Regulation (EU) 2022/2554 on digital operational resilience for the financial sector, commonly known as DORA, is the European Union’s in-force operational-resilience framework for financial entities and certain ICT third-party service providers. The regulation entered into force on Jan. 16, 2023, and has applied from Jan. 17, 2025. For crypto markets, DORA is most relevant because its scope includes crypto-asset service providers authorized under MiCA and issuers of asset-referenced tokens.
DORA Scope and Crypto-Asset Coverage
DORA is not a crypto-only law. It is a horizontal financial-sector resilience regulation covering banks, insurers, investment firms, payment institutions, market infrastructures, fund managers, crypto-asset service providers, asset-referenced token issuers, and other financial entities. Official supervisory materials describe DORA as a common legal framework for ICT risk across the EU financial sector, replacing a fragmented set of operational-risk expectations with harmonized digital-resilience rules.
The crypto connection runs through MiCA authorization. A crypto-asset service provider or issuer of asset-referenced tokens that falls within DORA must treat ICT resilience as a regulated financial-services obligation, not merely an internal technology matter. This includes governance, testing, incident reporting, ICT outsourcing controls, registers of ICT third-party arrangements, and cybersecurity-related information-sharing mechanisms.
Core DORA Requirements for Financial Entities
DORA is commonly organized around five operational pillars: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, ICT third-party risk management, and voluntary information-sharing on cyber threats. EIOPA and ESMA also identify an EU-level oversight framework for ICT third-party providers designated as critical for the financial sector.
The ICT risk-management pillar requires financial entities to maintain governance, controls, procedures, technical tools, continuity arrangements, and oversight structures designed to preserve resilient operations. The management body remains accountable for ICT risk governance, and Level 2 technical standards add detail on ICT asset management, encryption, network security, change management, access control, detection, response, and business continuity.
Incidents, Testing, and Third-Party ICT Risk
DORA harmonizes how financial entities classify, manage, and report major ICT-related incidents and significant cyber threats. Implementing and delegated acts adopted under DORA specify incident-classification criteria, report content, time limits, standard forms, templates, and procedures. The framework is designed to help competent authorities coordinate faster where incidents affect cross-border or interconnected financial services.
Resilience testing is another core part of the regime. Financial entities must maintain testing programs that can include vulnerability assessments, scenario-based testing, source-code reviews, network-security reviews, and, for selected entities, threat-led penetration testing. DORA also requires a more formal approach to ICT third-party risk, including contract controls, registers of information, subcontracting assessments, and monitoring of services supporting critical or important functions.
Critical ICT Third-Party Provider Oversight
DORA created a direct EU oversight layer for ICT third-party service providers designated as critical. On Nov. 18, 2025, the European Supervisory Authorities published the first list of designated critical ICT third-party providers, including cloud, infrastructure, data, and technology firms used across the EU financial system. The ESAs said the objective is to promote sound ICT risk management by critical providers and assess whether they have appropriate governance and resilience frameworks.
Status and Jurisdictional Impact
As of June 5, 2026, DORA is in force and applicable across the European Union. The ESAs published the first annual overview of major ICT-related incidents under DORA on June 3, 2026, showing the framework has moved from implementation into supervisory reporting and oversight. The profile should be read together with MiCA, national competent-authority implementation, EU Level 2 standards, and related cybersecurity frameworks such as NIS2 where applicable.

