FinWiki
EN

DORA · EU Digital Operational Resilience Act Overview

Confidence: Certain Updated 2026-05-26 Review by 2026-09-22 Sources 5 Machine-translated Original (JA)
#fintech#law#regulation#eu#dora#operational-resilience
On this page

Wiki route

This entry sits under fintech index. Read it with Japan Financial Regulation — Legal Framework for Tokens, Crypto Assets, and Payments for adjacent context and Three-Layer Structure of Japan's Stablecoin Regulatory Regime (JPYC, USDC, Project Pax) for the broader system boundary.

[!info] TL;DR DORA (Regulation (EU) 2022/2554) came into full force on 2025-01-17, imposing 5 pillars of requirements on all EU financial institutions + their critical ICT third-party suppliers (including cloud / wallet provider / blockchain infrastructure): ICT risk management / incident reporting / digital operational resilience testing / third-party risk / information sharing. Combined with MiCA, it forms a “conduct + resilience” dual-track supervision.

Key facts

  • DORA adopted: 2022-12-14 (Regulation (EU) 2022/2554)
  • DORA in force: 2025-01-17 (all provisions)
  • Scope: approx. 22,000 社 EU financial institutions + 3,000+ ICT suppliers
  • Maximum fines: financial institutions up to 1% of worldwide turnover + ICT suppliers up to 1% of turnover
  • The ESAs published 9 sets of Level 2 RTS/ITS in 2024-07
  • A major incident must be initially reported within 4 hours + reported in detail within 72 hours
  • TLPT framework: covers all significant financial institutions over approx. 5 years
  • The DORA Joint Committee is a three-party composition of EBA + ESMA + EIOPA

Mechanism / How it works

Five pillars:

  • ICT Risk Management (Art. 5-16): governance framework · CEO / Board directly responsible · asset inventory + risk assessment · Business Continuity Plan + Disaster Recovery
  • ICT-Related Incident Reporting (Art. 17-23): a major incident must be initially reported within 4 hours + reported in detail within 72 hours · EU common template (ESAs 2024-07 RTS)
  • Digital Operational Resilience Testing (Art. 24-27): Threat-Led Penetration Testing (TLPT) every 3 years · based on the TIBER-EU framework · cross-border coordinated testing
  • ICT Third-Party Risk (Art. 28-44): a Critical Third-Party Provider (CTPP) is supervised directly by the ESAs · covers cloud / blockchain infra / wallet provider — for details see DORA CTPP Third-Party Risk · Indirectly Bringing AWS/Anchorage under Financial Regulation
  • Information Sharing (Art. 45): voluntary threat-intelligence sharing · similar to US FS-ISAC

Origin & evolution

DORA was proposed as part of the 2020-09 EU Commission Digital Finance Package and was advanced in the same period as MiCA. Adopted 2022-12 , in full force 2025-01 . The ESAs (EBA + ESMA + EIOPA) published 9 sets of Level 2 RTS/ITS in 2024-07 , implementing 9 sub-areas. US counterpart: across the dimensions of the FFIEC IT Handbook · NYDFS Part 500 · OCC Heightened Standards · MRA, a USA-EU MRA would need to include DORA-equivalent provisions; for details see MiCA cross-border implications: USDC-EURC bilateral recognition and a 2026-Q3 U.S.-EU MRA.

Sources