DORA — Digital Operational Resilience Act

Operational resilience for EU finance.

Resilience is now a regulatory test, not a best effort

Regulation (EU) 2022/2554 has applied since 17 January 2025. It targets EU financial entities — banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers, and more — and reaches their critical ICT third-party providers, who fall under an EU oversight framework run by the European Supervisory Authorities (EBA, EIOPA, ESMA).

DORA turns operational resilience into a measurable, supervised obligation built on five pillars: ICT risk management; ICT-related incident management and reporting; digital operational resilience testing; ICT third-party risk management; and information and intelligence sharing.

What we do

  • Map the pillars. We assess each of the five pillars against your current state and produce a prioritised remediation plan.
  • Harden third-party risk. We review ICT contracts and registers against the regulation's requirements, including concentration and exit risk.
  • Prepare for testing. We scope your resilience testing and ready you for Threat-Led Penetration Testing where the thresholds apply.
  • Streamline reporting. We design incident classification and reporting that meets the regulatory timelines.

For APAC and India-based firms serving EU finance

If you are an ICT provider supplying EU financial institutions, you may be drawn into DORA through your clients' contractual obligations, or be designated as a critical ICT third-party provider. We help firms in APAC and India understand that exposure and respond before a European customer's procurement team asks.