DORA

The Digital Operational Resilience Act (DORA) is a European regulation aimed at increasing the digital operational resilience of the financial sector. We use this webpage to inform the various stakeholders on DORA-related topics.  

Most recent update: 22 July 2025

DORA focuses on ICT risk management, ICT incidents, the periodic testing of digital operational resilience, the management of risks related to outsourcing to (critical) third parties and cooperation via information-sharing arrangements on cyber threats. DORA also introduces a framework for European supervision of critical third-party providers of ICT services. 

Institutions have to comply with the legislation as of 17 January 2025.

The regulation  

DORA was published in the Official Journal of the European Union on 27 December 2022. DORA consists of a regulation (NL / EN) and a directive (NL / EN). The regulation entered into force on 17 January 2023 and applies from 17 January 2025. For the Netherlands, Annex 35 of the Decree implementing EU Regulations on Financial Markets designates the competent authority for DORA. The decree also regulates which articles of DORA can be enforced, in the event of a violation, with an administrative fine or an order subject to a penalty.

Technical standards  

The three European Supervisory Authorities (ESAs) were jointly responsible for the development of the technical standards for DORA.

All technical standards have been published in the Official Journal of the European Union. They are:

  • RTS on criteria for the classification of ICT-related incidents (NL / ENG)
  • RTS on content, timelines and templates on incident reporting (NL / ENG)
  • ITS on content, timelines and templates on incident reporting (NL / ENG)
  • RTS to specify the policy on ICT services performed by ICT third-party providers (NL / ENG)
  • ITS to establish the templates for the register of information (NL / ENG)
  • RTS on threat-led penetration testing (TLPT) (NL / ENG)
  • RTS on subcontracting of critical or important functions (NL / ENG)
  • RTS on oversight harmonisation (NL / ENG)

  • GL on aggregated costs and losses from major incidents (NL / ENG)
  • GL on oversight cooperation between ESAs and competent authorities (NL / ENG)

The European process for Question & Answer (Q&A)

The three ESAs jointly facilitate the process through which financial entities can ask questions and receive answers. The objective of the process is to ensure consistent and effective application of European regulation and to foster supervisory convergence. Existing Q&As on DORA can be found here.

For more information on the Q&A process, please visit the websites of either EBA, EIOPA or ESMA.

Reporting and notifications

DORA includes several obligations for ad hoc reports and notifications. Below you can read how to submit each report or notification.

Report or notification: Reporting of major ICT-related incidents (art. 19 sub 1 and art. 23)
Explanation: Template. Reporting via Mijn DNB – Supervision applications – Start application/notification – DORA major ICT-incident reporting.
Please note: financial institutions within the scope of the NIS2 directive also need to report the incident to the NCSC (see NCSC.nl for more information about the NIS2 registration obligation and reporting).

Report or notification: Voluntary notification of significant cyber threats (art. 19 sub 2)
Explanation: Template. Notification via Mijn DNB – Supervision applications – Start application/notification – Form for other applications and notifications.

Report or notification: Notification of (planned) contractual arrangements on the use of ICT services supporting critical or important functions (art. 28 sub 3, 5th paragraph)
Explanation: Notification via Mijn DNB – Notification outsourcing and ICT third-party services.

Report or notification: Notification of validation or cessation of membership in an information-sharing arrangement (art. 45 sub 3)
Explanation: Template. Notification via Mijn DNB – Requests and notifications – Form for other applications and notifications.


Reports requested by DNB, for example the register of information or the exchange of files for the purpose of TLPT, are of a different nature. When DNB requests such reports, it will at the same time indicate how it expects to receive them.