DORA (Digital Operational Resilience Act)

EU Regulation 2022/2554 making digital operational resilience — including human-factor controls — directly binding on financial entities since 17 January 2025.

The Digital Operational Resilience Act (DORA) is Regulation (EU) 2022/2554, a directly applicable EU regulation governing the digital operational resilience of the financial sector. It applies as of 17 January 2025 to roughly 22,000 entities — banks, payment institutions, insurers, investment firms, crypto-asset service providers, trading venues — and to the ICT third parties on which they depend.

Unlike a directive, DORA does not require national transposition: its articles bind every in-scope entity in the same way across the EU. The regulation is built on five pillars: ICT risk management, incident reporting, digital operational resilience testing, ICT third-party risk, and information sharing.

  • Articles 5–15 require a documented ICT risk-management framework approved and reviewed by the management body.
  • Article 13 mandates ICT-related learning and development programmes, including awareness of cybersecurity threats, for staff and senior management — extended to ICT third-party providers where relevant.
  • Articles 17–23 require classification and reporting of major ICT-related incidents within strict timelines.
  • Articles 24–27 introduce advanced digital operational resilience testing, including threat-led penetration testing (TLPT) every three years for significant entities.
  • Articles 28–44 govern ICT third-party risk, including a Union-level Oversight Framework for critical third-party providers.

For RSSI and CISO teams in financial services, the practical consequence is that the human factor — credential phishing, social engineering of payments staff, unsafe handling of customer data — now sits inside the operational-resilience audit trail rather than next to it. The regulation expects training and awareness to be continuous and role-appropriate, not a one-off attestation, and supervisors will look for behavioural evidence that staff actually adopt safer practices.

DORA sits alongside NIS2 (which explicitly carves out financial entities where DORA applies as lex specialis) and GDPR Article 32. The European Supervisory Authorities (EBA, EIOPA, ESMA) jointly issue technical standards that refine each article; French entities additionally follow ANSSI guidance for technical implementation.
