The final text of the Digital Operational Resilience Act (DORA)


Preamble 1 to 106

Preamble 1 to 10, Digital Operational Resilience Act (DORA).


Preamble 11 to 20, Digital Operational Resilience Act (DORA).


Preamble 21 to 30, Digital Operational Resilience Act (DORA).


Preamble 31 to 40, Digital Operational Resilience Act (DORA).


Preamble 41 to 50, Digital Operational Resilience Act (DORA).


Preamble 51 to 60, Digital Operational Resilience Act (DORA).


Preamble 61 to 70, Digital Operational Resilience Act (DORA).


Preamble 71 to 80, Digital Operational Resilience Act (DORA).


Preamble 81 to 90, Digital Operational Resilience Act (DORA).


Preamble 91 to 106, Digital Operational Resilience Act (DORA).



CHAPTER I, General provisions

Article 1, Subject matter, Digital Operational Resilience Act (DORA)


Article 2, Scope, Digital Operational Resilience Act (DORA)


Article 3, Definitions, Digital Operational Resilience Act (DORA)


Article 4, Proportionality principle, Digital Operational Resilience Act (DORA)



CHAPTER II, ICT risk management

Article 5, Governance and organisation, Digital Operational Resilience Act (DORA)


Article 6, ICT risk management framework, Digital Operational Resilience Act (DORA)


Article 7, ICT systems, protocols and tools, Digital Operational Resilience Act (DORA)


Article 8, Identification, Digital Operational Resilience Act (DORA)


Article 9, Protection and prevention, Digital Operational Resilience Act (DORA)


Article 10, Detection, Digital Operational Resilience Act (DORA)


Article 11, Response and recovery, Digital Operational Resilience Act (DORA)


Article 12, Backup policies and procedures, restoration and recovery procedures and methods, Digital Operational Resilience Act (DORA)


Article 13, Learning and evolving, Digital Operational Resilience Act (DORA)


Article 14, Communication, Digital Operational Resilience Act (DORA)


Article 15, Further harmonisation of ICT risk management tools, methods, processes and policies, Digital Operational Resilience Act (DORA)


Article 16, Simplified ICT risk management framework, Digital Operational Resilience Act (DORA)



CHAPTER III, ICT-related incident management, classification and reporting

Article 17, ICT-related incident management process, Digital Operational Resilience Act (DORA)


Article 18, Classification of ICT-related incidents and cyber threats, Digital Operational Resilience Act (DORA)


Article 19, Reporting of major ICT-related incidents and voluntary notification of significant cyber threats, Digital Operational Resilience Act (DORA)


Article 20, Harmonisation of reporting content and templates, Digital Operational Resilience Act (DORA)


Article 21, Centralisation of reporting of major ICT-related incidents, Digital Operational Resilience Act (DORA)


Article 22, Supervisory feedback, Digital Operational Resilience Act (DORA)


Article 23, Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions, Digital Operational Resilience Act (DORA)



CHAPTER IV, Digital operational resilience testing

Article 24, General requirements for the performance of digital operational resilience testing, Digital Operational Resilience Act (DORA)


Article 25, Testing of ICT tools and systems, Digital Operational Resilience Act (DORA)


Article 26, Advanced testing of ICT tools, systems and processes based on TLPT, Digital Operational Resilience Act (DORA)


Article 27, Requirements for testers for the carrying out of TLPT, Digital Operational Resilience Act (DORA)



CHAPTER V, Managing of ICT third-party risk

Section I, Key principles for a sound management of ICT third-party risk

Article 28, General principles, Digital Operational Resilience Act (DORA)


Article 29, Preliminary assessment of ICT concentration risk at entity level, Digital Operational Resilience Act (DORA)


Article 30, Key contractual provisions, Digital Operational Resilience Act (DORA)



Section II, Oversight Framework of critical ICT third-party service providers

Article 31, Designation of critical ICT third-party service providers, Digital Operational Resilience Act (DORA)


Article 32, Structure of the Oversight Framework, Digital Operational Resilience Act (DORA)


