The terms a digital operational resilience team actually uses, defined in plain language by practitioners and grounded in Regulation (EU) 2022/2554. For the full walk-through, see the EU DORA practitioner's guide.
The Digital Operational Resilience Act, Regulation (EU) 2022/2554. Binding EU law that requires financial entities and their ICT providers to withstand, respond to, and recover from disruptions to their network and information systems. It applies from January 17, 2025.
The ability of a financial entity to build, assure, and review its operational integrity and reliability by securing the network and information systems it relies on, whether directly or through its ICT third-party providers. It is the outcome the regulation is written to protect.
An entity in scope of DORA under Article 2, including credit institutions, payment and e-money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, insurers and intermediaries, occupational pension funds, credit rating agencies, and crowdfunding providers.
The risk of loss arising from a failure, breach, or disruption of network and information systems, including the risk that an ICT-related incident harms the availability, authenticity, integrity, or confidentiality of data, or the continuity of the services the entity provides.
The sound, comprehensive, and documented framework, forming part of overall risk management, through which a financial entity identifies, protects against, detects, responds to, recovers from, and learns about ICT risk. It is the first DORA pillar.
The board or equivalent governing body that DORA holds accountable for ICT risk. It defines and approves the ICT risk framework, sets the risk tolerance and the resilience strategy, allocates budget, and bears ultimate responsibility for ICT risk. The accountability cannot be delegated away.
An undertaking that provides ICT services to financial entities, such as cloud platforms, software vendors, and data services. DORA reaches these providers through the entity's contracts and, for the most important of them, through a direct oversight framework.
An ICT third-party provider designated by the European Supervisory Authorities as systemically important to the EU financial sector. A CTPP is placed under the DORA oversight framework and assigned a Lead Overseer. Designations began in 2026.
The fifth DORA pillar: a supervisory regime giving the European Supervisory Authorities direct oversight of critical ICT third-party providers, including powers to request information, run investigations and inspections, and issue recommendations.
The European Supervisory Authority assigned to oversee a designated critical ICT third-party provider. It assesses the provider, adopts an annual oversight plan, and exercises the oversight powers DORA confers.
The inventory of all the entity's ICT contractual arrangements with third-party providers, maintained at entity, sub-consolidated, and consolidated level, distinguishing those that support critical or important functions. It is reported to the competent authority each year, and its fields are set by an implementing technical standard.
A single event or series of linked events, unplanned by the entity, that compromises the security of network and information systems and has an adverse impact on the availability, authenticity, integrity, or confidentiality of data, or on the services the entity provides.
An ICT-related incident that crosses the materiality thresholds set in the DORA technical standards. A major incident triggers reporting to the competent authority in three stages: initial, intermediate, and final.
The process of judging an ICT-related incident against DORA criteria, including clients and transactions affected, downtime and duration, geographical spread, data losses, the criticality of services, and economic impact, to decide whether it is major and reportable.
The obligation to notify a major ICT-related incident to the competent authority on standard templates in three stages: an initial notification, an intermediate report as the situation develops, and a final report after root-cause analysis. The entity stays responsible even when reporting is outsourced.
The third DORA pillar: a risk-based programme that tests the entity's ICT systems, including, at least yearly, the systems behind critical or important functions, using independent testers and remediating the findings.
An advanced resilience test that simulates a real attacker against the entity's live production systems. Entities identified by their competent authority must run TLPT at least every three years; the authority validates the scope, and in-scope ICT providers must take part.
The risk arising from relying on a hard-to-substitute ICT provider, from concentrating multiple critical arrangements with one provider or with closely connected providers, or from long or third-country subcontracting chains. It must be assessed before contracting for a critical or important function.
A documented and tested plan, required for ICT arrangements that support critical or important functions, that lets the entity move off a provider, including through a transition period, without losing continuity of service.
A function whose disruption would materially impair the entity's financial performance, the soundness or continuity of its services, or its ability to meet regulatory obligations. DORA applies its strictest third-party and testing requirements to these functions.
An ICT provider's use of further providers to deliver part of the service. DORA requires the entity to assess subcontracting chains, including long or third-country chains, for the risk they add. The detail is set by a regulatory technical standard.
The DORA principle that the ICT risk management rules apply in proportion to an entity's size, overall risk profile, and the nature, scale, and complexity of its operations. It is one of the two cross-cutting rules beneath the five pillars.
A lighter regime for defined smaller entities, such as small and non-interconnected investment firms and small pension funds. They are excused from the full article-by-article framework but must keep a sound, documented framework covering protection, detection, continuity, testing, and follow-up.
A financial entity that, broadly, employs fewer than ten people and has a limited turnover or balance sheet total. DORA grants microenterprises specific relief from a number of requirements throughout the regulation.
The national or EU authority that supervises a financial entity for DORA purposes and receives its incident reports and register of information. Which authority applies depends on the entity's type.
The three EU authorities, the EBA, ESMA, and EIOPA, that, through their Joint Committee, develop the DORA technical standards and run the oversight framework for critical ICT third-party providers.
Binding rules developed by the ESAs that fill in the technical detail DORA leaves to standards, such as the ICT risk framework elements, incident classification thresholds, and the TLPT methodology. They are the source of operative specifics, which should be checked against the current version of the standard rather than quoted from memory.
Binding standards developed by the ESAs that set out forms, templates, and procedures under DORA, including the template for the register of information. Like the RTS, they carry detail that has to be checked against the current version of the standard rather than recalled.
Compliance Command Center turns these concepts into a board-ready DORA program, run by practitioners and backed by software. Rupture Labs builds your register of information, maps your contracts against the regulation's required provisions, and assembles the readiness assessment from evidence.