Starting January 17, 2025, the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) will require financial entities and their critical information and communication technology (ICT) service providers to comply with enhanced ICT risk management measures. Its goal is to protect the financial sector from ICT disruptions and a new generation of cyber threats.
Scope. DORA applies to financial entities in the EU, such as banks, crypto-asset service providers, trading venues and insurers, and to the ICT third-party service providers designated as critical by the European Supervisory Authorities (ESAs). A provider established outside the EU that is designated as critical must set up a subsidiary in the EU within 12 months of the designation; the first designations are expected in the second half of 2025.
Key requirements. This EU regulation introduces comprehensive ICT risk management frameworks covering incident management and reporting (an initial notification of a major ICT-related incident within four hours of classifying it as major, and no later than 24 hours after becoming aware of it), digital operational resilience testing, ICT third-party risk management, and threat monitoring. Financial entities must also include mandatory contract terms in their agreements with all of their ICT service providers (e.g., SaaS, security, data analysis and communication services) so that these frameworks are implemented along the supply chain. As a result, DORA will affect many…