DORApp Blog
DORA Fundamentals

DORA European Commission History (2026 Guide)

M
ByMatevž Rostaher
DORA regulation European Commission visual representing the five pillars of operational resilience
dora-european-commission-history-visual-showing-eu-policy-timeline-from-proposal-2.jpg

You are reading about DORA, everyone around you keeps referring to “the regulation,” and then someone asks a very reasonable question: who actually pushed this forward, when did it become law, and why was the European Commission so central to it? That moment comes up more often than you might think, especially for compliance teams, IT leaders, and founders in regulated sectors who need more than a headline summary.

The history of DORA matters because implementation did not appear out of nowhere. The Digital Operational Resilience Act grew out of a broader EU effort to strengthen the financial sector’s ability to withstand ICT disruption, third-party dependency, cyber incidents, and fragmented national approaches. If you understand the policy journey, you also understand why the final text looks the way it does.

DORApp was built to simplify DORA compliance for EU financial institutions through a modular approach, helping teams turn complex requirements into structured, manageable workflows. In this article, you will get a practical timeline from proposal to regulation, what the European Commission actually did, and why that history still matters in 2026.

  • Why the history still matters
  • Where DORA started at the EU level
  • How the law moved from proposal to adoption
  • DORA in official sources: Eur-Lex, RTS, and Level 1 vs Level 2 vs Level 3
  • What made DORA different from older rules
  • What DORA requires at a high level: the five pillars
  • Why the European Commission matters so much here
  • What happened after adoption and into 2026
  • Who needs to comply with DORA, and who else is affected
  • Practical lessons for compliance and IT teams
  • Frequently Asked Questions

    • Why the history still matters

    If you only look at DORA as a deadline, you miss the bigger picture. The regulation is really the result of years of EU policy work aimed at creating a more consistent operational resilience framework for financial entities. That is why DORA is broader than a cyber rule and more specific than a generic governance expectation.

    For many readers, the best starting point is simply understanding what is dora. Once that foundation is clear, the policy timeline becomes much easier to follow.

    The reality is that regulators did not create DORA just to add paperwork. They were responding to visible structural issues, including growing dependence on ICT providers, uneven incident handling, and inconsistent oversight across member states. That is also why DORA is closely connected to broader ideas about what is digital resilience.

    Where DORA started at the EU level

    DORA began as part of the European Commission’s Digital Finance Package. The Commission adopted that package in September 2020, with the goal of supporting innovation in financial services while addressing digital risks that existing rules did not fully cover. DORA was one of the package’s core legislative proposals.

    The policy problem the Commission was trying to solve

    Before DORA, many financial institutions already faced ICT, outsourcing, and security expectations through sectoral rules, national supervision, and guidelines from the European Supervisory Authorities. Still, the framework was fragmented. A bank, insurer, or investment firm might face slightly different expectations depending on its sector, home state, or supervisory interpretation.

    From the Commission’s standpoint, that fragmentation created risk. Financial markets were becoming more digital, supply chains were getting more complex, and cloud concentration risk was becoming harder to ignore. A harmonized EU regulation could reduce gaps and make cross-border supervision more coherent.

    Why a regulation, not just guidance

    Think of it this way: guidance can influence behavior, but a regulation creates a direct and consistent legal framework across the EU. That is one reason the DORA proposal carried so much weight from the start. If you want a broader explainer on the legal structure, see dora regulation explained.

    How the law moved from proposal to adoption

    The legislative path was structured, but not especially short. After the European Commission published the proposal in 2020, the text moved through the ordinary EU legislative process. That meant review, amendment, and negotiation by the European Parliament and the Council of the European Union.

    A practical timeline

    Here is the simplified sequence that matters most:

  • September 2020: European Commission adopts the DORA proposal as part of the Digital Finance Package.
  • 2021 to 2022: Parliament and Council review, debate, and negotiate the text.
  • May 2022: Political agreement is reached.
  • December 2022: DORA is formally adopted as Regulation (EU) 2022/2554.
  • January 2023: The regulation enters into force.
  • January 17, 2025: DORA becomes applicable.

