DORA: Digital Operational Resilience Act for Financial Entities: Guide 2025
Compliance · 11 min · Lexiel


Complete guide to DORA Regulation (EU) 2022/2554, in force since January 2025: which entities are obliged, the 5 compliance pillars, sanctions and how it affects law firms advising the financial sector.

Tags: DORA · digital operational resilience · financial entities · cybersecurity · EU Regulation 2022/2554

# DORA: Digital Operational Resilience Act for Financial Entities: Guide 2025

Regulation (EU) 2022/2554 (DORA) is the EU framework obliging financial sector entities to implement rigorous ICT risk management. It entered full application on 17 January 2025.

## Who is covered?

Banks, investment firms, payment and e-money institutions, insurers and reinsurers, occupational pension funds (more than 15 members), credit rating agencies, crypto-asset service providers (under MiCA), crowdfunding platforms, securitisation repositories, and critical third-party ICT providers (large cloud and big-tech providers designated by the Commission).

## The 5 DORA compliance pillars

  1. ICT Risk Management (Arts. 5-16): a documented framework approved by the management body (a non-delegable responsibility), covering strategy, information security policies, business continuity and annual resilience testing.
  2. ICT Incident Management (Arts. 17-23): classify significant ICT-related incidents and notify the competent authority in three phases: initial notification within 4 hours, intermediate report within 72 hours and final report within 1 month.
  3. Digital Resilience Testing (Arts. 24-27): annual basic tests for all entities; Threat-Led Penetration Testing (TLPT, following the TIBER-EU methodology) every 3 years for significant entities.
  4. Third-Party ICT Risk (Arts. 28-44): maintain a register of all ICT contracts, perform enhanced due diligence, include mandatory contractual clauses (SLAs, audit rights, data location, exit plans) and report contracts with designated critical ICT providers.
  5. Cyber Threat Intelligence Sharing (Art. 45): voluntary participation in sector-wide information-sharing arrangements.

## Sanctions

Critical ICT providers: periodic daily fines of up to 1% of global average daily turnover, for up to 6 months. Financial entities: sanctions are governed by sectoral law (LOSSEC, TRLMV, LOSSEAR), reaching up to 10% of annual net turnover for very serious infringements.

Lexiel helps financial regulation lawyers locate DORA provisions, EBA/ESMA technical standards (RTS/ITS) and CJEU case law on cybersecurity and data protection.
