The Digital Operational Resilience Act (DORA) – Regulation (EU) 2022/2554 – establishes a unified EU framework to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions and cyber threats.

In force since 16 January 2023, DORA becomes fully applicable from 17 January 2025 and forms part of the EU’s broader Digital Finance Strategy.

DORA applies to a broad range of financial entities, including trading venues, market operators, central counterparties (CCPs), central securities depositories (CSDs), and energy market participants subject to EU financial regulation.

Core obligations include:

• ICT risk management: governance, monitoring, and response procedures across internal systems
• Incident reporting: mandatory reporting of major ICT-related incidents and cyber threats to regulators
• Digital resilience testing: including threat-led penetration testing (TLPT) for critical financial entities
• Oversight of third-party providers: critical ICT providers (e.g. cloud services) are subject to direct supervision by the European Supervisory Authorities (ESAs)

DORA is directly relevant for energy firms involved in financial trading, clearing, or infrastructure services. This includes companies operating regulated trading venues, using CCPs, or classified as financial counterparties under EU law.

It strengthens requirements for:

• Cyber resilience across platforms and operations
• Management of outsourced ICT and cloud services
• Transparent incident response and escalation procedures