EU DORA Framework Overview

DORA Overview

DORA is a European Union (EU) law that updates and outlines uniform rules on the security of the network and information systems of financial entities, such as banks, insurance companies and investment firms. It covers a wide range of EU-regulated financial entities, requiring them to withstand, respond to and recover from any disruption or threat involving information and communication technologies (ICT). In addition to financial institutions, DORA also applies to critical ICT third-party service providers that provide ICT services to financial institutions.

DORA is primarily a legal framework because it establishes mandatory requirements for the operational resilience of financial entities across the European Union, focusing on ICT (Information and Communication Technology) risk management.

While DORA encompasses cybersecurity, risk management, and operational continuity, its core function is to ensure that financial institutions adhere to legal standards of resilience, manage risks, and maintain compliance with EU law. The regulation includes specific provisions on governance, reporting obligations, and contractual management, which must be legally sound and enforceable so that organizations meet their compliance obligations and avoid penalties.

Applicability

DORA is a complex piece of legislation that covers:

  • Credit, payment, electronic money and occupational pension institutions;

  • Service providers for account information, crypto assets, data reporting, crowdfunding and ICT third parties;

  • Investment firms, alternative investment funds, management companies, credit rating agencies and administrators of critical benchmarks;

  • Trade and securitization repositories, central securities depositories, central counterparties and trading venues;

  • Insurance, insurance intermediaries and reinsurance businesses.

Scope

DORA has a broad scope and applies to almost all authorized financial institutions, ranging from credit institutions to pension funds and from alternative investment fund managers to insurance undertakings (collectively, the ‘Financial Entities’). DORA allows for a proportionate application of its requirements for certain Financial Entities, particularly micro-enterprises.

Under DORA, micro-enterprises are defined as entities with up to 10 employees and a turnover or balance sheet total of up to €2 million. This is an important point to emphasize: even small companies must comply with DORA.

DORA in Drata

Please note that while Drata offers a foundational starting point for DORA compliance, we highly advise that all customers engage their legal teams to review the requirements, Drata or custom controls, and policies. This ensures they are appropriately tailored to the organization's unique needs for DORA compliance, in consultation with the relevant regulatory authorities.