DORA¶
Regulation (EU) 2022/2554 — the Digital Operational Resilience Act. In application since 17 January 2025 for financial entities and their critical ICT third-party providers.
DORA is the lead branch of this library. The regulation is organized around five pillars, and the resources here will follow the same structure:
Branches¶
| Pillar | Planned artefacts |
|---|---|
| ICT risk management (Ch. II) | Document inventory · responsibility matrix for the management body · control mapping |
| Incident management & reporting (Ch. III) | Classification checklist · reporting timeline reference · evidence examples |
| Digital operational resilience testing (Ch. IV) | Testing programme checklist · TLPT readiness overview |
| ICT third-party risk (Ch. V) | Register of information starter kit · contract clause checklist (Art. 30) · exit strategy template |
| Information sharing (Ch. VI) | Short practical note |
Under construction
This branch is being built out artefact by artefact — roughly one per week, announced on the blog. Pages listed above without links don't exist yet.
Primary sources¶
- Regulation (EU) 2022/2554 on EUR-Lex
- The technical standards (RTS/ITS) developed by the ESAs — linked from each artefact as it's published, since the set has continued to evolve; always verify you're reading the version in force.