The Art of CTO DORA Compliance tool assesses readiness for the Digital Operational Resilience Act, the EU regulation requiring financial services firms to manage ICT risk, test resilience, and report incidents.
Frequently Asked Questions
What is the Digital Operational Resilience Act (DORA)?
DORA (Regulation (EU) 2022/2554) is an EU regulation that entered into force in January 2023 and has applied since 17 January 2025. It requires financial entities and their critical ICT third-party providers to implement comprehensive digital resilience measures. It covers five pillars: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, ICT third-party risk management, and information-sharing arrangements. Unlike the earlier supervisory guidelines it replaces, DORA is a directly applicable, binding regulation backed by supervisory enforcement, applying to banks, insurers, investment firms, and other financial entities, and extending to the technology vendors that serve them.
Does DORA apply to technology vendors serving financial companies?
Yes. ICT third-party providers that the European Supervisory Authorities designate as critical, which can include cloud providers, SaaS platforms, and managed service providers, fall under DORA's oversight framework: a Lead Overseer can request information, carry out inspections, and issue recommendations that the provider is expected to follow. Non-critical ICT providers are not supervised directly, but they still face DORA's requirements through contract, because their financial services clients must include specific clauses in vendor agreements (Article 30) covering service descriptions and data locations, audit and access rights, incident-notification and support obligations, termination rights, and exit strategies.