What changed
Regulation (EU) 2022/2554 (DORA) has applied since 17 January 2025. It sets uniform requirements for the digital operational resilience of financial entities and their critical ICT third-party providers: ICT risk management, incident classification and reporting, resilience testing, and third-party risk oversight including the register of information.
Why it matters
DORA is live law: supervisors can already ask financial entities for evidence — the register of information, incident reports, testing results. This is an ongoing evidence obligation, not a one-off project.
Who is affected
Banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers and other financial entities in the EU — plus the ICT providers that serve them.
What to check next
Confirm your register of information is current, your incident classification and reporting flow matches the technical standards now in the Official Journal, and your resilience-testing programme is documented.
Key dates
- 2022-12-27Published in the Official Journal
- 2025-01-17DORA applies
Source. EUR-Lex — Regulation (EU) 2022/2554 (DORA) ↗
Document: Regulation (EU) 2022/2554 — CELEX 32022R2554
Verified by Trusq against this source on 4 Jul 2026. Trusq publishes only what it can trace to an official source; the source text prevails. Not legal advice.
Document: Regulation (EU) 2022/2554 — CELEX 32022R2554
Verified by Trusq against this source on 4 Jul 2026. Trusq publishes only what it can trace to an official source; the source text prevails. Not legal advice.