Digital Operational Resilience Act (DORA): Overview, Scope & Reporting Requirements

Overview

What is the Digital Operational Resilience Act (DORA)?

The Digital Operational Resilience Act (DORA) is an EU regulation designed to strengthen the digital and ICT resilience of financial entities across the European Union. Its objective is to ensure that firms can withstand, respond to, and recover from ICT-related disruptions, including cyber incidents and operational outages.
DORA establishes a harmonised framework for ICT risk management, incident reporting, digital operational resilience testing, and ICT third-party risk oversight. Unlike fragmented national approaches, DORA applies directly and uniformly across EU Member States.
DORA entered into force in January 2023 and became fully applicable in January 2025.

Legal Context

Regulatory Authority

DORA is an EU Regulation adopted by the European Parliament and the Council and is overseen by the European Supervisory Authorities (ESAs):

  • European Banking Authority (EBA)

  • European Securities and Markets Authority (ESMA)

  • European Insurance and Occupational Pensions Authority (EIOPA)

Supervision and enforcement are carried out by national competent authorities. Certain ICT third-party providers may also fall under EU-level oversight.

In the United Kingdom, similar ICT resilience expectations are overseen by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA).

Applicability

Who Does DORA Apply To?

DORA applies to a broad range of financial entities operating within the EU, including:

  • Credit institutions (banks)

  • Investment firms

  • Asset managers and fund managers

  • Payment and electronic money institutions

  • Insurance and reinsurance undertakings

  • Crypto-asset service providers

  • Financial market infrastructures

  • ICT third-party service providers supporting financial entities

The regulation applies proportionately, taking into account the size, nature, and complexity of the entity.

Obligations

Core Obligations Under DORA

DORA is structured around five core pillars:

  • ICT risk management

  • ICT-related incident reporting

  • Digital operational resilience testing

  • ICT third-party risk management

  • Information-sharing arrangements

These obligations are further defined through Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) issued by the ESAs.

Reporting

Operational Challenges in DORA Register of Information (ROI) Compliance

Common challenges include:

  • Fragmented ICT vendor and contract data

  • Inconsistent service classification

  • Manual data consolidation and validation

  • Difficulty maintaining audit-ready historical records

  • Responding efficiently to supervisory data requests

These challenges increase operational risk and supervisory exposure.

REGREP Solution

How REGREP Supports DORA – Unified Register of Information (ROI)

REGREP supports DORA exclusively through its Unified Register of Information (ROI) Database and Reporting solution.

The REGREP ROI solution provides:

  • A centralised and structured ROI database

  • Data models aligned with ESA technical standards

  • Built-in validation and completeness controls

  • Supervisory-ready ROI report generation

  • Full auditability and historical traceability

  • API-first integration with existing systems

REGREP provides technical infrastructure to support DORA ROI obligations and does not replace governance, risk ownership, or supervisory judgement.

Supervisory Authorities Referenced

Links are provided for reference purposes only. REGREP is not affiliated with or endorsed by any regulatory authority.

Interested in DORA ROI implementation?

See how REGREP’s Unified Register of Information supports structured, audit-ready DORA reporting.