DORA · EU Digital Operational Resilience Act Overview
[!info] TL;DR DORA (Regulation (EU) 2022/2554) came into full force on 2025-01-17. It imposes 5 pillars of requirements on all EU financial institutions and their critical ICT third-party suppliers (including cloud, wallet provider and blockchain infrastructure): ICT risk management, incident reporting, digital operational resilience testing, third-party risk, and information sharing. Combined with MiCA, it forms a "conduct + resilience" dual-track supervision.
Key facts
- DORA adopted: 2022-12-14 (Regulation (EU) 2022/2554)
- DORA in force: 2025-01-17 (all provisions)
- Scope: approx. 22,000 EU financial institutions + 3,000+ ICT suppliers
- Maximum fines: financial institutions up to 1% of worldwide turnover + ICT suppliers up to 1% of turnover
- The ESAs published 9 sets of Level 2 RTS/ITS in 2024-07
- A major incident must be initially reported within 4 hours + reported in detail within 72 hours
- TLPT framework: covers all significant financial institutions over approx. 5 years
- The DORA Joint Committee is a three-party composition of EBA + ESMA + EIOPA
Mechanism / How it works
Five pillars:
- ICT Risk Management (Art. 5-16): governance framework · CEO / Board directly responsible · asset inventory + risk assessment · Business Continuity Plan + Disaster Recovery
- ICT-Related Incident Reporting (Art. 17-23): a major incident must be initially reported within 4 hours + reported in detail within 72 hours · EU common template (ESAs 2024-07 RTS)
- Digital Operational Resilience Testing (Art. 24-27): Threat-Led Penetration Testing (TLPT) every 3 years · based on the TIBER-EU framework · cross-border coordinated testing
- ICT Third-Party Risk (Art. 28-44): a Critical Third-Party Provider (CTPP) is supervised directly by the ESAs · covers cloud / blockchain infra / wallet provider — for details see DORA CTPP Third-Party Risk · Indirectly Bringing AWS/Anchorage under Financial Regulation
- Information Sharing (Art. 45): voluntary threat-intelligence sharing · similar to US FS-ISAC
Origin & evolution
DORA was proposed as part of the 2020-09 EU Commission Digital Finance Package and was advanced in the same period as MiCA. It was adopted in 2022-12 and has been in full force since 2025-01. The ESAs (EBA + ESMA + EIOPA) published 9 sets of Level 2 RTS/ITS in 2024-07, implementing 9 sub-areas. US counterpart: across the dimensions of the FFIEC IT Handbook · NYDFS Part 500 · OCC Heightened Standards · MRA, a USA-EU MRA would need to include DORA-equivalent provisions; for details see MiCA cross-border implications: USDC-EURC bilateral recognition and a 2026-Q3 U.S.-EU MRA.
Related
- Wiki Index
- DORA CTPP Third-Party Risk · Indirectly Bringing AWS/Anchorage under Financial Regulation
- Deep dive into MiCA EMT vs ART sub-classification · Product shaping based on regulatory burden
- U.S. / EU / Japan "three major circles" stablecoin global compliance architecture
- GENIUS Act §501