What is DORA?
DORA is the Digital Operational Resilience Act — Regulation (EU) 2022/2554. It sets a single, harmonized set of requirements for how financial entities across the EU manage the risk that their information and communication technology (ICT) fails, is disrupted or is attacked. The aim is plain: a bank, an insurer or a payment provider should be able to keep operating, and recover, when something in its technology stack goes wrong.
Two facts shape everything else. First, DORA is a regulation, not a directive — so it is directly applicable in every member state rather than transposed into 27 separate national laws. The text that applies to you is the EU text. Second, it has applied since 17 January 2025; this is not a future obligation to plan around but a live one.
It is also not a certificate. There is no DORA badge to hang on the wall and no accredited body that certifies you. DORA sets legal requirements you have to meet and be able to demonstrate to your supervisor — so the right framing is compliance and evidence, not certification.
A regulation, not a directive
The distinction is worth holding onto, because it changes how you read the rules. A directive sets goals that each country writes into its own law, so the detail varies by jurisdiction. A regulation like DORA applies directly and uniformly — the obligations, the incident-classification criteria and the reporting timelines are the same text wherever you operate in the EU. The detailed technical standards that fill in the specifics are written at EU level by the European Supervisory Authorities.