DORA (Digital Operational Resilience Act)

DORA is the EU regulation on digital operational resilience for the financial sector, directly binding since 17 January 2025, built on five pillars covering ICT risk, incidents, testing, third-party risk and information sharing.

DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), is the EU regulation that requires financial entities to withstand, respond to and recover from ICT disruptions and cyber threats. It has applied since 17 January 2025 and, unlike a directive, it is directly binding in every member state without national transposition.

Key facts:

The five pillars

PillarWhat it requiresWhere email fits
ICT risk managementA documented framework: identify, protect, detect, respond, recoverEmail is the top initial attack vector to protect and monitor
Incident reportingClassify ICT incidents; report major ones to authorities on fixed timelinesEarly detection and evidence trails feed classification and reports
Resilience testingRegular testing, up to threat-led penetration testing for significant entitiesPhishing and social engineering are standard test scenarios
Third-party ICT riskRegister of ICT providers, contractual requirements, concentration riskVendor mailbox compromise and OAuth access are third-party risks in mail flow
Information sharingVoluntary threat intelligence exchange between entitiesEmail threat indicators are core shared intelligence

Why email matters under DORA

Most operational disruption in finance does not start with exotic malware; it starts with a message. Phishing, business email compromise and OAuth consent fraud are the entry points regulators see repeatedly. DORA's detection and monitoring requirements (anomalous activity, prompt incident identification) therefore reach the mailbox directly, and its third-party pillar reaches the SaaS and AI tools connected to it, including the unsanctioned ones: shadow IT with OAuth access to a financial entity's mail and files is exactly the kind of unmanaged ICT dependency DORA expects entities to know about.

Where Sentaro fits, honestly

No product delivers DORA compliance. The regulation demands governance, documentation, testing and contracts far beyond technology. What Sentaro contributes to the framework:

What remains yours: the risk framework, incident process and reporting, testing program, contracts and registers, and governance. Sentaro informs and monitors; your organization decides and documents.

This page is general guidance, not legal advice. Consult qualified counsel and your supervisor's guidance for your obligations.

Frequently asked questions

What does DORA stand for?

The Digital Operational Resilience Act, Regulation (EU) 2022/2554, the EU's framework for digital operational resilience in the financial sector, applicable since 17 January 2025.

Who does DORA apply to?

Some 20 categories of financial entities (banks, insurers, investment firms, payment institutions, crypto-asset providers and more) and critical ICT third-party service providers designated under the regulation.

What is the difference between DORA and NIS2?

NIS2 is a directive covering many sectors and works through national law; DORA is a regulation, directly applicable, and specific to finance. For financial entities DORA generally takes precedence where they overlap.

What are DORA's incident reporting requirements?

Financial entities must classify ICT-related incidents and report major ones to their competent authority on fixed timelines set out in the regulation and its technical standards, with initial, intermediate and final reports.

Does email security make us DORA compliant?

No. DORA compliance is an organizational framework. Email security addresses the most common incident entry point and supplies detection, third-party visibility and evidence that several pillars require, but governance, testing, contracts and reporting remain organizational responsibilities.