DORA Operational Resilience: Software Implications

DORA became fully applicable January 17, 2025. Here's what Articles 6, 8, 28, and the ICT third-party RTS mean for the software you build, buy, and operate in the EU.

Shadab Khan
Security Engineer
January 17, 2025 marks the full application of the Digital Operational Resilience Act — Regulation (EU) 2022/2554 — across the European Union. DORA unifies the operational resilience requirements for more than 22,000 financial entities and their ICT third-party providers, and it brings software supply chain risk squarely into the regulated perimeter. The law sits above the existing EBA, ESMA, and EIOPA guidelines and is enforced by national competent authorities with fines up to 2% of total annual worldwide turnover. Unlike the GDPR, DORA is not a principles-based regulation — the Level 2 Regulatory Technical Standards published between 2024 and 2025 prescribe concrete artifacts, timelines, and registers. If your software runs in a European bank, insurer, investment firm, or crypto-asset service provider, you are now part of someone's DORA register.

What Does DORA Actually Require?

DORA creates five pillars: ICT risk management (Articles 5-16), ICT incident reporting (Articles 17-23), digital operational resilience testing (Articles 24-27), ICT third-party risk (Articles 28-44), and information-sharing arrangements (Article 45). For software specifically, Article 6 mandates a sound, comprehensive, and well-documented ICT risk management framework; Article 8 requires identification and classification of all ICT-supported business functions and information assets; and Article 9 requires protection and prevention measures, including secure development practices. Article 28 flows the obligations down to ICT third-party service providers, with the Commission Delegated Regulation of 2024 adding the "Register of Information" templates (ITS 2024/2956): 15 templates that must be submitted to competent authorities annually by March 31, starting in 2025.

When Did Enforcement Begin and What Are the Transition Dates?

DORA entered into force on January 16, 2023 but became applicable on January 17, 2025. Competent authorities had until April 30, 2025 to submit the first aggregated register of information to the European Supervisory Authorities, and the ESAs' first Oversight Framework designations of Critical ICT Third-Party Providers (CTPPs) are expected in Q3 2025. Member states transposed the companion Directive (EU) 2022/2556 by January 17, 2025 to align national financial sector legislation. Firms that missed the register-of-information filing are already receiving supervisory letters in France, Germany, the Netherlands, and Ireland.

How Does Article 28 Govern Your Software Vendors?

Article 28(1) requires financial entities to manage ICT third-party risk as an integral part of the ICT risk management framework and Article 30 specifies the minimum contractual provisions. Contracts must include unambiguous service descriptions, service-level targets, data-processing locations, exit strategies, audit rights, and cooperation with competent authorities. The Commission Delegated Regulation (EU) 2024/1773 on sub-contracting adds further conditions for ICT services supporting critical or important functions — including written notice before material sub-contracting changes and the right to terminate. For software vendors, this means any SaaS, on-prem library, or open-source component embedded in a critical function can be traced back through your customer's register.

What Is the Register of Information and Why Does It Matter for Software?

Under Article 28(3) and the ITS 2024/2956, every financial entity must maintain a register with 15 templates covering entity structure, contractual arrangements, ICT services, and subcontracting. Templates B_02.02 and B_05.02 require identification of the ICT services at function level and the criticality classification. Open-source software embedded in a product generally does not create a separate register entry, but commercial software with a license agreement does — and the register must include the software's Legal Entity Identifier (LEI), country of the service provider's head office, and the data storage location. The ESAs published the updated templates on January 17, 2024 and again in July 2024, with a machine-readable XBRL taxonomy required for submission.

What Are the Penalties and Who Enforces DORA?

National competent authorities — the ACPR and AMF in France, BaFin in Germany, DNB and AFM in the Netherlands, CBI in Ireland, CSSF in Luxembourg — enforce DORA within each member state. Article 50 of DORA sets administrative penalty maxima of at least 2% of total annual worldwide turnover or, for natural persons, at least EUR 1 million. Member states can go higher: the Netherlands and Germany have set criminal penalties for willful obstruction of supervisory inspections. For designated Critical ICT Third-Party Providers outside the financial entity perimeter, the ESAs themselves can impose periodic penalty payments of up to 1% of average daily worldwide turnover under Article 35(6).

How Does DORA Interact with NIS2 and the Cyber Resilience Act?

DORA is lex specialis for financial entities — where it overlaps with Directive (EU) 2022/2555 (NIS2), DORA prevails for in-scope entities per NIS2 Recital 28. The Cyber Resilience Act (Regulation (EU) 2024/2847), with main obligations applying from December 11, 2027, adds CE-marking requirements and SBOM obligations on the products financial entities buy. In practice, a software vendor shipping to a European bank must comply with the CRA on the product side and help the bank comply with DORA on the operations side — two distinct sets of evidence.

How Safeguard Helps

Safeguard builds the software inventory that feeds templates B_02.02 and B_05.02 of the DORA register, with LEI tagging, criticality classification, and data-location metadata surfaced from SCM metadata and contracts. Griffin AI reachability analysis focuses Article 6 and Article 9 vulnerability remediation on the functions actually called by your critical and important functions, meeting the supervisory expectation of risk-based prioritization. TPRM workflows manage Article 28 and Article 30 contractual evidence for every ICT third-party provider, and policy gates enforce the pre-deployment controls that Article 9 and Article 25 require. Compliance mapping across DORA, NIS2, and ISO 27001:2022 consolidates evidence so a single audit export satisfies multiple competent authorities.
