DORA compliance, explained

The Digital Operational Resilience Act (DORA) has been in force since January 2025. If you're an EU financial entity or an ICT provider to one, continuity and resilience testing are now legal obligations — and auditable.

Who DORA applies to

Banks, insurers, investment firms, payment institutions, crypto-asset providers and many other EU financial entities — plus the critical ICT third parties that serve them.

What it requires

  • ICT risk management framework and governance.
  • ICT-related incident classification and reporting.
  • Digital operational resilience testing, including for critical systems.
  • ICT third-party risk management.
  • Documented, tested business continuity and disaster recovery plans.

How to evidence it

DORA supervisors expect documentation and proof of testing, not intentions. Map your continuity plans to the relevant articles, keep exercise records, and be able to produce an evidence pack on request.

Resilira maps plan elements to DORA's ICT-continuity articles and produces a one-click evidence pack when a supervisor or enterprise customer sends a questionnaire.

Frequently asked questions

When did DORA come into force?

DORA applies from 17 January 2025 across the EU.

Does DORA require business continuity plans?

Yes. DORA requires financial entities to maintain documented and tested ICT business continuity and disaster recovery plans, and to evidence regular resilience testing.

Get audit-ready before your next due-diligence questionnaire.

Start free — no credit card. 14-day trial with a sample workspace preloaded.