Regulation (EU) 2022/2554 (Digital Operational Resilience Act – DORA) was published in the Official Journal of the European Union on December 27, 2022. The regulation amends:
- Regulation (EC) No. 1060/2009 (Credit Ratings Agency Regulation – CRAR).
- Regulation (EU) No. 648/2012 (European Market Infrastructure Regulation – EMIR).
- Regulation (EU) No. 600/2014 (Markets in Financial Instruments Regulation – MiFIR).
- Regulation (EU) No. 909/2014 (Central Securities Depositaries Regulation – CSDR).
- Regulation (EU) 2016/1011 (Benchmarks Regulation – BMR).
DORA lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities. Specifically, the regulation provides:
- Requirements applicable to financial entities in relation to ICT risk management, reporting, testing, information sharing and measures for the sound management of ICT third-party risk.
- Requirements relating to the contractual arrangements concluded between ICT third-party service providers and financial entities.
- Rules for the establishment and conduct of the oversight framework for critical ICT third-party service providers when providing their services to financial entities.
- Rules for cooperation among competent authorities.
These rules apply to all financial institutions, including banks, payment institutions, electronic money institutions, crypto-asset service providers, third-party service providers and others. Through the extensive set of rules and wide applicability, the regulation aims to achieve a high common level of digital operational resilience in the European Union.
DORA was first announced in the digital finance package on September 24, 2020, which provided a proposal for a regulation on digital operational resilience. The European Council subsequently reached a provisional agreement on DORA on May 11, 2022. On November 28, 2022, the European Council formally adopted DORA.
With the publication of DORA in the Official Journal of the European Union, the regulation entered into force on January 16, 2023. It subsequently applied from January 17, 2025.
DORA also contains several reporting requirements, including:
- The annual submission of a register of information.
- Ad-hoc submission of major ICT-related incident reports.
This Mapping EU Legislation: DORA page will be updated in line with any DORA update. This includes any delegated regulation, implementing regulation or guideline issued and published at EU level, or any legislation supplementing it at member state level.
| Item | Date |
|---|---|
| Publication date | December 27, 2022 |
| Entry into force | January 16, 2023 |
| Application date | January 17, 2025 |
Implementing Acts
| Country | Act | Competent Authority |
|---|---|---|
| | | The Austrian Financial Markets Authority. |
| | Act on digital operational resilience for the financial sector and containing various provisions | The National Bank of Belgium. |
| | | The Bulgarian National Bank. |
| | | The Croatian Financial Services Supervisory Agency and the Croatian National Bank. |
| | Notification for the Application of Article 19 and 46 of Regulation (EU) 2022/2554 | The Cyprus Securities and Exchange Commission and the Central Bank of Cyprus. |
| | | The Czech National Bank. |
| | | The Danish Financial Supervisory Authority. |
| Estonia | Implemented via several laws amending existing Estonian legislation. | The Estonian Financial Supervisory Authority. |
| | Implemented via the Act on Amendments to the Act on Financial Supervision and several other Acts | The Finnish Financial Supervisory Authority. |
| | The legislative act is currently undergoing parliamentary scrutiny. A draft law is available | The Prudential Control and Resolution Authority and the Financial Markets Authority. |
| | | The Federal Financial Supervisory Authority (BaFin) |
| | Law No. 5193 Strengthening the Capital Market and Other Provisions | The Bank of Greece. |
| | Act VII of 2024 and several other acts | Magyar Nemzeti Bank, the central bank. |
| | European Union (Digital Operational Resilience) Regulations 2025 and European Union (Digital Operational Resilience) (No. 2) Regulations 2025 | The Central Bank of Ireland. |
| | | |
| | | The Bank of Latvia. |
| Lithuania | Implemented via several laws amending existing Lithuanian legislation. | The Central Bank of Lithuania. |
| | | The Commission de Surveillance du Secteur Financier. |
| Malta | Implemented via several laws amending existing Maltese legislation. | The Malta Financial Services Authority. |
| | | The Dutch Central Bank and the Authority for Financial Markets. |
| | | The Polish Financial Supervision Authority (KNF). |
| | | |
| | Emergency order laying down implementing measures for Regulation (EU) 2022/2554 | The National Bank of Romania and the Financial Supervisory Authority (ASF). |
| Slovakia | To the best of Vixio’s knowledge, there is no legislative act at national level. | According to the EBA, the National Bank of Slovakia. |
| | Regulation implementing Regulation (EU) on digital operational resilience for the financial sector | The Bank of Slovenia, Securities Market Agency and Insurance Supervision Agency. |
| | | The Bank of Spain. |
| | | The Swedish Financial Supervisory Authority. |
Secondary Regulations
DORA contains empowerments for the European Commission to develop draft delegated and implementing acts.
