DORA (Digital Operational Resilience Act)

By Paul Brock·Updated on 24-04-2026
TL;DR

DORA is the EU regulation (in force since 17 January 2025) requiring financial institutions to maintain robust IT risk management, incident reporting and strict oversight of critical third parties such as cloud providers.

DORA harmonises operational resilience rules for all financial entities in the EU: banks, insurers, investment firms, crypto service providers (under MiCA) and critical ICT providers. Five pillars: ICT risk management, ICT incident reporting, resilience testing (including TLPT pen-tests), third-party risk management, information sharing. Non-compliance: fines up to 2% of global turnover. Practical consequence: detailed ICT contract registers, exit strategies, substantial compliance investment.

Example

A Dutch challenger bank runs all of its production systems on AWS. Under DORA this means: a contract register covering the AWS arrangement, an exit plan within 12 months, regular joint testing, and reporting of significant incidents within 4 hours to DNB/ESMA.

Frequently asked questions

Does DORA apply to fintech startups?

Yes, if the startup operates under a regulated financial label (EMI, PI, crypto CASP). Proportionality applies: the rules scale with size, but the basic obligations apply to all.

What is TLPT?

Threat-Led Penetration Testing: advanced, scenario-based pen tests. Mandatory for large financial entities every 3 years. They are carried out by certified testers, with the TIBER-EU framework as the basis.
