The Frequently Asked Questions are based on the current published requirements of DORA and will be updated once the final versions are published.

What is DORA?

DORA (Digital Operational Resilience Act) is a single legislative act addressing ICT risk in finance across the European union.

When is DORA due?

DORA is expected to be finalised in 2023. It will be published in an EU official journal. After an expected implementation period of 24 months, DORA is estimated to come in full force in 2025.

What are the biggest areas DORA addresses?

The biggest areas are;
1) ICT based risk and internal control framework
2) Incident management and reporting
3) Security testing
4) Resilience or business continuity management
5) Third-party risk management

What companies are effected by DORA?

Most companies within banking and finance are effected by DORA (with the exception of financial infrastructure companies) including banks, insurance companies, FinTechs, crypto asset providers and crowd funding companies. ICT third-party service providers are also included in DORA (to be defined by the EU financial authorities) and have to adhere to DORA.

How vital is the future management of ICT third-party providers?

The management of ICT third-party providers is a fundamental concept to DORA. It includes companies’ ability to have appropriate insight to manage, monitor and measure performance of third-party providers.

What is the difference between DORA and the ICT and security risk management regulations?

There are slight differences between DORA and the ICT regulations currently in force. At large the regulations address the same areas but there are subtle differences and focus areas. The ICT regulations are also broader as they are addressing additional areas such as governance and management of ICT.

Will DORA drive organisational changes?

For companies already organised by the three lines-of-defense model no significant changes are needed. For companies who previously have no regulation forcing a three line-of-defense model, a second-line-of-defense needs to established or outsourced to a professional service provider.

Is DORA the final regulation within information security and outsourcing?

DORA is expected to be accompanied with several Technical standards to clarify and regulate the banking and finance sector even further. These Technical Standards will be published one or two years after DORA is enforced (i.e. 2025 and 2026). There are also additional regulations under development within the information security areas, such as the EU Cyber Security Act, the NIS 2 Directive, and additional regulation from the European financial authorities (EBA, EIOPA and ESMA).

Want to find out how FCG can help you?

This website is using cookies

We use cookies for functionality and analysis.

Read more about cookies
Accept cookies

Cookie settings

Read more about cookies

These cookies are essential and required for this site to work properly. Without them we will not be able to assure that our website and services functions correctly.


Analytical cookies are used by third party web services to measure visitors traffic and helps us to evaluate the performance of this website. The collected data is used for the purpose to improve the visitors experience.