
DORA — Digital Operational Resilience for EU Financial Services

Complete guide to the Digital Operational Resilience Act — uniform ICT risk management requirements for banks, insurers, investment firms, and ICT providers.

What is DORA?

The Digital Operational Resilience Act (DORA), EU Regulation 2022/2554, establishes uniform requirements for the security of network and information systems supporting the business processes of the financial sector across the EU. It creates a comprehensive ICT risk management framework covering five pillars: ICT risk management governance, ICT-related incident reporting, digital operational resilience testing (including threat-led penetration testing), management of ICT third-party risk, and information sharing. The regulation became fully applicable on 17 January 2025, covering over 22,000 financial entities and ICT service providers.

Who It Applies To

Article 2(1) lists 21 categories: 20 types of financial entity (banks, payment institutions, investment firms, crypto-asset service providers, insurers, central counterparties, trading venues, and more) plus ICT third-party service providers (cloud services, data centres, software vendors) serving the financial sector.

Key Articles & Obligations

  • Article 1 — Subject matter
  • Article 2 — Scope
  • Article 4 — Proportionality principle
  • Article 5 — Governance and organisation
  • Article 8 — Identification
  • Article 11 — Response and recovery
  • Article 16 — Simplified ICT risk management framework

Key Deadlines

Entered into force

16 Jan 2023

DORA became EU law.

Full application

17 Jan 2025

All financial entities and ICT providers must now comply.

Fines & Enforcement

For critical ICT third-party providers: the Lead Overseer (one of the ESAs) can impose periodic penalty payments of up to 1% of average daily worldwide turnover per day of non-compliance, for a maximum of six months. National competent authorities supervising financial entities can impose administrative fines, temporary bans on members of the management body, and public notices.

Five Pillars of DORA

DORA is structured around five interconnected pillars that together create a comprehensive ICT risk management framework for the financial sector.

  • ICT Risk Management Governance — internal controls, frameworks, and board-level accountability for ICT risks
  • ICT-Related Incident Reporting — harmonised classification criteria and procedures for major ICT-related incidents, reported to the competent authority as an initial notification, an intermediate report, and a final report (Article 19)
  • Digital Operational Resilience Testing — a regular testing programme for all entities, plus advanced threat-led penetration testing (TLPT) at least every three years for entities identified by their competent authority (Article 26)
  • Management of ICT Third-Party Risk — oversight of cloud providers, software vendors, and other ICT service providers
  • Information Sharing — arrangements for sharing cyber threat intelligence and indicators of compromise between financial entities

Third-Party Risk Management

DORA introduces an oversight framework for ICT third-party providers, including direct EU-level oversight of critical providers by a Lead Overseer (one of the ESAs).

  • Financial entities must maintain a register of information covering all contractual arrangements for ICT services provided by third-party providers, and make it available to the competent authority on request
  • Contracts with ICT providers must include specific clauses on service levels, incident support, access, inspection and audit rights, and termination rights
  • Critical ICT third-party providers are designated by the European Supervisory Authorities (ESAs)
  • Critical providers are subject to direct EU-level oversight by a Lead Overseer, including on-site inspections
  • Financial entities remain fully responsible for their own compliance: outsourcing an ICT function does not transfer the obligation

How Law4Devs Helps with DORA Compliance

Law4Devs provides all 64 DORA articles as structured JSON from EUR-Lex. Filter by financial entity type, ICT risk pillar, and obligation category. Cross-reference with NIS2, GDPR, and PSD2.

Query DORA via API

GET /v1/frameworks/dora/articles
200 OK · structured JSON · official EUR-Lex source

Frequently Asked Questions

What is DORA?