A draft act, once finalised by the regulators, is submitted to the European Commission for endorsement. If endorsed, it will be published in the Official Journal of the European Union as either a Commission Delegated Regulation (for a delegated act) or a Commission Implementing Regulation (for an implementing act). The procedure for the adoption of delegated acts is known as comitology (Article 290, Treaty on the Functioning of the European Union).
To date, the European Commission has published 12 delegated and implementing regulations. The published regulations are provided below:
| Regulation | Notes |
|---|---|
| Commission Delegated Regulation (EU) 2024/1774 (Vixio update) | Provides regulatory technical standards (RTS) specifying information and communication technology (ICT) risk management tools, methods, processes and policies, and the simplified ICT risk management framework. |
| Commission Delegated Regulation (EU) 2024/1772 (Vixio update) | Provides RTS for classifying ICT-related incidents and cyber threats, establishing materiality thresholds and detailing the reporting of major incidents. |
| Commission Delegated Regulation (EU) 2025/301 (Vixio update) | Provides RTS specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats. |
| Commission Implementing Regulation (EU) 2025/302 (Vixio update) | Provides implementing technical standards (ITS) with regard to the standard forms, templates and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat. |
| Commission Delegated Regulation (EU) 2025/1190 (Vixio update) | Provides RTS specifying: |
| Commission Implementing Regulation (EU) 2024/2956 (Vixio update) | Provides ITS with regard to standard templates for the register of information. |
| Commission Delegated Regulation (EU) 2024/1773 (Vixio update) | Provides RTS detailing the content of policies governing contractual arrangements for ICT services supporting critical or important functions provided by third-party ICT service providers. |
| Commission Delegated Regulation (EU) 2025/532 (Vixio update) | Provides RTS specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions. |
| Commission Delegated Regulation (EU) 2024/1502 (Vixio update) | Specifies the criteria for the designation of ICT third-party service providers as critical for financial entities. |
| Commission Delegated Regulation (EU) 2025/295 (Vixio update) | Provides RTS on harmonisation of conditions enabling the conduct of the oversight activities. |
| Commission Delegated Regulation (EU) 2025/420 (Vixio update) | Provides RTS to specify the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the ESAs and from the relevant competent authorities, their designation, tasks and working arrangements. |
| Commission Delegated Regulation (EU) 2024/1505 (Vixio update) | Provides requirements on determining the amount of the oversight fees to be charged by the lead overseer to critical ICT third-party service providers and the way in which those fees are to be paid. |
Guidelines
As with the delegated and implementing regulations above, DORA provided three mandates for the European Supervisory Authorities (ESAs) to develop guidelines on DORA by July 17, 2024. The published guidelines are provided below:
| Guideline | Notes |
|---|---|
| Joint Guidelines (JC 2024 36) on the oversight cooperation and information exchange between the ESAs and the competent authorities under Regulation (EU) 2022/2554 (Vixio update) | The guidelines are directed towards competent authorities, and aim to ensure that such authorities have: |
| Joint Guidelines (JC 2024 34) on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554 (Vixio update) | The guidelines outline the ESAs' view on appropriate supervisory practices within the Union on the estimation of aggregated annual costs and losses caused by major ICT-related incidents. They provide guidance to both supervisory authorities and financial institutions. |
| Joint Guidelines (JC 2025 29) on oversight activities (Vixio update) | The guidelines provide high-level explanations of the critical third-party providers (CTPPs) oversight framework. The guide provides an overview of: |
Following the implementation of DORA, national competent authorities have published information and guidance relating to the reporting of the registers of information. Each authority also has specific requirements for the submission of such registers. For more information see: Regulatory Reporting: Regulation (EU) 2022/2554 (Digital Operational Resilience Act – DORA) – Register of Information.




