DORA Regulation
Also known as: DORA, Digital Operational Resilience Act, EU Regulation 2022/2554
Regulation (EU) 2022/2554 — the Digital Operational Resilience Act. EU regulation establishing operational-resilience requirements for financial-sector entities (banks, insurers, investment firms, payment service providers, crypto-asset providers) and for the third-party ICT providers they depend on. Enforcement began 17 January 2025.
DORA is the regulation that turned 'critical third-party ICT provider' into a designated category with specific obligations. For agentic-AI procurement in financial services, the contractual requirements of DORA Articles 28-30 are binding: incident-reporting timelines, audit rights, exit clauses, and sub-outsourcing disclosure. Most 2025-era AI vendor contracts were not drafted to DORA standards; the 2026 procurement-cycle remediation work in the financial sector is largely DORA-driven. DORA pairs with the EU AI Act for in-scope deployments: a high-risk AI system in financial services inherits both regimes.
Primary sources
- European Union. Regulation (EU) 2022/2554 — DORA
- European Banking Authority. DORA — Implementing Technical Standards