    • That gap between entry into force and applicability is important. It gave financial entities, supervisors, and the ESAs time to prepare technical standards, implementation expectations, and supporting supervisory processes.

    If you want the full legislative context in one place, the Dorapp blog also tracks it in DORA European Commission Timeline and History (2026).

    dora-eu-law-concept-illustrating-unified-compliance-framework-for-financial-inst-2.jpg

    DORA in official sources: Eur-Lex, RTS, and Level 1 vs Level 2 vs Level 3

    Here is the thing: once DORA was adopted, the real-world reading work did not stop. Many implementation headaches come from mixing up what is legally binding today, what is still draft, and what is “helpful, but not law.” If you have ever seen someone circulate an RTS draft as if it were final, you have seen this in action.

    How to read the DORA “stack”

    In most cases, you will hear people talk about DORA in three layers. This is not unique to DORA, but it is especially important here because so much operational detail sits below the core regulation.

  • Level 1: the regulation itself, Regulation (EU) 2022/2554. This is the main legal text and is directly applicable across the EU.
  • Level 2: delegated acts and implementing acts, which often include Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS). These add detail on how certain requirements are expected to work in practice.
  • Level 3: supervisory guidance and communications, such as Q&As, opinions, or supervisory statements. These can be very useful for interpretation, but they do not typically have the same legal status as Level 1 and Level 2 texts.

    • The difference often comes down to what you are trying to prove. If you are designing policy and governance, you usually start with Level 1. If you are building reporting fields, templates, and evidence structures, Level 2 often becomes the day-to-day reference. Level 3 helps you understand supervisory intent and common questions, but you should treat it carefully, especially if it conflicts with the binding texts or if it is not intended for your entity type.

    What people mean by the “RTS list,” and why the Commission still matters after adoption

    You will often hear teams talk about “the RTS list” as if it is a checklist that arrived in one package. In reality, it is usually a set of separate standards that land at different times and cover different parts of DORA, such as incident classification, reporting details, testing expectations, and third-party oversight mechanics.

    Now, when it comes to the European Commission’s role after the Level 1 regulation was adopted, it still matters because Level 2 measures can involve Commission adoption through delegated or implementing acts, following drafts developed by the European Supervisory Authorities. That workflow is one reason implementation programs tend to evolve. Institutions may have a clear Level 1 obligation, but the precise reporting structure, templates, or technical conditions often become clearer through Level 2 texts over time.

    A practical research path (and how to avoid draft confusion)

    From a practical standpoint, you can usually keep your research organized with a simple rule: use official sources for the legal baseline, then layer in standards and supervisory explanations.

  • Eur-Lex is typically where you confirm the final, published law, including the official regulation text, recitals, and amendments or corrigenda if they exist. If you need the “what is legally in force” answer, start there.
  • European Commission pages often help you track the legislative package context and, depending on the topic, you may see references to delegated and implementing acts as they move into adoption and publication.
  • ESA publications are typically where you find draft RTS or ITS consultations, final reports, and sometimes Q&As or clarifications. This is valuable, but you need to check whether you are reading a consultation draft, a final draft submitted for adoption, or a text that has already been formally adopted and published.

    • Consider this: if a document is labeled as a consultation, final report, or draft standard, it is not necessarily the binding final text yet. For internal change control, many teams keep a small “source of truth” log that captures the document name, version status, publication date, and whether it is draft or final. That alone can prevent a lot of rework, especially when different teams pull references from different sources.

    What made DORA different from older rules

    What many people overlook is that DORA was not written as a narrow cybersecurity text. It is a cross-sector operational resilience regulation. Under DORA, this means financial entities have to manage ICT risk, report major incidents, test resilience, oversee ICT third-party providers, and support certain information-sharing arrangements.

    That structure is usually summarized through five pillars. For a more detailed breakdown, you can read DORA Pillars Explained: Complete Breakdown (2026) or browse the DORA Fundamentals category.

