TomatoBlue
EU Regulation 2022/2554

DORA Regulation: What it is, what it requires and how to comply

Regulation (EU) 2022/2554, the Digital Operational Resilience Act (DORA), establishes a single, directly applicable regulatory framework for the digital operational resilience of the European financial sector. DORA has applied in full since 17 January 2025 and introduces stringent obligations on ICT risk management, business continuity, ICT-related incident management and reporting, digital operational resilience testing, and the oversight of critical ICT third-party service providers.

The regulation's objective is to ensure that financial entities can withstand, respond to and recover from severe ICT disruptions, including cyber attacks, systemic malfunctions and outages of digital services.

Scope of application

DORA applies directly to a broad range of financial entities and, through its third-party risk and oversight provisions, reaches the ICT service providers on which they depend, including:

Financial entities

  • Banks and credit institutions
  • Payment institutions and electronic money institutions (EMIs)
  • Investment firms
  • Fund managers (UCITS management companies and AIFMs)
  • Insurance and reinsurance undertakings
  • Crypto-asset service providers and other regulated crypto operators

ICT third-party service providers (including those designated as critical)

  • Cloud service providers
  • Software houses and core SaaS providers
  • Cybersecurity service providers
  • ICT outsourcers and data centers

ICT third-party service providers are reached mainly through the contractual requirements that financial entities must impose on them (security, audit and access rights, exit provisions). Providers designated as critical by the European Supervisory Authorities are additionally subject to a European oversight framework under a Lead Overseer.

Main regulatory obligations

Organizations subject to DORA must:

1. Define and maintain an ICT risk management framework integrated into corporate governance
2. Identify, classify and manage ICT-related incidents according to harmonized criteria, and report major incidents to the competent authority
3. Implement business continuity and disaster recovery plans and test them periodically
4. Conduct digital operational resilience testing, including advanced threat-led penetration testing (TLPT) for entities identified by their competent authority
5. Ensure oversight of the ICT supply chain, including contractual requirements and audit rights toward ICT third-party providers, and keep a register of information on all contractual arrangements
6. Ensure the active involvement of senior management and the board of directors, since the management body bears ultimate responsibility for managing ICT risk
7. Maintain evidence, logs, reports and documentation ready for inspection by the competent authority

Sanctions and liability

  • Significant administrative sanctions
  • Binding corrective measures imposed by the competent authorities
  • Direct liability of the management body
  • Risk of operational restrictions in cases of serious non-compliance

Our DORA consulting services

We support financial entities and ICT providers in achieving full compliance with the DORA Regulation through an integrated approach that combines compliance and technology, structured in scalable packages.
