DORA

The Digital Operational Resilience Act (DORA) is a European regulation aimed at increasing the digital operational resilience of the financial sector. Financial institutions must be aware that the preparations for the implementation of DORA will take some time. We use this webpage to inform the various stakeholders on DORA-related topics.  

Most recent update: 22 April 2025

DORA focuses on ICT risk management, ICT incidents, the periodic testing of digital operational resilience, the management of risks related to outsourcing to (critical) third parties and cooperation via information-sharing arrangements on cyber threats. DORA also introduces a framework for European supervision of critical third-party providers of ICT services. 

DORA applies from 17 January 2025, the date by which institutions had to comply with the legislation.

First reporting of the register of information

We note that the registers of information will fail to pass the data quality checks (and thus fail to be accepted) if basic steps have not been followed by those responsible for submitting the register. We therefore recap in this document the key links to be followed for guidance, while also sharing a list of common mistakes that financial entities may inadvertently make. The document will be updated when further guidance or tips become available.

The regulation  

DORA was published in the Official Journal of the European Union on 27 December 2022. DORA includes a regulation (NL / EN) and a directive (NL / EN). The regulation entered into force on 17 January 2023 and is applicable per 17 January 2025. 

Technical standards  

The three European Supervisory Authorities (ESAs) are jointly responsible for the development of the technical standards for DORA.

The development of the technical standards is divided into two sets.  

The first set was submitted to the European Commission (EC) on 17 January 2024. All standards in this set have been published in the Official Journal of the European Union and are therefore officially adopted. The first set contains the following documents:

  • RTS on ICT risk management framework and RTS on simplified ICT risk management framework (NL / EN)
  • RTS on criteria for the classification of ICT-related incidents (NL / EN)
  • ITS to establish the templates for the register of information (final report to the EC)
  • RTS to specify the policy on ICT services performed by ICT third-party providers (NL / EN)

The second set was submitted to the EC on 17 July 2024 and 26 July 2024. The second set contains the following documents:

  • RTS on content, timelines and templates on incident reporting (NL / EN)
  • ITS on content, timelines and templates on incident reporting (NL / EN)
  • RTS on subcontracting of critical or important functions
  • RTS on oversight harmonisation (NL / EN)
  • GL on oversight cooperation between ESAs and competent authorities (NL / EN)
  • RTS on threat-led penetration testing (TLPT)

Reporting and notifications

DORA includes several obligations for ad hoc reports and notifications. Below you can read how to submit each report or notification.

Reporting of major ICT-related incidents (art. 19 sub 1 and art. 23)

  • Template
  • Reporting via: Mijn DNB – Supervision applications – Start application/notification – DORA major ICT-incident reporting.
  • Please note: financial institutions within scope of the NIS2 directive also need to report the incident to the NCSC (see NCSC.nl for more information about the NIS2 registration obligation and reporting).

Voluntary notification of significant cyber threats (art. 19 sub 2)

  • Template
  • Notification via: Mijn DNB – Supervision applications – Start application/notification – Form for other applications and notifications.

Notification of (planned) contractual arrangements on the use of ICT services supporting critical or important functions (art. 28 sub 3, 5th paragraph)

  • Notification via: Mijn DNB – Notification outsourcing and ICT third-party services.

Notification of validation of membership in, or cessation of membership of, an information-sharing arrangement (art. 45 sub 3)

  • Template
  • Notification via: Mijn DNB – Requests and notifications – Form for other applications and notifications.

Reports requested by DNB, for example the register of information or the exchange of files for the purpose of TLPT, have a different character. When DNB requests such a report, it will indicate at the same time how it expects to receive it. More information on the reporting of the register of information was published in early January.