Chapter I — General provisions
Definitions
Summary
Provides the official definitions for key terms used throughout the regulation, including digital operational resilience, ICT risk, ICT-related incident, critical or important function, and ICT third-party service provider. These definitions establish the precise regulatory vocabulary for the entire framework.
Key Requirements
1. Definition of digital operational resilience as a capability, not a state
2. ICT risk defined broadly to include any reasonably identifiable risk
3. ICT-related incident classification criteria established
4. Critical or important function threshold defined
5. ICT third-party service provider scope clarified
Detailed Analysis
Article 3 serves as the definitional foundation of DORA, establishing over 40 precise definitions that govern how the regulation is interpreted and applied. The precision of these definitions is crucial because they determine the boundary between compliance and non-compliance for thousands of financial entities across the EU.
The definition of "digital operational resilience" itself is noteworthy. DORA defines it as the ability of a financial entity to build, assure, and review its operational integrity and reliability. This frames resilience as an ongoing capability rather than a checkbox to be achieved, emphasizing continuous assessment and improvement.
"ICT risk" is defined in deliberately broad terms to capture any circumstance related to the use of network and information systems that could compromise their security. This inclusive definition ensures that emerging technology risks — from cloud concentration to AI model failures — fall within the regulatory scope without requiring amendments.
The concept of "critical or important function" is central to how DORA calibrates its requirements. Functions are deemed critical if their disruption would materially impair an entity's financial performance, the continuity of its services, or its compliance with regulatory obligations. This definition drives the application of enhanced requirements for testing, third-party management, and incident reporting.