DORA (Digital Operational Resilience Act)

An EU regulation that establishes uniform requirements for the security of network and information systems in the financial sector. DORA became mandatory on January 17, 2025, and applies to banks, insurance companies, investment firms, and their critical ICT service providers.

The Digital Operational Resilience Act (DORA) is a landmark EU regulation designed to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions. It establishes a comprehensive framework built on five pillars: ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information sharing.

DORA applies to over 22,000 financial entities across the EU, including banks, insurance companies, payment institutions, crypto-asset service providers, and critical ICT third-party providers. The regulation mandates that organizations implement robust ICT risk management frameworks, report major incidents to competent authorities, conduct regular resilience testing including threat-led penetration testing (TLPT), and maintain registers of all ICT third-party service providers.

For financial institutions operating in Germany, BaFin serves as the primary supervisory authority for DORA compliance. Non-compliance can result in significant administrative penalties and reputational damage.

Related Terms

ICT Risk Management

The process of identifying, assessing, and mitigating risks associated with information and communication technology systems. Under DORA, financial entities must maintain a comprehensive ICT risk management framework covering identification, protection, detection, response, and recovery.

Incident Reporting

The formal process of detecting, classifying, and reporting ICT-related incidents to competent authorities. DORA Articles 17-23 establish specific requirements for incident classification, initial notification, intermediate reports, and final reports to supervisory authorities.

TLPT (Threat-Led Penetration Testing)

An advanced form of security testing mandated by DORA Articles 26-27 for significant financial entities. TLPT uses real-world threat intelligence to simulate adversary tactics and test an organization's detection, response, and recovery capabilities against realistic attack scenarios.

BaFin (Federal Financial Supervisory Authority)

Germany's integrated financial regulatory authority responsible for supervising banks, insurance companies, and securities trading. BaFin is the primary competent authority for DORA compliance in Germany, receiving incident reports and conducting supervisory reviews.

Third-Party Risk Management

The process of identifying, assessing, and controlling risks arising from outsourcing to third-party service providers. Under DORA Article 28, financial entities must maintain a register of all ICT third-party providers and conduct thorough due diligence on critical providers.
