Definition
DORA
DORA (Digital Operational Resilience Act, Regulation 2022/2554) is the EU regulation requiring financial-sector entities to maintain digital operational resilience, in force since January 2025.
DORA covers banks, insurance companies, investment firms, payment institutions, crypto-asset providers and their critical ICT third-party providers. Article 28 requires an ICT third-party register listing every external party that processes the institution's data, plus contractual obligations on those parties. AI tooling that processes regulated financial data falls in scope.
Why it matters
- ✓ Articles 28, 30 and 31 explicitly bring AI service providers into the regulated perimeter.
- ✓ Concentration risk on a single non-EU AI provider is now a board-level reportable item.
- ✓ Penalties: up to 1 % of average daily worldwide turnover per day of non-compliance.