    Why the Commission went broad

    The Commission’s logic was fairly practical. If digital finance depends on technology, then resilience cannot be managed only through isolated IT controls. You need governance, accountability, testing, reporting, and supplier oversight tied together in one legal framework. That is why readers looking for a plain-language definition often start with digital operational resilience act dora.

    This also explains why DORA reaches beyond classic internal IT operations. It touches outsourced services, intra-group dependencies, documentation quality, and the ability to demonstrate control over your environment, not just describe it.

    What DORA requires at a high level: the five pillars

    If you are trying to get oriented quickly, the five pillars are the simplest way to understand what DORA is asking you to build. They are not just a neat structure. Each pillar exists because the EU saw a specific operational resilience problem repeating across firms and across borders.

    The five pillars in plain language (and the policy problem behind them)

    For most small business owners and entrepreneurs in regulated sectors, the confusing part is that DORA blends risk governance with technical operations. Think of the pillars as the EU’s way of making sure resilience is managed end to end.

  • ICT risk management: this is about having governance, controls, and an operating model that keeps technology risk under control over time, not only after a major incident. The policy problem was inconsistent maturity and uneven internal accountability.
  • Incident reporting: this focuses on identifying, classifying, and reporting major ICT-related incidents in a consistent way. The policy problem was fragmented reporting practices that made cross-border supervision and systemic risk monitoring harder.
  • Digital operational resilience testing: this is about validating that your defenses and recovery capabilities actually work, typically through planned testing approaches that match your risk profile. The policy problem was reliance on paper controls without enough evidence that resilience holds under stress.
  • ICT third-party risk management: this covers the way you select, contract with, and oversee ICT providers, including concentration and subcontracting concerns. The policy problem was growing dependency on a few providers and limited leverage or visibility once services were outsourced.
  • Information sharing: this supports structured sharing of threat intelligence and lessons learned, under defined conditions. The policy problem was that firms often learned the same hard lessons in isolation, which can slow down collective resilience.

    • In practice, these pillars connect. Your incident reporting quality depends on monitoring and escalation paths. Your testing program is only as good as your asset and dependency mapping. Your third-party oversight often determines whether recovery plans are realistic. That is why DORA reads as a system, not a single control list.

    Who typically owns what inside an institution

    Another reason competitors lean on the pillar view is that it maps well to real teams. DORA is rarely owned by one function, even if one function coordinates it.

  • IT and engineering teams often own system inventories, change processes, availability targets, and recovery capabilities.
  • Security teams often own threat detection, response playbooks, vulnerability management, and parts of testing.
  • Risk management often owns the overarching ICT risk framework, risk appetite integration, and consistent reporting up to management.
  • Compliance typically coordinates interpretation, evidence strategy, and supervisory communication planning, in partnership with risk and legal.
  • Procurement and vendor management typically own contract workflows, supplier governance, and ongoing assurance requests, often with input from security and risk.

    • The reality is that DORA tends to succeed when ownership is explicit and repeatable. If responsibilities are fuzzy, teams often end up with “policy compliance” on paper and operational gaps in practice.

    dora-eur-lex-style-image-representing-the-path-from-eu-proposal-to-adopted-regul-2.jpg

    Why the European Commission matters so much here

    The phrase dora european commission matters because the Commission did more than publish a draft. It framed the policy problem, set the legislative direction, and positioned DORA within a larger digital finance strategy. Without that early framing, the final regulation could have looked much narrower.

    The Commission as policy architect

    From a practical standpoint, the Commission’s role was to identify where EU financial law needed modernization. Existing sector rules covered parts of the risk, but not in one consistent, directly applicable framework. The Commission’s proposal gave Parliament and Council a starting point that reflected concerns about system-wide digital dependency and supervisory fragmentation.

    The ESAs and later technical detail

    After the main regulation was adopted, a lot of the operational detail shifted toward the European Supervisory Authorities, namely EBA, EIOPA, and ESMA. They have played a major role in developing standards, templates, and reporting expectations. That is especially visible in areas such as the Register of Information, XBRL reporting, and third-party oversight.

