Compliance

What is DORA? A plain-English primer

DORA — the Digital Operational Resilience Act — is EU regulation that sets common rules for how financial firms manage the technology risk that underpins their business. It has applied since 17 January 2025. This is the short version: what it is, who it touches, and what it asks for.

The idea behind it

Financial services run on technology, and when that technology fails, customers and markets feel it. Before DORA, the rules on ICT (information and communications technology) risk were scattered and inconsistent across the EU. DORA pulls them into one framework so that “can your systems take a hit and keep running?” is answered to a common standard.

Who it applies to

Two groups:

  1. Financial entities in the EU — banks, investment firms, insurers, payment and e-money firms, crypto-asset providers, fund managers and more.
  2. Critical ICT third-party providers — the cloud platforms, software vendors and managed providers those firms depend on.

For UK firms the question is exposure: if you operate in the EU, serve EU clients, or sit in the supply chain of a firm that does, DORA can reach you — and even where it doesn’t, the UK’s own operational-resilience rules ask very similar questions.

The five pillars

DORA is long, but it stands on five things:

  • ICT risk management — a proper framework: know your systems, control access, monitor, document, and govern it from the top.
  • Incident reporting — detect, classify and report major ICT-related incidents within set timelines.
  • Resilience testing — test your defences and recovery regularly, and keep the evidence. The largest firms face advanced threat-led testing.
  • Third-party risk — manage and monitor your ICT suppliers, keep a register of them, and understand concentration risk.
  • Information sharing — cooperate and share threat intelligence across the sector.

What it means in practice

Most of DORA is good IT management made explicit and provable. The firms that find it painful are the ones whose controls exist informally — “we’re sure that’s handled” — because DORA wants it written down, tested, and evidenced on request.

If DORA is on your radar, start with the foundations: an accurate picture of your systems and suppliers, controls that genuinely operate, incident and testing processes set up before you need them, and evidence captured as you go. That’s the ground everything else stands on — and it’s where we’d begin.

Next step

Want technology you can stop thinking about?

A 30-minute call, no obligation. We’ll tell you plainly whether we can help.

Book a call