DORA, the Digital Operational Resilience Act (EU Regulation 2022/2554), establishes uniform requirements for the security of network and information systems supporting the business processes of the financial sector across the European Union. Containing 64 articles, DORA creates a comprehensive ICT risk management framework covering five pillars: ICT risk management governance, ICT-related incident reporting, digital operational resilience testing (including threat-led penetration testing, or TLPT, for significant entities), management of ICT third-party risk, and information sharing arrangements. The regulation entered into force on 16 January 2023 and became fully applicable on 17 January 2025, meaning all in-scope financial entities must now comply. DORA applies to over 22,000 financial entities and ICT service providers operating in the EU. It complements NIS2 by creating sector-specific cybersecurity requirements for finance, and it works alongside GDPR for data protection obligations within financial services. Law4Devs provides all 64 DORA articles as structured JSON, queryable by entity type and obligation category.

Who does DORA apply to?

EU Regulation 2022/2554 applies to the 21 categories listed in Article 2(1): 20 types of financial entity plus ICT third-party service providers, covering over 22,000 organisations across the European Union. In-scope financial entities include credit institutions (banks), payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers and issuers of asset-referenced tokens, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds and management companies, data reporting service providers, insurance and reinsurance undertakings, insurance, reinsurance and ancillary insurance intermediaries, institutions for occupational retirement provision, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, and securitisation repositories. Critically, DORA also applies to ICT third-party service providers — including cloud computing providers, data analytics firms, and software vendors — that supply services to financial entities. The European Supervisory Authorities (EBA, ESMA, EIOPA) can designate ICT providers as critical, subjecting them to a direct oversight framework under a Lead Overseer. Proportionality applies (Article 4): obligations scale with an entity's size, overall risk profile, and the nature and complexity of its services. Microenterprises (fewer than 10 employees and an annual turnover or balance sheet total not exceeding EUR 2 million) are exempt from a number of requirements, and a simplified ICT risk management framework under Article 16 applies to specific small entities such as small and non-interconnected investment firms and exempted payment institutions. Law4Devs lets you filter DORA articles by financial entity type to identify your specific obligations.

What are DORA fines?

Under EU Regulation 2022/2554, DORA enforcement operates through national competent authorities in each Member State, who have the power to impose a range of administrative penalties and remedial measures. For critical ICT third-party providers under the direct oversight framework, the Lead Overseer (one of the European Supervisory Authorities) can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover of the preceding business year for each day of non-compliance, for a maximum of six months. National competent authorities supervising financial entities can require cessation of non-compliant conduct, impose temporary bans on members of the management body, issue public notices identifying the entity and the nature of the breach, and levy administrative fines as determined by Member State law. DORA requires Member States to ensure penalties are effective, proportionate, and dissuasive. The regulation also requires financial entities to report major ICT-related incidents to their competent authority, and failure to do so constitutes a separate breach. Law4Devs structures all DORA enforcement and penalty provisions as queryable JSON, helping financial institutions and their ICT providers assess compliance risk.

How does Law4Devs help with DORA?

Law4Devs provides all 64 articles of EU Regulation 2022/2554 as structured, machine-readable JSON via a REST API, sourced directly from EUR-Lex. Financial institutions, ICT providers, and compliance teams can query DORA articles by financial entity type (bank, insurer, investment firm, crypto-asset provider, and 17 more categories), ICT risk pillar (risk management, incident reporting, resilience testing, third-party risk, information sharing), obligation type, and timeline. Each response includes the full legal text, article metadata, semantic tags identifying whether a provision establishes an obligation, governance requirement, or reporting duty, and cross-references to related articles in NIS2, GDPR, and PSD2. The API tracks EUR-Lex amendments and Regulatory Technical Standards published by the ESAs automatically, ensuring integrations always reflect the latest consolidated text. Responses average 34 milliseconds. Official SDKs are available for Python, TypeScript, Java, Rust, PHP, and Dart, making it straightforward to integrate DORA compliance checks into fintech platforms, risk management dashboards, and audit workflows.

Access DORA as Structured JSON

All articles, recitals, and amendments — queryable, filterable, and always up to date.