
DORA (Digital Operational Resilience Act)

DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) is the EU regulation directly applicable since 17 January 2025 governing the digital operational resilience of financial entities. It obliges banks, insurers, investment firms, payment and crypto providers to adopt a unified framework for ICT risk management, incident reporting, resilience testing and ICT third-party risk management.

DORA rests on five pillars: (1) ICT risk management with governance accountability at board level, (2) management, classification and reporting of ICT-related incidents to the competent authority, (3) digital operational resilience testing, including threat-led penetration testing (TLPT) for significant institutions, (4) ICT third-party risk management with mandatory contractual clauses and registers, and (5) cyber threat information sharing. Supervision is carried out by the European Supervisory Authorities (EBA, ESMA, EIOPA); critical ICT third-party providers (such as large cloud providers) fall under a dedicated oversight framework. For danad clients in banking and finance, DORA overlaps strongly with NIS2 and ISO 27001. An implementation on the Microsoft cloud typically relies on Azure EU data residency, Microsoft Sentinel for incident detection and Microsoft Purview for auditability.
