EU Digital Operational Resilience Act
Issued by: European Parliament and Council of the European Union; supervised jointly by the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA), collectively the European Supervisory Authorities (ESAs)
The EU Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, establishes a comprehensive ICT risk management, incident reporting, operational resilience testing, and third-party risk oversight framework for EU financial entities, with direct implications for AI systems deployed in financial services and the technology providers that supply them.
Overview
The EU Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, became fully applicable on 17 January 2025, consolidating and harmonizing ICT risk requirements across the EU financial sector. Prior to DORA, ICT operational resilience obligations for financial entities were fragmented across sector-specific EBA, EIOPA, and ESMA guidelines, national supervisory guidance, and the Network and Information Security Directive. DORA supersedes or supplements these instruments and creates a single binding EU-level framework. The regulation applies directly to a broad range of financial entities, including credit institutions, investment firms, insurance undertakings, payment institutions, crypto-asset service providers, and data reporting services providers, as well as to critical ICT third-party service providers (CTPPs) designated by the ESAs.

DORA is organized around five pillars: (1) an ICT risk management framework, requiring financial entities to maintain a documented, board-approved ICT risk framework that includes identification, protection, detection, response, and recovery capabilities; (2) ICT-related incident management and reporting, with mandatory classification, internal escalation, and regulatory reporting timelines (major incidents must be reported to competent authorities within defined timeframes using standardized templates); (3) digital operational resilience testing, including threat-led penetration testing (TLPT) for significant entities at minimum every three years; (4) ICT third-party risk management, requiring contractual minimum provisions in all ICT vendor agreements, concentration risk monitoring, and exit strategies for critical ICT dependencies; and (5) information and intelligence sharing arrangements permitting voluntary threat intelligence exchange among financial entities.
For AI governance, DORA is highly relevant because AI systems used in algorithmic trading, credit decisioning, fraud detection, customer-facing services, and risk modeling constitute ICT assets subject to DORA's risk management framework. Financial entities must map AI systems within their ICT asset inventories, assess their criticality, and ensure that AI vendor agreements comply with DORA's mandatory contractual requirements. AI model failures, adversarial attacks, or third-party AI service outages may constitute ICT incidents reportable under DORA. The ESAs have issued regulatory technical standards (RTS) and implementing technical standards (ITS) under DORA covering, among other topics, ICT risk management framework requirements (Joint RTS on simplified ICT risk management for smaller entities), major incident classification criteria, TLPT requirements, and critical third-party oversight. The Oversight Framework for CTPPs enables the Lead Overseer (an ESA) to conduct investigations, on-site inspections, and issue binding recommendations to designated critical providers, which may include AI infrastructure providers.
Key Requirements
- Establish and maintain a board-approved ICT risk management framework covering governance, strategy, and the full ICT risk lifecycle including AI systems
- Maintain a complete and up-to-date register of all ICT assets, including AI models and supporting infrastructure, with documented criticality classification
- Implement business continuity, backup, and ICT disaster recovery plans specifically addressing critical AI-dependent processes
- Classify ICT-related incidents according to ESA-prescribed criteria; report major incidents to the relevant competent authority within prescribed timeframes (initial notification within 4 hours of classification as major; intermediate report within 72 hours; final report within one month)
- Conduct digital operational resilience testing including basic testing (vulnerability assessments, gap analyses) annually and threat-led penetration testing (TLPT) at least every three years for significant entities
- Manage ICT third-party risk through a documented Third-Party Risk Management Policy covering due diligence, onboarding, ongoing monitoring, and exit strategies for all ICT vendors including AI service providers
- Ensure ICT third-party contracts include DORA-mandated minimum provisions: service level descriptions, data location, audit rights, termination rights, sub-outsourcing controls, and incident cooperation obligations
- Monitor and manage ICT concentration risk arising from reliance on a limited number of critical ICT providers, including AI infrastructure and foundation model providers
- Designate a control function or senior manager responsible for ICT risk management with appropriate reporting lines to the management body
- Participate in the ESA Oversight Framework requirements if designated as a critical third-party service provider (CTPP)
What Your Organization Must Do
- Verify that your ICT risk management framework is board-approved, documented, and fully operational as of 17 January 2025, explicitly covering all AI systems used in trading, credit, fraud detection, and customer services; assign ownership to a designated senior ICT risk manager with direct reporting lines to the management body.
- Complete a comprehensive ICT asset inventory that includes all AI models, training data pipelines, and supporting infrastructure, with documented criticality classifications for each asset; use this register as the foundation for business continuity and disaster recovery plans that address AI-dependent processes specifically.
- Implement an ICT incident classification and escalation procedure aligned with ESA criteria, ensuring your operations and technology teams can execute the mandatory reporting timeline: initial notification to the competent authority within 4 hours of major incident classification, intermediate report within 72 hours, and final report within one month; run tabletop exercises to validate these timelines.
- Audit all existing ICT and AI vendor contracts against DORA's mandatory minimum provisions, including service level descriptions, data location clauses, audit rights, termination rights, sub-outsourcing controls, and incident cooperation obligations; remediate non-compliant contracts with counterparties before renegotiation deadlines and prioritize agreements with critical AI infrastructure and foundation model providers.
- Establish a Third-Party Risk Management Policy that addresses ICT concentration risk from reliance on a small number of AI or cloud providers; map single points of dependency, document exit strategies for each critical provider, and report concentration risk findings to the management body at least annually.
- Schedule and resource your digital operational resilience testing program so that vulnerability assessments and gap analyses occur at least annually, and threat-led penetration testing (TLPT) is planned and executed at least once every three years if your entity meets the significance threshold defined in the ESA regulatory technical standards; coordinate with your CISO to ensure AI systems are included in TLPT scope.
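The asset-register, contract-audit and incident-timeline steps above lend themselves to a simple automated check. The following is an added illustration, not code from the page or from any supervisor or vendor: the register, provider names and contract contents are constructed sample data, the six provisions are the ones listed on this page, and "one month" is interpreted as one calendar month (clamped to the last day of a shorter month), which is an assumption.

```python
import calendar
from collections import defaultdict
from datetime import datetime, timedelta

# DORA-mandated minimum contract provisions, as listed on this page.
REQUIRED_PROVISIONS = frozenset({
    "service_levels", "data_location", "audit_rights",
    "termination_rights", "sub_outsourcing_controls", "incident_cooperation",
})

# Constructed sample ICT asset register (not real data): each AI asset, the business
# process it supports, the third-party provider it depends on, and its criticality.
REGISTER = [
    {"asset": "credit-scoring-model", "process": "retail lending", "provider": "ModelCloud-A", "critical": True},
    {"asset": "fraud-detector", "process": "card payments", "provider": "ModelCloud-A", "critical": True},
    {"asset": "market-risk-engine", "process": "trading risk", "provider": "ModelCloud-A", "critical": True},
    {"asset": "chat-assistant", "process": "customer service", "provider": "LLM-Vendor-B", "critical": False},
]

# Constructed sample contracts: the provisions each vendor agreement actually contains.
CONTRACTS = {
    "ModelCloud-A": {"service_levels", "data_location", "audit_rights", "termination_rights"},
    "LLM-Vendor-B": set(REQUIRED_PROVISIONS),
}

def missing_provisions(provider):
    """Mandated provisions absent from a vendor's contract; an unknown vendor lacks all of them."""
    return sorted(REQUIRED_PROVISIONS - CONTRACTS.get(provider, set()))

def concentration_risk(register, threshold=2):
    """Providers on which at least `threshold` distinct critical processes depend (single points of dependency)."""
    critical = defaultdict(set)
    for row in register:
        if row["critical"]:
            critical[row["provider"]].add(row["process"])
    return {p: sorted(v) for p, v in critical.items() if len(v) >= threshold}

def reporting_deadlines(classified_at):
    """Major-incident deadlines from the ISO-8601 classification time: 4h, 72h, one calendar month (assumed)."""
    t = datetime.fromisoformat(classified_at)
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    final = t.replace(year=year, month=month, day=min(t.day, calendar.monthrange(year, month)[1]))
    return {"initial": t + timedelta(hours=4), "intermediate": t + timedelta(hours=72), "final": final}

def overdue_reports(classified_at, submitted, now):
    """Report stages past their deadline without a timely submission (all times ISO-8601, same timezone form)."""
    return sorted(name for name, due in reporting_deadlines(classified_at).items()
                  if datetime.fromisoformat(submitted.get(name, now)) > due)
```

Running `concentration_risk(REGISTER)` on the sample data flags ModelCloud-A as a single point of dependency for three critical processes, and `missing_provisions("ModelCloud-A")` shows its contract lacks the sub-outsourcing and incident-cooperation clauses.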
Frequently Asked Questions
- When did DORA become enforceable and is there any grace period for compliance?
- DORA became fully applicable on 17 January 2025 with no grace period. Financial entities were expected to have compliant ICT risk management frameworks, incident reporting procedures, and vendor contracts in place by that date. Supervisors across the EU began assessing compliance from that point forward.
- Which financial entities are in scope for DORA and does it apply to non-EU firms?
- DORA applies to a broad range of EU-regulated financial entities including banks, investment firms, insurers, payment institutions, crypto-asset service providers, CCPs, and data reporting services providers. Non-EU firms are in scope if they provide ICT services to EU financial entities and are designated as critical third-party providers (CTPPs) by the ESAs.
- What are the mandatory incident reporting timeframes under DORA for major ICT incidents?
- For incidents classified as major, financial entities must submit an initial notification to their competent authority within 4 hours of classification, an intermediate report within 72 hours, and a final report within one month. AI system failures, adversarial attacks, or third-party AI service outages may qualify as major ICT incidents triggering these timelines.
- What contractual provisions must AI and cloud vendor agreements include to comply with DORA?
- DORA mandates that all ICT vendor contracts, including those with AI service providers and cloud infrastructure firms, include service level descriptions, data location clauses, audit rights, termination rights, sub-outsourcing controls, and obligations to cooperate on incident response. Non-compliant contracts must be remediated regardless of when they were originally signed.
- How does DORA's critical third-party provider oversight framework affect AI infrastructure vendors?
- The ESAs can designate AI infrastructure providers, foundation model vendors, or cloud platforms as CTPPs if they are deemed critical to EU financial sector stability. Designated CTPPs are subject to a Lead Overseer from the ESAs who can conduct investigations, on-site inspections, and issue binding recommendations directly to those providers.
- How does DORA interact with the EU AI Act for financial entities deploying AI systems?
- DORA and the EU AI Act operate in parallel and are complementary rather than mutually exclusive. DORA requires AI systems to be included in ICT asset inventories, risk frameworks, and vendor contracts, while the AI Act imposes additional conformity requirements for high-risk AI use cases such as credit scoring. Financial entities must satisfy both frameworks simultaneously for in-scope AI deployments.
