DORA (Digital Operational Resilience Act)
DORA is the EU regulation on digital operational resilience for the financial sector, directly binding since 17 January 2025, built on five pillars covering ICT risk, incidents, testing, third-party risk and information sharing.
DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), is the EU regulation that requires financial entities to withstand, respond to and recover from ICT disruptions and cyber threats. It has applied since 17 January 2025 and, unlike a directive, it is directly binding in every member state without national transposition.
Key facts:
- DORA covers roughly the entire EU financial sector: banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers, and more, plus critical ICT third-party providers serving them. Sector-specific guidance is issued by the European Supervisory Authorities: EBA, ESMA and EIOPA.
- It is built on five pillars: ICT risk management, incident reporting, resilience testing, third-party risk management and information sharing.
- Management bodies carry explicit responsibility for ICT risk. Proportionality applies: obligations scale with entity size and risk profile.
- DORA acts as lex specialis for financial entities: where it overlaps with NIS2, DORA's rules generally take precedence.
The five pillars
| Pillar | What it requires | Where email fits |
|---|---|---|
| ICT risk management | A documented framework: identify, protect, detect, respond, recover | Email is the top initial attack vector to protect and monitor |
| Incident reporting | Classify ICT incidents; report major ones to authorities on fixed timelines | Early detection and evidence trails feed classification and reports |
| Resilience testing | Regular testing, up to threat-led penetration testing for significant entities | Phishing and social engineering are standard test scenarios |
| Third-party ICT risk | Register of ICT providers, contractual requirements, concentration risk | Vendor mailbox compromise and OAuth access are third-party risks in mail flow |
| Information sharing | Voluntary threat intelligence exchange between entities | Email threat indicators are core shared intelligence |
Why email matters under DORA
Most operational disruption in finance does not start with exotic malware; it starts with a message. Phishing, business email compromise and OAuth consent fraud are the entry points regulators see repeatedly. DORA's detection and monitoring requirements (anomalous activity, prompt incident identification) therefore reach the mailbox directly, and its third-party pillar reaches the SaaS and AI tools connected to it, including the unsanctioned ones: shadow IT with OAuth access to a financial entity's mail and files is exactly the kind of unmanaged ICT dependency DORA expects entities to know about.
Where Sentaro fits, honestly
No product delivers DORA compliance. The regulation demands governance, documentation, testing and contracts far beyond technology. What Sentaro contributes to the framework:
- Detect: AI-native blocking and flagging of phishing, BEC and consent phishing in Google Workspace and Microsoft 365, the attack surface where most incidents begin.
- Part of the incident reporting chain: for email-borne incidents, detection is what triggers classification, and Sentaro supplies the who/what/when/scope that initial, intermediate and final reports require, so the reporting clocks (verify exact current timelines against the applicable technical standards) start with facts, not archaeology.
- Third-party visibility: every app and AI service holding OAuth access to mailboxes and files, feeding the ICT register and concentration-risk picture with what is actually connected, not just what procurement recorded.
- Control support: continuous monitoring instead of point-in-time audits, which is the operating mode DORA assumes.
What remains yours: the risk framework, incident process and reporting, testing program, contracts and registers, and governance. Sentaro informs and monitors; your organization decides and documents.
This page is general guidance, not legal advice. Consult qualified counsel and your supervisor's guidance for your obligations.
Frequently asked questions
What does DORA stand for?
The Digital Operational Resilience Act, Regulation (EU) 2022/2554, the EU's framework for digital operational resilience in the financial sector, applicable since 17 January 2025.
Who does DORA apply to?
Some 20 categories of financial entities (banks, insurers, investment firms, payment institutions, crypto-asset providers and more) and critical ICT third-party service providers designated under the regulation.
What is the difference between DORA and NIS2?
NIS2 is a directive covering many sectors and works through national law; DORA is a regulation, directly applicable, and specific to finance. For financial entities DORA generally takes precedence where they overlap.
What are DORA's incident reporting requirements?
Financial entities must classify ICT-related incidents and report major ones to their competent authority on fixed timelines set out in the regulation and its technical standards, with initial, intermediate and final reports.
Does email security make us DORA compliant?
No. DORA compliance is an organizational framework. Email security addresses the most common incident entry point and supplies detection, third-party visibility and evidence that several pillars require, but governance, testing, contracts and reporting remain organizational responsibilities.