    Platforms like DORApp streamline the Register of Information process through importing existing data, managing records in an intuitive interface, auto-enriching selected data from public sources, validating against reporting logic, and generating compliant outputs. That kind of support matters because the policy vision from the Commission eventually turns into very practical reporting work for institutions.

    What happened after adoption and into 2026

    Adoption was only the midpoint. Once DORA entered into force, the implementation phase began. Financial institutions had to translate legal obligations into governance structures, ICT inventories, testing plans, contracts, incident processes, and evidence.

    The run-up to applicability in 2025

    By January 17, 2025, DORA became applicable. That meant regulated entities across 20 categories had to be ready to operate under the new framework. The first Register of Information submission deadline at EU level was April 30, 2025, using the required data structure and XBRL-based reporting approach as currently defined.

    For teams building that control environment, understanding the connection between DORA and ict risk management framework dora became essential. The same was true for core concepts like ict risk dora.

    Why 2026 feels different

    By 2026, the conversation has shifted from initial readiness to proof of compliance. Supervisors are increasingly focused on whether institutions can evidence ongoing control, not just produce a one-time implementation story. The designation of critical third-party providers in late 2025 and the growing attention to subcontracting risk have made that even more operational.

    With features such as modular workflows, audit-ready records, configurable processes, and a data model that converts into XBRL outputs, DORApp is one approach that may help compliance teams work from imperfect data while improving structure over time. That does not replace legal interpretation, but it can reduce operational friction.

    You can also browse the Digital Operational Resilience category if you want more context around how this area is evolving.

    Who needs to comply with DORA, and who else is affected

    A lot of confusion in 2026 is not about what DORA says, but about whether it applies to a specific organization and how far its reach extends through suppliers and group structures. The EU’s main goal was harmonization across borders, so scope was designed to cover a wide set of financial entities, not only banks.

    Scope in practical terms: financial entities across sectors

    DORA applies to a broad set of “financial entities,” across multiple categories. That typically includes many types of institutions in banking, insurance, investments, payments, and related financial market activities. The exact scope details can depend on your authorization status and business model, so you usually want your legal and compliance teams to confirm classification rather than relying on informal labels.

    What matters operationally is that the EU aimed for cross-sector consistency. Similar ICT risks show up in many regulated business lines, and incidents often do not respect sector boundaries. This cross-sector scope is one reason the European Commission pushed for a single regulation rather than a patchwork of sector-by-sector updates.

    Critical ICT third-party providers: direct oversight, plus indirect pressure downstream

    DORA also introduced an oversight regime for certain ICT third-party providers that may be designated as critical. That does not mean every vendor becomes directly supervised, and it does not automatically change contractual obligations by itself. It does mean that critical providers can fall under a more centralized oversight approach, reflecting the systemic importance of certain shared service providers.

    Even if you are not a “financial entity,” you can still feel DORA’s impact in very practical ways. Vendors and intra-group service companies often see more structured due diligence, more detailed contract clauses, more frequent assurance questionnaires, and more evidence requests tied to resilience, subcontracting, incident handling, and audit rights. In most cases, this is how DORA spreads. Institutions need to prove they control their dependencies, so they ask their providers for the data and commitments that make that proof possible.

    If you are a founder selling into EU financial services, this often becomes a go-to-market requirement as much as a legal question. The best approach is usually to prepare a clear resilience and assurance story, then validate the exact requirements with the financial entity you support and, where needed, with qualified legal or compliance professionals.

    dora-regulation-european-commission-visual-representing-the-five-pillars-of-oper-2.jpg

    Practical lessons for compliance and IT teams

    If you are responsible for DORA implementation, the history gives you a useful shortcut. It shows that DORA was designed to solve structural resilience problems, not just reporting inconsistency. That means your implementation should not stop at templates and policies.

    What this means in practice

    In practice, this means you should read the regulation with three questions in mind:

  • What operational problem was the EU trying to solve?
  • What evidence would a supervisor expect to see?
  • Which processes need to run continuously, not just near a deadline?

