DORA (Digital Operational Resilience Act)

Banks are used to managing capital risks. DORA carries the same seriousness over to the digital side: outages, attacks, and dependencies on IT service providers have counted since January 2025 as risks that must be managed and evidenced just as systematically.

What is DORA?

The Digital Operational Resilience Act is EU Regulation 2022/2554 on digital operational resilience in the financial sector. As a regulation, it applies directly in all member states, without a national transposition law; it has been applicable since 17 January 2025.

The scope is broad: banks, insurers, investment firms, payment and e-money institutions, trading venues, and other financial players, around 20 categories in total. The distinctive point: ICT third-party service providers also come into view. Critical providers can be overseen directly by the European supervisory authorities, and every service provider of a financial entity has the requirements passed on to it through contracts and the register of information.

The five pillars of DORA

  • ICT risk management: A documented framework covering systems, roles, and protective measures; explicitly required are strategies that limit the impact of ICT incidents, together with detection and recovery capabilities.
  • Incident management and reporting: Classification of ICT incidents and reporting of major incidents to the supervisory authority in fixed stages and deadlines.
  • Digital resilience testing: Regular testing of systems and controls; for significant institutions, additionally threat-led penetration testing (TLPT) roughly every three years.
  • ICT third-party risk: A complete register of information for all ICT contracts, mandatory clauses with service providers, and exit strategies for critical services.
  • Information sharing: A framework for the voluntary sharing of threat information within the industry.

Why it matters

  • The regulation applies directly and is supervised by BaFin and the Bundesbank; transition periods have expired.
  • The evidence obligations are concrete: registers, classifications, test reports, and reporting processes cannot be improvised.
  • IT service providers of financial entities are bound by contract and must be able to evidence their measures.
  • The focus on limiting impact shifts budgets from pure prevention toward containment and recovery.

Typical scenarios

  • A bank builds its register of information and finds that dozens of network and cloud contracts need mandatory DORA clauses.
  • A payment institution segments its transaction systems in order to evidence the required limitation of incident impact.
  • An insurer rehearses the failure of a critical ICT service provider, including the exit scenario.
  • An IT provider in the financial sector receives identically worded questionnaires from several customers about resilience, testing, and subcontractors.

What auditors want to see in practice

Since the start of application, it has become clear what audits focus on. The register of information must be complete and up to date, including subcontractor chains; incomplete registers are the fastest route to findings. Incident classification needs practiced processes: those who only clarify in an emergency whether an incident is reportable will miss deadlines. And the required limitation of impact wants to be evidenced technically, for example through documented segmentation policies, recovery tests, and traceable data flows.

The principle of proportionality applies here: a small payment institution does not have to demonstrate the testing depth of a large bank, but it does need a lived framework appropriate to its size. For ICT service providers, the reverse holds: those who deliver ready-made evidence to their financial customers, from operating reports through test results to contractually assured exit support, turn from a risk factor into a competitive advantage in audits and noticeably shorten every contract negotiation.

DORA and NIS-2: the difference

Both frameworks stem from the same EU package but address different things: NIS-2 is a cross-sector directive with national leeway for transposition, DORA a directly applicable special regulation for the financial sector. For financial entities, DORA takes precedence in its subject areas as the more specific framework; anyone affected by both, for example as an IT service provider across several industries, must serve both sets of requirements. The classification of all frameworks is brought together in the entry Cybersecurity Compliance .

How KAEMI helps

The core DORA requirement, limiting the impact of ICT incidents, is a question of architecture: Zero Trust microsegmentation keeps the radius of an attack small and provides the visibility over data flows that eases registers and audits; private, redundant connections via Cloud Connectivity & SDN strengthen the availability side. KAEMI operates both as a managed service with the documentation depth that financial supervisors expect. A detailed classification with a practical guide is offered by our blog post DORA: What the financial sector needs to know .

Frequently asked questions about DORA (Digital Operational Resilience Act)

Who does DORA apply to?

To around 20 categories of financial entities in the EU, from banks and insurers through payment institutions to trading venues, and indirectly to their ICT service providers. Critical ICT third-party providers can additionally fall directly under the oversight of the European supervisory authorities.

Since when has DORA been binding?

DORA has been applicable since 17 January 2025. As an EU regulation, it applies directly, without a national transposition law. In Germany, BaFin and the Deutsche Bundesbank supervise compliance; the transition period for preparation has expired.

What are the five pillars of DORA?

ICT risk management, management and reporting of ICT incidents, digital operational resilience testing including threat-led penetration testing for significant institutions, management of ICT third-party risk with a register of information, as well as arrangements for the exchange of threat information.

Does DORA also affect IT service providers outside the financial sector?

Yes, indirectly almost always: financial entities must include mandatory DORA clauses in ICT contracts, list service providers in the register of information, and manage their risks. Anyone serving financial customers must be able to evidence resilience, testing, and subcontractors, regardless of their own industry affiliation.

What role does microsegmentation play for DORA?

DORA explicitly requires limiting the impact of ICT incidents. Microsegmentation implements exactly that: a compromised system stays isolated, critical processes continue to run, and the resulting visibility over communication relationships provides evidence for audits and incident management.

From term to implementation: KAEMI supports you from the first assessment to day-to-day operations.