DORA

Digital Operational Resilience Act

The EU regulation for ICT risk management in financial services. Comprehensive requirements for digital operational resilience.

What is DORA?

DORA (Regulation 2022/2554) is an EU regulation establishing uniform requirements for ICT risk management and operational resilience in the financial sector.

The regulation covers ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing. It applies directly across all EU member states.

DORA aims to ensure financial entities can withstand, respond to, and recover from ICT-related disruptions and threats.

Entities in scope

  • Credit institutions (banks)
  • Payment institutions
  • Electronic money institutions
  • Investment firms
  • Crypto-asset service providers
  • Insurance and reinsurance undertakings
  • Insurance intermediaries
  • Pension funds
  • Credit rating agencies
  • Crowdfunding service providers
  • ICT third-party service providers

Key requirements

DORA groups its requirements into five pillars: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. The key requirements for financial entities are:

  • ICT risk management framework
  • ICT incident classification
  • Major incident reporting
  • Digital operational resilience testing
  • Threat-led penetration testing (TLPT)
  • ICT third-party risk management
  • Contractual arrangements oversight
  • Information sharing arrangements
  • ICT business continuity
  • ICT response and recovery
  • ICT change management
  • ICT security awareness

Achieve DORA readiness

Run the unified assessment and score DORA alongside NIS2 and ISO 27001 — shared controls scored once, not three times.