    • That perspective makes the regulation much easier to operationalize. It also helps explain why article-by-article reading is useful, but not enough on its own. Process design, ownership, data quality, and workflow control matter just as much.

    DORApp was built specifically for EU financial institutions and supports a modular path across DORA-related workflows, including the Register of Information and third-party risk processes. If you want to explore how that works in practice, you can visit Free Trial – 14 Days or Book a Demo for a closer look.

    Disclaimer: The information in this article is intended for general informational and educational purposes only. It does not constitute professional technical, legal, financial, or regulatory advice. Website performance outcomes, platform capabilities, and business results will vary depending on your specific circumstances, goals, and implementation. Always evaluate tools and platforms based on your own needs and, where relevant, seek professional guidance.

    Regulatory note: This article is for informational purposes only and does not constitute financial, legal, or regulatory advice. DORA compliance requirements may vary based on your institution type, size, and national regulatory framework. Content referencing regulated industries is provided for general context only and should not be interpreted as legal, regulatory, compliance, or financial advice. If you operate in a regulated sector, always consult qualified financial, legal, and compliance professionals for guidance specific to your situation.

    Frequently Asked Questions

    What is the connection between DORA and the European Commission?

    The European Commission proposed DORA as part of the Digital Finance Package in September 2020. Its role was to identify the policy gap, draft the legislative proposal, and set the strategic direction for a more harmonized EU framework on digital operational resilience in financial services. Parliament and Council then negotiated and adopted the final text. So, when people search for “dora european commission,” they are usually trying to understand where the law started and why the Commission shaped its scope so heavily.

    When did DORA become law in the EU?

    DORA was formally adopted in December 2022 as Regulation (EU) 2022/2554. It entered into force in January 2023 and became applicable on January 17, 2025. That distinction matters. “Entered into force” means the regulation officially became part of EU law, while “applicable” means financial entities had to comply with it in practice. For implementation planning, the applicability date is often the more important one because that is when supervisory expectations become operational rather than preparatory.

    Why did the EU feel a new regulation was necessary?

    The EU saw that financial institutions were becoming more dependent on ICT systems and third-party providers, while rules remained fragmented across sectors and member states. Existing guidance covered some issues, but not through one directly applicable and cross-sector framework. DORA was meant to create more consistent standards for ICT risk management, incident reporting, resilience testing, third-party oversight, and information sharing. In simple terms, the EU wanted financial entities to treat digital resilience as a core operating discipline, not an isolated IT issue.

    Is DORA only about cybersecurity?

    No, and that is one of the most important points to understand. Cybersecurity is part of DORA, but the regulation is broader than that. It covers operational resilience across governance, ICT risk, third-party arrangements, incident handling, and testing. A cyber incident may trigger DORA obligations, but so can failures related to systems, providers, processes, or resilience controls. If your team treats DORA as only a security issue, you may miss responsibilities that belong to compliance, procurement, risk, legal, and executive leadership.

    What does DORA’s legislative history tell us about implementation?

    It shows that DORA was designed to solve structural issues, not just create reporting templates. The European Commission’s original policy direction focused on harmonization, resilience, and supervisory visibility across the financial sector. That means implementation should go beyond policy writing. You typically need clear ownership, evidence trails, process discipline, and reliable data across functions. Teams that understand the history often build better operating models because they can see the purpose behind the legal text, not just the wording itself.

    Where does Eur-Lex fit into DORA research?

    Eur-Lex is the official EU legal database where you can access the formal text of DORA and related legislative materials. If you are researching “dora eurlex,” you are probably looking for the published regulation, legislative history, or official legal references. It is a useful source for confirming definitions, recitals, and procedural milestones. For day-to-day implementation, though, most teams also need practical interpretation, operational workflows, and internal governance support, because reading the regulation alone rarely answers every implementation question.

    Why does the timeline still matter in 2026?

    Because 2026 is not really about first awareness anymore. It is about demonstrating that your controls, records, and governance are working on an ongoing basis. The timeline helps you understand why this happened. First came the policy proposal, then the legal framework, then the standards, and now the market is moving into supervisory proof. That progression explains why regulators increasingly focus on evidence, data quality, and repeatable processes rather than one-off remediation projects or deadline-driven documentation exercises.

