Law and standards

DORA

What is DORA?

DORA is Regulation (EU) 2022/2554 on digital operational resilience for the financial sector. It has applied since 17 January 2025 and requires financial entities to make their IT resilient against outages and attacks. Their ICT service providers are drawn into these duties as well.

DORA addresses financial entities, a group that includes banks, insurers, investment firms, payment institutions and crypto-asset service providers. Being a regulation, it applies directly in every member state. Supervision rests with the competent financial supervisory authorities.

The requirements cover five areas. The first is management of ICT risk, ICT meaning information and communication technology. The second is the handling and reporting of major ICT-related incidents. The third is regular testing of digital operational resilience. The fourth is management of risk arising from ICT third-party providers. The fifth is the sharing of information about threats. The Regulation follows a principle of proportionality. Micro-enterprises with fewer than ten staff and an annual turnover or annual balance sheet total of at most two million euros benefit from simplified requirements.

For a smaller business outside the financial sector, DORA arrives through the supply chain. A firm supplying software, maintenance, hosting or support to a financial entity counts as an ICT third-party service provider. The client then has to extend the contract to cover matters such as access and audit rights, incident reporting and exit arrangements. The Austrian Economic Chamber provides information for IT service providers on the requirements arising from such contracts.

The first practical sign is a lengthy information security questionnaire arriving from a client in the financial sector. Such a questionnaire can be answered where the firm's own position is documented. That means a current inventory of systems, defined access rights, tested backups, an agreed procedure for security incidents and evidence that updates are applied.

For financial entities, DORA takes precedence over the NIS2 Directive as the more specific rule. A supplier serving regulated financial clients alongside other industries is well advised to study both frameworks. A structured review of the firm's own IT creates the evidence base needed to answer questionnaires and to honour contractual commitments.

All terms in the knowledge base

From the term to practice

Where does your business actually stand?

The IT Check reviews your IT across 8 audit areas with more than 100 individual checks and delivers documented findings with a prioritised action plan. From 1,299 € excl. VAT. The first call takes 20 minutes and carries no charge.

Book a first call