DORA
An EU regulation on the digital operational resilience of the financial sector. Requires TLPT testing, ICT risk management and third-party oversight.
What is DORA?
DORA (Digital Operational Resilience Act) is a European Union regulation (2022/2554) that establishes uniform requirements for digital operational resilience across the financial sector. Unlike the NIS2 directive, DORA is a regulation: it applies directly in all member states without the need for transposition into national law.
DORA covers banks, insurance companies, investment firms, payment institutions, exchanges, trade repositories and many other financial market participants. The regulation is built on five pillars: ICT risk management, incident reporting, digital operational resilience testing (including TLPT), third-party risk management and threat intelligence sharing.
A particularly significant element of DORA is the requirement for Threat-Led Penetration Testing (TLPT) by entities deemed systemically important. These tests, based on red teaming methodology, must be conducted every three years and cover critical business functions.
Why does it matter?
DORA changes the financial sector's approach to cybersecurity from reactive to proactive. It requires not only implementing security controls, but regularly testing their effectiveness under realistic conditions. The management board of a financial institution is responsible for approving and overseeing the digital resilience strategy.
For technology providers serving the financial sector, DORA means new requirements regarding contracts, reporting and audits. Critical ICT providers (e.g., cloud providers) will be subject to direct oversight by European financial supervisory authorities.