    How should a compliance team use this history in practice?

    Use it as a way to prioritize. If you understand why DORA was created, you can better judge which controls matter most and which gaps are simply documentation issues. Start by mapping your institution’s critical ICT dependencies, governance responsibilities, and reporting processes. Then ask whether your setup actually supports continuous oversight. Many teams find that the hardest part is not interpreting the regulation, but organizing the data, ownership, and evidence needed to support it consistently across the institution.

    Does DORApp replace legal or regulatory advice?

    No. DORApp may support operational compliance work, but it does not replace legal analysis, regulatory interpretation, or institution-specific advice. Tools can help with workflows, records, validation, reporting preparation, and auditability, but your institution still needs qualified legal, compliance, and risk professionals to interpret obligations in context. The best way to think about a platform is as an execution layer for structured compliance processes, not as a substitute for professional judgment or supervisory dialogue.

    What are the 5 pillars of the DORA regulation?

    The five pillars are ICT risk management, incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. They are meant to work together. The EU’s goal was to make resilience measurable and consistent across the financial sector, so the pillars connect governance, operational processes, supplier oversight, and evidence in one framework.

    Who needs to comply with DORA?

    DORA applies to a broad set of EU-regulated financial entities across multiple categories, not only banks. In practice, scope depends on your authorization status and the type of regulated activity you perform, so your compliance and legal teams should confirm classification. Even organizations outside that scope, such as ICT vendors, are often indirectly affected through contracting, assurance requests, and resilience expectations from their regulated customers.

    What does DORA stand for?

    DORA stands for the Digital Operational Resilience Act. It is the EU framework that focuses on making sure financial entities can withstand, respond to, and recover from ICT-related disruptions, including those involving third-party providers.

    What is the DORA regulation in Europe?

    DORA is the EU’s Digital Operational Resilience Act, adopted as Regulation (EU) 2022/2554. It sets cross-sector requirements for how financial entities manage ICT risk, report major incidents, test resilience, oversee ICT third-party providers, and support certain information-sharing arrangements. While the regulation is directly applicable, many teams also track related technical standards and supervisory communications to implement it in an operationally consistent way.

    Key Takeaways

  • DORA started with the European Commission’s September 2020 proposal under the Digital Finance Package.
  • The regulation was adopted as Regulation (EU) 2022/2554, entered into force in 2023, and became applicable on January 17, 2025.
  • DORA was designed as a cross-sector operational resilience framework, not just a cybersecurity rule.
  • Understanding the legislative history helps you interpret why governance, third-party oversight, and evidence matter so much.
  • In 2026, the focus is increasingly on proving ongoing compliance through structured, auditable processes.

    • Conclusion

    The story behind DORA is more than a legislative timeline. It explains why the regulation is so broad, why the European Commission’s role mattered, and why implementation now reaches into governance, ICT risk, supplier oversight, and reporting discipline. Once you see DORA as part of the EU’s wider digital finance strategy, the final text starts to make a lot more sense.

    For compliance officers, risk teams, and IT leaders, that historical context can be surprisingly practical. It helps you separate core resilience goals from administrative noise and build a stronger long-term response. If you want to keep building your understanding, start with the related articles linked above or explore more from the Dorapp blog. If you are already working through DORA operational challenges, you can also see how DORApp approaches structured compliance workflows at dorapp.eu.

    M

    About the Author

    Matevž Rostaher is Co-Founder and Product Owner of DORApp. He brings deep experience in building secure and compliant ICT solutions for the financial sector and is positioned by DORApp as an expert trusted by financial institutions on complex regulatory and operational challenges. DORApp’s own webinar materials list him as CEO and Co-Founder of Skupina Novum d.o.o. and CEO and Co-Founder of FJA OdaTeam d.o.o. His articles should carry the voice of someone who understands not just compliance requirements, but the systems and delivery realities behind them.