the two overlap.
- It does not exempt from sector-specific rules (PSD2, MiCA, Solvency II): it adds to them.
Timetable
- December 2022 — adoption of the regulation.
- January 2023 → January 2025 — 24 months to come into compliance.
- 17 January 2025 — effective application, with no exemption.
- 2025–2026 — first strengthened checks and first designations of critical IT providers.
In the PSD2 ecosystem
DORA is not specific to PSD2, but any fintech operating a payment service is concerned. It is now an unavoidable compliance building block, on a par with SCA or anti-money-laundering.
Real-world examples
- Incident reporting: an API supporting a critical function that goes down for more than 2 hours in full production crosses one of the materiality thresholds; once the incident is classified as major, the clock gives 4 hours to notify the ACPR (the French NCA), and never more than 24 hours from the moment the outage was detected, then 72 hours from that initial notification for the intermediate report — something to wire into the runbook before the incident.
- TLPT: a PSP such as Worldline, Adyen or Stripe Europe runs a Threat-Led Penetration Testing exercise at least every 3 years, conducted by qualified testers (external, or internal under strict conditions) who meet the regulation's requirements on independence, certification and professional indemnity (€100K to €500K per exercise).
- Cloud oversight: hosting your critical infrastructure on AWS requires a contract carrying the DORA clauses (reversibility and exit plan, audit and access rights for the entity and its supervisor, termination rights, conditions on subcontracting), hence the EU fintech contracts offered by AWS, Azure and GCP since 2024.
- IT provider register: kept up to date with criticality and an exit plan, often via OneTrust, MetricStream or in-house spreadsheets.
- Continuity plan: being able to fail over to a secondary site or cloud in case of a major incident — a concrete requirement, to be tested regularly.
- Monitoring: keeping track of the ESAs' RTS and guidelines and the timetable for designating critical IT providers.
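The reporting chain above is the kind of thing a runbook should compute rather than leave to memory during an outage. The following helper is an added example written for this page, not the regulator's or any vendor's code. The 4-hour and 72-hour deadlines are the ones stated above; the 24-hour cap from awareness and the one-month final report come from the Commission delegated regulation on major-incident reporting under DORA. Three things are assumptions for illustration: the classification rule is a single simplified threshold (critical service down for more than 2 hours) rather than the full set of criteria, "one month" is approximated as 30 days, and all identifiers, timestamps and incidents are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Regulatory intervals in the DORA major-incident reporting chain.
INITIAL_FROM_CLASSIFICATION = timedelta(hours=4)   # stated on the page
INITIAL_CAP_FROM_AWARENESS = timedelta(hours=24)    # hard cap from the RTS
INTERMEDIATE_FROM_INITIAL = timedelta(hours=72)     # stated on the page
FINAL_FROM_INTERMEDIATE = timedelta(days=30)        # "one month", approximated (assumption)

# Simplified materiality threshold (assumption: the real RTS combines several criteria).
CRITICAL_DOWNTIME_THRESHOLD = timedelta(hours=2)


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp; every deadline below is computed in UTC."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass
class Incident:
    incident_id: str                      # constructed identifier, e.g. "INC-001"
    aware_at: datetime                    # when the entity became aware of the incident
    downtime_minutes: int                 # observed downtime of the affected service
    supports_critical_function: bool      # does the service support a critical or important function?
    classified_major_at: Optional[datetime] = None
    initial_sent_at: Optional[datetime] = None
    intermediate_sent_at: Optional[datetime] = None
    final_sent_at: Optional[datetime] = None


def classify_major(inc: Incident, now: datetime) -> bool:
    """Mark the incident as major when the simplified threshold is crossed.

    The classification timestamp is what starts the 4-hour clock, so it is
    recorded the first time the incident crosses the threshold and never moved.
    """
    is_major = inc.supports_critical_function and timedelta(minutes=inc.downtime_minutes) > CRITICAL_DOWNTIME_THRESHOLD
    if is_major and inc.classified_major_at is None:
        inc.classified_major_at = now
    return is_major


def reporting_deadlines(inc: Incident) -> Dict[str, datetime]:
    """Return the due time of each report; empty until the incident is classified as major.

    The initial notification is due 4 hours after classification, but a late
    classification cannot push it past 24 hours from awareness. Later stages are
    chained off the actual submission time when known, otherwise off the
    previous deadline (the worst-case planning figure).
    """
    if inc.classified_major_at is None:
        return {}
    initial = min(inc.classified_major_at + INITIAL_FROM_CLASSIFICATION,
                  inc.aware_at + INITIAL_CAP_FROM_AWARENESS)
    intermediate = (inc.initial_sent_at or initial) + INTERMEDIATE_FROM_INITIAL
    final = (inc.intermediate_sent_at or intermediate) + FINAL_FROM_INTERMEDIATE
    return {"initial": initial, "intermediate": intermediate, "final": final}


def overdue_reports(inc: Incident, now: datetime) -> List[str]:
    """List the report stages whose deadline has passed without a submission."""
    sent = {"initial": inc.initial_sent_at,
            "intermediate": inc.intermediate_sent_at,
            "final": inc.final_sent_at}
    return [stage for stage, due in reporting_deadlines(inc).items()
            if sent[stage] is None and now > due]


if __name__ == "__main__":
    # Constructed scenario: critical payment API detected down at 10:00 UTC,
    # outage lasted 2h30, incident classified as major at 12:30 UTC.
    inc = Incident("INC-001", utc(2025, 3, 1, 10, 0), 150, True)
    classify_major(inc, utc(2025, 3, 1, 12, 30))
    for stage, due in reporting_deadlines(inc).items():
        print(f"{inc.incident_id} {stage:<12} due {due.isoformat()}")
    print("overdue at 17:00 UTC:", overdue_reports(inc, utc(2025, 3, 1, 17, 0)))
```

The second constructed case worth keeping in the runbook is the one the cap exists for: if classification drags past the first day, the initial notification is due 24 hours after awareness regardless of when the classification call was finally made, which the `min()` in `reporting_deadlines` enforces.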