
DORA

Digital Operational Resilience Act (Regulation (EU) 2022/2554)

DORA is an EU regulation that strengthens the digital operational resilience of the financial sector, ensuring firms can withstand, respond to, and recover from ICT-related disruptions. It has applied since 17 January 2025 and harmonizes ICT risk management, incident reporting, resilience testing, and oversight of third-party providers.

Jurisdiction: 🇪🇺 European Union
Type: Operational resilience
In effect: 2025
Authority: European Supervisory Authorities (EBA, ESMA, EIOPA) and national financial regulators

Who it applies to

Around 20 types of financial entities including banks, insurers, investment firms, payment institutions, and crypto-asset service providers, as well as critical ICT third-party service providers serving them.

Identity requirements

How it impacts identity systems

Identity area: Impact

Authentication & MFA: Requires strong authentication and access controls as part of the ICT risk management framework.
Privileged access (PAM): Mandates least-privilege and monitoring of privileged access to critical ICT systems.
Audit, logging & accountability: Requires logging, testing, and a Register of Information demonstrating resilience controls.
Breach notification: Requires classification and timely reporting of major ICT-related incidents to authorities.

Penalties

Penalties are set by national competent authorities and must be effective, proportionate, and dissuasive; critical ICT third-party providers face periodic penalty payments of up to 1 percent of average daily worldwide turnover.

DORA: frequently asked questions

Who must comply with DORA?
Most EU financial entities, including banks, insurers, investment and payment firms, and crypto-asset service providers, plus critical ICT third-party providers that serve them.
When did DORA start applying?
DORA entered into application on 17 January 2025 and is directly applicable across all EU Member States.
Does DORA cover identity and access management?
Yes, DORA requires strong authentication, least-privilege access, and management of privileged access as part of a firm's ICT risk management framework.
Educational summary, not legal advice. Confirm current requirements with the relevant authority or counsel.