DORA — what it is and why it will matter to every business, not just financial services

By Reach Pte. Ltd 22 April 2026 7 min read

DORA has been law in the EU since January 2025. It does not just regulate financial firms — it regulates the entire digital ecosystem they depend on. Here is what every business needs to know.

Definition

DORA — the Digital Operational Resilience Act (EU Regulation 2022/2554), in force across the EU since 17 January 2025. The first major law to treat digital resilience as a board-level concern with systemic importance.

DORA — the Digital Operational Resilience Act (EU Regulation 2022/2554) — became law across the European Union on 17 January 2025. Most businesses outside the financial sector read the headline and concluded it doesn't apply to them. That conclusion is understandable. It is also, for many, wrong.

DORA is the first major piece of legislation in any jurisdiction to treat digital operational resilience as a systemic concern requiring board-level accountability, not a technical concern delegated to an IT team. It will reshape contracts, audit obligations, and supplier relationships across virtually every sector that touches financial services — and the model it establishes is being copied by regulators around the world. Businesses that ignore it because they are not banks are reading the wrong map.

What DORA is — the five pillars

DORA is European Union Regulation 2022/2554. It applies directly to financial entities and to the ICT third-party service providers who underpin them. It is built on five pillars.

1 · ICT risk management

Comprehensive, documented framework for identifying, protecting against, detecting, responding to, and recovering from ICT risks. Approved by the management body, reviewed annually. Boards are explicitly accountable.

2 · Incident classification & reporting

Harmonised criteria for incident severity. Major incidents reported to the competent authority in tight, prescribed timeframes using standardised templates across the Union.

3 · Resilience testing

A programme of testing proportionate to size and risk. Significant entities undergo Threat-Led Penetration Testing (TLPT) every three years.

4 · Third-party risk management

A register of all ICT third-party arrangements, due diligence, and mandatory contract clauses — audit rights, exit strategies, incident notification, sub-contracting controls. Critical providers come under direct EU oversight.

5 · Information & intelligence sharing

Arrangements for sharing threat intelligence between financial entities, encouraged and in some cases mandated. The intent is to make the financial system as a whole more resilient.

Who is formally in scope

The list of in-scope financial entities is long and inclusive. It covers credit institutions, investment firms, insurance and reinsurance undertakings, crypto-asset service providers, crowdfunding service providers, and managers of alternative investment funds. If an entity holds a financial services licence in the EU, the working assumption should be that DORA applies.

The cascade effect — why non-financial businesses are affected

The reason DORA matters far beyond the financial sector is that its requirements do not stay inside the regulatory perimeter. They cascade outwards through three distinct mechanisms.

First, contractual flow-down. If your business provides IT services, software, or infrastructure to a regulated financial entity, your contracts must now include specific DORA-mandated provisions: audit rights, defined incident notification timeframes, security and resilience standards, sub-contracting restrictions, and exit assistance obligations.

Second, supply-chain due diligence. Even if you are not the direct provider, sitting in the supply chain of a DORA-regulated entity means receiving due-diligence questionnaires, evidence requests, and audit visits as obligations flow downstream.

Third, the regulatory template effect. DORA is the most detailed digital resilience regulation in the world, and other regulators are paying close attention. The direction of travel is clear: digital operational resilience is becoming a regulated discipline globally, and DORA is the reference text.

"DORA does not just regulate financial firms. It regulates the entire digital ecosystem they depend on."

3 cascade mechanisms reaching far beyond the financial sector: contractual flow-down, supply-chain due diligence, and the regulatory template effect carry DORA standards into every business in the chain.

Closing

DORA is the first major regulation to treat digital operational resilience as a systemic risk rather than an IT concern. Whether your business is formally in scope or not, the direction of travel is clear: contractual obligations, audit rights, and resilience standards rooted in the DORA model will reach you sooner or later. The organisations that treat DORA as a prompt to improve their own digital resilience will be better positioned regardless of which regulatory framework arrives next.

Tags

DORA · Regulation · Digital Resilience · ICT Risk · Compliance