Article 33, Tasks of the Lead Overseer, Digital Operational Resilience Act (DORA)


Article 34, Operational coordination between Lead Overseers, Digital Operational Resilience Act (DORA)


Article 35, Powers of the Lead Overseer, Digital Operational Resilience Act (DORA)


Article 36, Exercise of the powers of the Lead Overseer outside the Union, Digital Operational Resilience Act (DORA)


Article 37, Request for information, Digital Operational Resilience Act (DORA)


Article 38, General investigations, Digital Operational Resilience Act (DORA)


Article 39, Inspections, Digital Operational Resilience Act (DORA)


Article 40, Ongoing oversight, Digital Operational Resilience Act (DORA)


Article 41, Harmonisation of conditions enabling the conduct of the oversight activities, Digital Operational Resilience Act (DORA)


Article 42, Follow-up by competent authorities, Digital Operational Resilience Act (DORA)


Article 43, Oversight fees, Digital Operational Resilience Act (DORA)


Article 44, International cooperation, Digital Operational Resilience Act (DORA)



CHAPTER VI, Information-sharing arrangements

Article 45, Information-sharing arrangements on cyber threat information and intelligence, Digital Operational Resilience Act (DORA)



CHAPTER VII, Competent authorities

Article 46, Competent authorities, Digital Operational Resilience Act (DORA)


Article 47, Cooperation with structures and authorities established by Directive (EU) 2022/2555, Digital Operational Resilience Act (DORA)


Article 48, Cooperation between authorities, Digital Operational Resilience Act (DORA)


Article 49, Financial cross-sector exercises, communication and cooperation, Digital Operational Resilience Act (DORA)


Article 50, Administrative penalties and remedial measures, Digital Operational Resilience Act (DORA)


Article 51, Exercise of the power to impose administrative penalties and remedial measures, Digital Operational Resilience Act (DORA)


Article 52, Criminal penalties, Digital Operational Resilience Act (DORA)


Article 53, Notification duties, Digital Operational Resilience Act (DORA)


Article 54, Publication of administrative penalties, Digital Operational Resilience Act (DORA)


Article 55, Professional secrecy, Digital Operational Resilience Act (DORA)


Article 56, Data Protection, Digital Operational Resilience Act (DORA)



CHAPTER VIII, Delegated acts

Article 57, Exercise of the delegation, Digital Operational Resilience Act (DORA)



CHAPTER IX, Transitional and final provisions

Section I

Article 58, Review clause, Digital Operational Resilience Act (DORA)



Section II, Amendments

Article 59, Amendments to Regulation (EC) No 1060/2009, Digital Operational Resilience Act (DORA)


Article 60, Amendments to Regulation (EU) No 648/2012, Digital Operational Resilience Act (DORA)


Article 61, Amendments to Regulation (EU) No 909/2014, Digital Operational Resilience Act (DORA)


Article 62, Amendments to Regulation (EU) No 600/2014, Digital Operational Resilience Act (DORA)


Article 63, Amendment to Regulation (EU) 2016/1011, Digital Operational Resilience Act (DORA)


Article 64, Entry into force and application, Digital Operational Resilience Act (DORA)




Understanding Cybersecurity in the European Union.

1. The NIS 2 Directive

2. The European Cyber Resilience Act

3. The Digital Operational Resilience Act (DORA)

4. The Critical Entities Resilience Directive (CER)

5. The Digital Services Act (DSA)

6. The Digital Markets Act (DMA)

7. The European Health Data Space (EHDS)

8. The European Chips Act

9. The European Data Act

10. The European Data Governance Act (DGA)

11. The EU Cyber Solidarity Act

12. The Artificial Intelligence Act

13. The Artificial Intelligence Liability Directive

14. The Framework for Artificial Intelligence Cybersecurity Practices (FAICP)

15. The European ePrivacy Regulation

16. The European Digital Identity Regulation

17. The European Cyber Defence Policy

18. The Strategic Compass of the European Union

19. The EU Cyber Diplomacy Toolbox