DORA (Digital Operational Resilience Act) is EU Regulation 2022/2554, applied from 17 January 2025. It establishes uniform ICT risk management, incident reporting, resilience testing, and third-party oversight requirements across the EU financial sector.

What are the DORA incident reporting deadlines?

Initial notification within 4 hours of major-incident classification (at most 24 hours after becoming aware). Intermediate report within 72 hours. Final report within one month of initial notification.

Who must comply with DORA?

Banks, payment institutions, investment firms, crypto-asset service providers, insurers, pension funds, fund managers, trade repositories, central counterparties, and central securities depositories. Critical ICT third-party providers are also designated for direct EU oversight.

When did DORA take effect?

DORA entered into force on 16 January 2023 and became applicable on 17 January 2025. As an EU regulation it applies directly without member-state transposition.

How is DORA different from NIS2?

DORA is sector-specific to financial services and is a regulation (direct effect). NIS2 is cross-sector across 18 industries and is a directive (requires national transposition). DORA's reporting deadlines are tighter (4-hour initial notification vs NIS2's 24-hour early warning).

DORA - Digital Operational Resilience Act (EU 2022/2554)

The Digital Operational Resilience Act (DORA) is EU Regulation 2022/2554, applied from 17 January 2025. DORA establishes a uniform framework for ICT risk management, incident reporting, operational resilience testing, and oversight of critical third-party ICT providers across the EU financial sector. Unlike a directive, DORA is a regulation: it applies directly without national transposition.

Source: Regulation (EU) 2022/2554 of 14 December 2022.

DORA Incident Reporting Timeline

Article 19 of DORA establishes incident reporting obligations for "major" ICT-related incidents:

Initial notification: as soon as possible, within 4 hours after classification as major and at most 24 hours after becoming aware
Intermediate report: within 72 hours of initial notification, providing additional detail on impact and root cause
Final report: within 1 month of the initial notification, with full incident details, impact assessment, and remediation

Reports are filed with the financial entity's competent authority. Significant cyber threats may also be reported voluntarily.

Who Is in Scope

DORA applies to financial entities including credit institutions, payment institutions, e-money institutions, investment firms, crypto-asset service providers, insurance and reinsurance undertakings, pension funds, fund managers, central counterparties, trade repositories, and central securities depositories. It also applies to critical ICT third-party service providers designated by the European Supervisory Authorities under direct EU oversight.

Five Pillars of DORA

ICT risk management: governance, identification, protection, detection, response, recovery
ICT incident reporting: classification, notification, and final reporting
Digital operational resilience testing: vulnerability assessments, scenario-based testing, threat-led penetration testing
ICT third-party risk management: contractual requirements, register of contracts, exit strategies
Information and intelligence sharing: voluntary sharing of cyber threat information among financial entities

Meet DORA incident reporting deadlines

IR-OS supports the DORA 4-hour, 24-hour, 72-hour, and one-month deadlines with role-based workflows and audit-ready records for ESAs and national competent authorities.

Start free

DORA - Digital Operational Resilience Act (EU 2022/2554)

DORA Incident Reporting Timeline

Who Is in Scope

Five Pillars of DORA

Related Terms

Meet DORA incident reporting deadlines