DORA (Digital Operational Resilience Act)
ICT risk management for financial services
DORA has been in force since January 2025. It requires financial entities — including insurers and leasing companies — to maintain comprehensive ICT risk management, test digital resilience, and oversee third-party ICT providers. Every asset data provider is now a regulated third party.
Fines of up to 2% of global annual turnover. Third-party ICT provider oversight is mandatory.
What It Requires
ICT risk management framework (Art. 6-16)
Digital operational resilience testing
Third-party ICT provider oversight and exit strategies
Incident classification and reporting (72h)
Information sharing arrangements
Who It Affects (2 Verticals)
What Happens If Not Compliant
Fines up to 2% of global turnover. Third-party ICT providers face direct oversight by EU financial supervisors. Contracts without DORA clauses are non-compliant.
How Arctura Solves It
L5 Governance Add-On: ICT risk management evidence, audit trail, policy controls, dedicated MCP endpoint, EU sovereign deployment. Provides 'Evidence of Effectiveness' for DORA auditors.
This page provides general information about DORA (EU 2022/2554) requirements. It does not constitute legal advice. Consult a qualified financial regulation specialist for guidance specific to your organization.