EU Regulatory Intelligence — by YRproject

factual analysis · traceable to primary sources

Guide

DORA guide: does it apply to you and what must you arrange?

Adopted 2026-06-28 · ≈ 2 min read · Dirk Baaijen

DORA (Regulation (EU) 2022/2554) has applied since 17 January 2025 to financial entities and their critical ICT providers. Five pillars: ICT risk management, incident reporting, resilience testing, third-party ICT risk and information sharing. This guide points the way per pillar.

Short answer: DORA — the Digital Operational Resilience Act, Regulation (EU) 2022/2554 — has applied directly across the EU since 17 January 2025. It requires financial entities to demonstrably manage their digital resilience. If you are in scope, five pillars apply: ICT risk management, incident reporting, resilience testing, third-party ICT risk management and (voluntary) information sharing.

Does DORA apply to my institution?

DORA sets out an exhaustive list of financial entities (Article 2). These include banks (credit institutions), payment institutions, electronic money institutions, investment firms, crypto-asset service providers, insurers and reinsurers, insurance intermediaries, fund managers, and the ICT third-party service providers that serve them, with critical providers falling under the oversight framework. Certain small entities (small and non-interconnected investment firms, exempted payment and e-money institutions, small IORPs) may apply the simplified ICT risk-management framework of Article 16; micro-enterprises benefit from further proportionality exemptions. In the Netherlands, DNB and AFM supervise. If you are also an essential sector under NIS2, say a transport operator holding a payment licence, DORA applies as the more specific rule (lex specialis) to that financial part. See DORA or NIS2: which applies?

The five pillars

  1. ICT risk management — a governance framework with ultimate responsibility at board level. See ICT risk management under DORA.
  2. Incident reporting — classifying and reporting major ICT incidents to the supervisor. See Incident reporting under DORA.
  3. Resilience testing — regular testing of ICT systems, with threat-led penetration testing (TLPT) at least every three years for entities designated by their competent authority (Article 26). See Resilience testing and TLPT.
  4. Third-party ICT risk — contractual requirements, a register of information and oversight of critical ICT providers. See Third-party ICT risk and oversight.
  5. Information sharing — voluntary exchange of threat intelligence between entities.

Where to start

First determine whether you are an in-scope entity and whether the simplified framework applies. Then map your ICT dependencies and outsourcing (the register), set up the risk-management and incident processes, and plan the testing cycle. The detailed requirements are in the technical standards (RTS/ITS) from EBA, EIOPA and ESMA.

See also: AI Act and DORA interplay.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2022/2554/oj
    Regulation (EU) 2022/2554 (DORA), authentic text; applicable since 17 January 2025.
  2. https://www.eba.europa.eu/regulation-and-policy/digital-operational-resilience-dora
    EBA — Digital Operational Resilience Act: technical standards (RTS/ITS) by the ESAs.
  3. https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/implementing-and-delegated-acts/digital-operational-resilience-act_en
    European Commission — DORA: scope and implementing acts.

Read next

Does my firm fall under DORA?

DORA applies to an exhaustively listed set of financial entities — from banks and insurers to payment institutions, crypto providers and their critical ICT providers. Small, non-interconnected entities may use a simplified framework. This explainer helps you determine whether you are in scope.

DORA or NIS2: which one applies to my (logistics) organisation?

A logistics organisation generally falls under NIS2 (transport is an essential sector), not DORA. DORA applies to financial entities. If you are both, DORA takes precedence as lex specialis.

DORA readiness: a roadmap to prepare

DORA has applied since 17 January 2025. A practical roadmap to get a grip: determine scope, map ICT dependencies and the register, set up risk management and incident reporting, plan resilience testing, and review your vendor contracts.

About this knowledge base

Compiled and maintained by YRproject — programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.
