The financial sector is among the most digitalised — and among the most obvious targets for cyberattacks and operational disruption. DORA is the EU's answer: a single rulebook to ensure that financial entities can withstand, respond to and recover from ICT-related incidents. For a complete overview, see our DORA page.
What DORA is — and why it arrived
DORA stands for the Digital Operational Resilience Act and is Regulation (EU) 2022/2554. Before DORA, ICT requirements for financial entities were spread across several different rulebooks and varied from member state to member state. DORA consolidates them into a single regulation with one goal: to make the financial sector's digital operations resilient — not just secure on paper, but able to keep functioning under pressure.
A central idea in DORA is that operational resilience is not only about avoiding incidents, but about handling them when they happen. The regulation therefore requires prevention, detection, response and recovery — and documentation that the whole thing works.
When did DORA take effect?
DORA entered into force in January 2023 and has applied since 17 January 2025. From that date, covered entities must meet the requirements. The regulation is supplemented by more detailed technical standards (RTS and ITS) developed by the European Supervisory Authorities, which specify how the requirements are to be met in practice.
Who is covered by DORA?
DORA covers a broad range of financial entities. Among the most important:
- Credit institutions (banks) and payment and e-money institutions.
- Investment firms and managers of collective investment undertakings.
- Insurance and reinsurance undertakings and insurance intermediaries.
- Crypto-asset service providers.
- Trading venues, central counterparties and a range of other financial actors.
In addition, DORA introduces dedicated oversight of critical ICT third-party providers — such as certain large cloud and IT providers whose failure could affect many financial entities at once. Proportionality is built in: requirements are scaled to the entity's size and risk profile.
Who supervises DORA?
Supervision is shared between the European Supervisory Authorities — EBA, ESMA and EIOPA — and the national competent authorities. For critical third-party providers, a dedicated oversight framework has been established at EU level.
Where certificate management comes in
DORA does not mention TLS certificates explicitly, but its ICT risk management requirements cover both asset management and cryptographic controls — and that is where certificates belong. An expired certificate on a critical service is both an operational risk and a potential ICT incident. For a concrete look at how DORA and NIS2 overlap on this, see DORA and NIS2 certificate management.
How CertControl supports DORA work
Certificate management is a concrete, documentable part of ICT risk management under DORA. CertControl provides a complete certificate inventory — the foundation for ICT asset visibility, built automatically from Certificate Transparency logs and active scanning. On top of that inventory it adds TLS and cipher grading, so that cryptographic controls are documented rather than assumed; monitoring of suppliers' certificates, to cover third-party risk; and audit-ready reports together with an audit log, for ongoing documentation to supervisors and internal audit.
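To make the "expired certificate as ICT incident" point concrete, here is an added example (not CertControl's own code) of the two basic building blocks of such an inventory: an active scan that retrieves a server certificate, and a classifier that turns each certificate into an inventory record with days-to-expiry and a status. The thresholds, the sample certificates and the reference date are constructed for illustration.

```python
import ssl
import socket
from datetime import datetime, timezone

# Added example, not CertControl product code. Thresholds are assumed
# values; an entity would set them from its own ICT risk policy.
CRITICAL_DAYS = 7
WARNING_DAYS = 30


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Active scan: open a verified TLS connection and return the peer
    certificate in the dict form produced by SSLSocket.getpeercert()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def classify(cert: dict, now: datetime) -> dict:
    """Turn one getpeercert() dict into an inventory record with a status."""
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days  # negative once the cert has expired
    if days_left < 0:
        status = "expired"       # already an operational failure
    elif days_left < CRITICAL_DAYS:
        status = "critical"      # renew now, escalate to incident handling
    elif days_left < WARNING_DAYS:
        status = "warning"       # schedule renewal
    else:
        status = "ok"
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    return {"subject_cn": subject.get("commonName"),
            "not_after": not_after.isoformat(),
            "days_left": days_left, "status": status}


def build_inventory(certs, now: datetime) -> list:
    """Records sorted so the most urgent certificates come first."""
    return sorted((classify(c, now) for c in certs), key=lambda r: r["days_left"])


# Constructed sample data in getpeercert() format; hosts are not real.
SAMPLE_CERTS = [
    {"subject": ((("commonName", "api.example.test"),),), "notAfter": "Mar  1 12:00:00 2025 GMT"},
    {"subject": ((("commonName", "portal.example.test"),),), "notAfter": "Jan 20 00:00:00 2025 GMT"},
    {"subject": ((("commonName", "vendor.example.test"),),), "notAfter": "Jan  5 00:00:00 2025 GMT"},
]
REFERENCE_NOW = datetime(2025, 1, 17, tzinfo=timezone.utc)  # DORA application date
```

For a live scan, replace the sample list with `[fetch_cert(h) for h in hosts]` and `REFERENCE_NOW` with `datetime.now(timezone.utc)`; the sorted records are the evidence an auditor would expect behind the inventory.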