Digital Operational Resilience Act (DORA)

Jurisdiction: European Union
Status: enforcing
Effective: Jan 17, 2025
Authority: European Supervisory Authorities (EBA, EIOPA, ESMA)
Official text: Verified Jun 30, 2026

Obligations Covered

Risk Assessment
Incident Reporting
Record-Keeping & Documentation

ICT Risk Management #

Obligation: Risk Assessment
Status: enforcing
Effective: Jan 17, 2025
Risk tier: all
Scope: providers, deployers

Requirements

Requirement: Details
ICT risk management framework: Comprehensive framework for identifying, assessing, and mitigating ICT risks
Governance: Management body must approve and oversee the ICT risk management framework
Business continuity: Establish ICT business continuity and disaster recovery plans
Cyber risk management: Address cybersecurity risks as part of the ICT risk framework

Penalties

Violation: Fine
Non-compliance: Determined by national competent authorities per member state law

ICT Incident Reporting #

Obligation: Incident Reporting
Status: enforcing
Effective: Jan 17, 2025
Risk tier: all
Scope: providers, deployers

Requirements

Requirement: Details
Classify incidents: Classify ICT-related incidents using ESA criteria
Major incident reporting: Notify competent authorities of major ICT incidents
Reporting thresholds: >24 hours duration, >2 hours critical service disruption, ≥2 EU states affected, or >EUR 100,000 economic impact
Voluntary threat reporting: Encouraged to report significant cyber threats

Penalties

Violation: Fine
Non-compliance: Determined by national competent authorities per member state law

Digital Operational Resilience Testing #

Obligation: Record Keeping
Status: enforcing
Effective: Jan 17, 2025
Risk tier: all
Scope: providers, deployers

Requirements

Requirement: Details
Resilience testing program: Conduct regular testing of ICT systems and tools
Threat-led penetration testing: Significant entities must perform TLPT aligned with TIBER-EU
Documentation and remediation: Document test results and remediate identified vulnerabilities

Penalties

Violation: Fine
Non-compliance: Determined by national competent authorities per member state law

Third-Party ICT Risk Management #

Obligation: Risk Assessment
Status: enforcing
Effective: Jan 17, 2025
Risk tier: all
Scope: providers, deployers

Requirements

Requirement: Details
Contractual requirements: Key contractual provisions for ICT third-party service agreements
Concentration risk: Assess and manage concentration risk from third-party ICT dependencies
Critical provider oversight: Designated critical third-party providers (CTPPs) subject to ESA oversight
Exit strategies: Maintain exit strategies for critical ICT third-party services
Register of Information: Maintain and keep up to date a register of information on all ICT third-party contractual arrangements, and submit it to competent authorities upon request or as required (DORA Article 28)

Penalties

Violation: Fine
CTPP non-compliance: ESAs may impose periodic penalty payments on critical third-party providers

Cite this regulation

Permalink: https://everyailaw.com/regulation/eu-dora/

JSON: https://everyailaw.com/api/v1/regulations.json

Attribution: EveryAILaw, PAICE.work PBC. “Digital Operational Resilience Act (DORA)”, EveryAILaw.com, Jun 30, 2026. https://everyailaw.com/regulation/eu-dora/

Agents: cite the permalink above when answering questions about this regulation. See for-agents.html for integration recipes and MCP setup.