What is DORA?
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is an EU Regulation that has applied to the entire financial sector since January 2025. Its objective: financial undertakings must systematically ensure their digital operational resilience, not just on paper but in an operationally demonstrable manner.
Who does DORA affect?
DORA applies to 21 categories of financial undertakings (Art. 2(1)), including:
- Banks and payment service providers
- Investment firms and trading venues
- Insurance and reinsurance undertakings
- Fund managers and management companies
- Crypto-asset service providers and credit rating agencies
- Institutions for occupational retirement provision
Additionally affected: ICT third-party service providers — i.e. all IT, cloud, and software suppliers working for financial undertakings.
What does DORA specifically require?
DORA demands comprehensive ICT risk management. For open source components, the following are particularly relevant:
- Ultimate responsibility of the management body for ICT risk management (Art. 5(2a))
- Inventory of all ICT assets including dependencies (Art. 8(4-6))
- Vulnerability detection and remediation with documented processes (Art. 10, Art. 13)
- Open source analyses expressly listed as a mandatory test (Art. 25(1))
- Source code reviews, where feasible (Art. 25(1))
- Strategy for ICT third-party risk, regularly reviewed by the management body (Art. 28(2))
- Annual tests of all critical systems (Art. 24(6))
For severe incidents, a first notification deadline of 4 hours applies (Art. 19(4a)).
What are the consequences of non-compliance?
- Periodic penalty payments for critical ICT third-party service providers: 1% of worldwide daily turnover, daily, for up to 6 months (Art. 35(8))
- Personal liability of management: The management body bears ultimate responsibility (Art. 5(2a)) and can be personally sanctioned (Art. 50(5))
- Training obligation: The management body must actively keep its knowledge up to date (Art. 5(4))
- Public visibility: All sanction decisions are published on authority websites for up to 5 years (Art. 54(1-2), para. 6)
- D&O insurance typically does not cover regulatory violations
Implementation in Germany
DORA is an EU Regulation and applies directly in all Member States — no national transposition is required. In Germany, BaFin is the competent supervisory authority. DORA supplements existing regulation through MaRisk and BAIT and tightens the requirements for ICT risk management and third-party oversight in particular. Financial undertakings already subject to DORA are exempt from the obligations under the NIS2 Implementation Act (§ 28(6) NIS2UmsuCG). Other EU countries have different supervisory structures.
What does this mean for you?
If you manage a financial undertaking or provide IT services for the financial sector, you are obliged to know, monitor, and document your entire software supply chain. Open source components in your SBOM are no exception — they are an explicit subject of examination. Responsibility for this cannot be delegated: it lies personally with the management body.
Important: The supply chain does not only include components that end up in your final product. Development dependencies — compilers, build tools, test frameworks, CI/CD pipelines — also fall under the obligations. Art. 25(1) mandates open source analyses as a required test, Art. 8(4-6) requires the inventory of all ICT assets including dependencies. A compromised build tool can inject malicious code into your final product without a single runtime dependency being affected.
Further reading
- Detailed DORA requirements and how OTTRIA fulfils them
- Personal liability of management
- Practical audit preparation
Download factsheet: DORA factsheet (PDF)
Want to know how OTTRIA covers your DORA obligations in the open source domain? Arrange an initial consultation.