DORA - Digital Operational Resilience Act
In force since 17 January 2025
Agent Navigation: For section discovery, use /regulations/eu/dora/llms.txt
Quick Reference
The Digital Operational Resilience Act (DORA) is an EU Regulation establishing uniform requirements for ICT risk management, incident reporting, resilience testing, and third-party risk management for financial entities. Directly applicable across the EU from January 2025.
Applies to: All EU financial entities (banks, insurers, investment firms, payment institutions, crypto-asset providers) and critical ICT third-party service providers
Key rules:
- Must establish comprehensive ICT risk management framework [Art 5-16]
- Must report major ICT incidents: initial notification within 4 hours, intermediate report within 72 hours, final report within 1 month [Art 19]
- Management body is accountable for ICT risk and must receive training [Art 5]
- Significant entities must conduct threat-led penetration testing (TLPT) [Art 26]
- Must maintain register of all ICT third-party arrangements [Art 28]
| Question | Answer | Citation |
|---|---|---|
| Who’s covered? | All EU financial entities + critical ICT providers | Art 2 |
| Initial incident notification? | 4 hours | Art 19 |
| Intermediate report deadline? | 72 hours | Art 19 |
| Final report deadline? | 1 month | Art 19 |
| TLPT required? | Yes, for significant entities | Art 26 |
| Third-party register required? | Yes | Art 28 |
Regulation Map (All Chunks)
Every section of this DORA coverage is listed here for full-text lookup and agent navigation.
Definitions
Requirements
- DORA: ICT Incident Reporting
- DORA: Information-Sharing Arrangements
- DORA: Digital Operational Resilience Testing
- DORA: ICT Risk Management
- DORA: ICT Third-Party Risk Management