Skip to content

DORA

Regulation (EU) 2022/2554 — the Digital Operational Resilience Act. In application since 17 January 2025 for financial entities and their critical ICT third-party providers.

DORA is the lead branch of this library. The regulation is organized around five pillars, and the resources here will follow the same structure:

Branches

Pillar Planned artefacts
ICT risk management (Ch. II) Document inventory · responsibility matrix for the management body · control mapping
Incident management & reporting (Ch. III) Classification checklist · reporting timeline reference · evidence examples
Digital operational resilience testing (Ch. IV) Testing programme checklist · TLPT readiness overview
ICT third-party risk (Ch. V) Register of information starter kit · contract clause checklist (Art. 30) · exit strategy template
Information sharing (Ch. VI) Short practical note

Under construction

This branch is being built out artefact by artefact — roughly one per week, announced on the blog. Pages listed above without links don't exist yet.

Primary sources

  • Regulation (EU) 2022/2554 on EUR-Lex
  • The technical standards (RTS/ITS) developed by the ESAs — linked from each artefact as it's published, since the set has continued to evolve; always verify you're reading the version in force.