What Is DORA?
The Digital Operational Resilience Act — known as DORA — is Regulation (EU) 2022/2554, adopted by the European Parliament and the Council on 14 December 2022. The EU published it in the Official Journal on 27 December 2022. It entered into force on 16 January 2023 and became fully applicable on 17 January 2025.
DORA addresses a specific gap in EU financial regulation. Before DORA, financial institutions managed operational risk primarily by setting aside capital. However, that approach did not adequately cover ICT-related disruptions, which can affect many institutions at the same time when a shared technology provider fails. Therefore, DORA introduces a uniform framework across the EU for ICT risk management, incident reporting, operational resilience testing, and oversight of third-party technology providers.
Who Must Comply with DORA?
DORA applies to two main groups of organisations involved in information and communication technology (ICT) services within the financial sector.
The first group is financial entities. These include credit institutions, payment institutions, electronic money institutions, investment firms, insurance and reinsurance undertakings, crypto-asset service providers, central securities depositories, central counterparties, and trading venues, among others listed in Article 2 of the regulation.
The second group is ICT third-party service providers — companies that supply technology services to financial entities. This group includes cloud computing providers, software developers, data analytics firms, cybersecurity companies, data centre providers, and any other provider whose services support a regulated financial institution’s operations.
Importantly, DORA also covers ICT providers based outside the EU. If a technology company in the United States, United Kingdom, or Asia supplies services to EU-regulated financial institutions, DORA applies to that relationship.
The LEI Requirement Under DORA
DORA requires financial entities to maintain a detailed Register of Information covering all their ICT third-party service providers. Commission Implementing Regulation (EU) 2024/2956, published on 2 December 2024, sets out the standard templates for this register.
Article 3(5) of that implementing regulation states directly:
“Financial entities shall use a valid and active legal entity identifier (LEI) or the European Unique Identifier referred to in Article 16 of Directive (EU) 2017/1132 (‘EUID’), and where available both of these identifiers, to identify all of their ICT third-party service providers that are legal persons, except for individuals acting in a business capacity.”
In other words, every ICT third-party provider that is a legal entity must be identifiable using either a valid and active LEI or an EUID. Both must be current. A lapsed or expired LEI does not satisfy this requirement.
LEI or EUID — Which One Applies to You?
Both identifiers satisfy DORA requirements, but they cover different situations. Understanding the difference helps you choose correctly.
The LEI (Legal Entity Identifier) is a globally recognised 20-character alphanumeric code based on ISO standard 17442. The Global Legal Entity Identifier Foundation (GLEIF) governs the Global LEI System and makes all LEI data publicly available in the Global LEI Index. The LEI covers legal entities in over 200 jurisdictions and also includes ownership and control data.
The EUID (European Unique Identifier) links to the EU’s Business Registers Interconnection System (BRIS). Because it connects exclusively to EU national registries, it covers only entities registered in EU Member States.
Here the implementing regulation draws a critical distinction: ICT providers established outside the EU must be identified using the LEI only. The EUID is simply not available for non-EU entities. As a result, the LEI is the only valid identifier for any provider operating from outside the EU.
For EU-based providers, either identifier works. However, for global operations or providers with non-EU exposure, the LEI is the stronger choice because of its international recognition and broader data coverage.
What “Valid and Active” Means in Practice
The implementing regulation specifically requires a valid and active LEI. This refers to the status that appears in the GLEIF global database.
An LEI showing the status “Issued” is valid and active, and therefore satisfies DORA. An LEI showing “Lapsed” has expired, and consequently does not satisfy the requirement. Financial entities cannot record a lapsed LEI as a compliant identifier in their Register of Information.
An LEI remains valid for one year from the date of issuance or last renewal. After that, the owner must renew it to maintain active status. During renewal, the issuing organisation re-verifies the entity’s reference data — including legal name, registered address, and ownership structure — against official registry sources. This process ensures that data in the global LEI database stays accurate and current.
You can check the status of any LEI using the GLEIF LEI search tool or through the LEI System search.
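The identifier rules above can be checked mechanically before a register is submitted. The following is an added example, not part of the original article or of any official template: it tests the LEI's 20-character format and its ISO 17442 check digits (ISO 7064 MOD 97-10), the "Issued" status rule, and the LEI-only rule for non-EU providers. The entry field names (country, lei, lei_status, euid) are hypothetical, the status string is assumed to have been copied from a GLEIF lookup, and the sample LEI is constructed.

```python
import re

# EU Member State codes (ISO 3166-1 alpha-2); the EUID exists only for these.
EU_MEMBER_STATES = frozenset(
    "AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT "
    "NL PL PT RO SK SI ES SE".split())

def _as_number(text):
    # ISO 7064 MOD 97-10 input: digits stay, letters map A=10 ... Z=35.
    return int("".join(str(int(ch, 36)) for ch in text))

def lei_check_digits(prefix18):
    """Two check digits for an 18-character LEI prefix (ISO 17442)."""
    return f"{98 - _as_number(prefix18 + '00') % 97:02d}"

def lei_format_ok(lei):
    """20 characters, upper-case alphanumeric, check digits consistent."""
    return (re.fullmatch(r"[0-9A-Z]{18}[0-9]{2}", lei) is not None
            and _as_number(lei) % 97 == 1)

def check_entry(entry):
    """Return the problems found in one register entry.

    `entry` is a hypothetical dict: country, lei, lei_status, euid.
    lei_status is the status string copied from a GLEIF lookup.
    The EUID is only checked for presence, not validated.
    """
    problems = []
    lei = entry.get("lei")
    status = (entry.get("lei_status") or "").strip().lower()
    lei_good = False
    if lei:
        if not lei_format_ok(lei):
            problems.append("LEI fails the format or check-digit test")
        elif status != "issued":
            problems.append("LEI status is not 'Issued'")
        else:
            lei_good = True
    if entry["country"] not in EU_MEMBER_STATES:
        if not lei_good:
            problems.append("non-EU provider needs a valid and active LEI")
    elif not lei_good and not entry.get("euid"):
        problems.append("no valid LEI and no EUID recorded")
    return problems

# Constructed sample LEI (not a real entity), built from a made-up prefix.
SAMPLE_LEI = "TEST00EXAMPLEPROV1" + lei_check_digits("TEST00EXAMPLEPROV1")

if __name__ == "__main__":
    print(check_entry({"country": "US", "lei": SAMPLE_LEI, "lei_status": "Lapsed"}))
```

A check-digit pass only shows the code is well formed; the status still has to come from the GLEIF database on the day the register is compiled.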
Why the LEI Is the Practical Standard for DORA Compliance
DORA regulators chose the LEI because it solves a problem that no national identifier can: consistent, cross-border identification of legal entities in a single globally recognised format.
National company registration numbers vary significantly between countries, are not always machine-readable, and do not cover non-EU entities at all. The LEI, by contrast, provides one consistent code for any legal entity, regardless of where it is incorporated. Additionally, because LEI data is publicly available and verifiable, financial institutions can check provider details instantly without requesting documents.
For financial institutions managing many ICT suppliers across different countries, this standardisation significantly reduces the administrative complexity of DORA compliance. A single LEI lookup delivers verified information about the provider’s legal name, registration details, and ownership structure — all of which are directly relevant to DORA’s third-party risk management obligations.
For ICT providers, holding a valid LEI makes it straightforward for financial institution clients to include them correctly in their DORA register. Providers without a valid LEI, on the other hand, create compliance gaps for their clients and therefore risk damaging the business relationship. GLEIF provides further context on how the LEI supports this in its overview of the regulatory use of the LEI.
What ICT Providers Should Do Now
Check whether you have a valid LEI. If you supply ICT services to any EU-regulated financial institution, your client must identify you in their DORA Register of Information. Contact them to confirm whether they have recorded your LEI and whether it is currently active.
Register an LEI if you do not have one. The process is fully digital and completes within 24 hours for most jurisdictions. You need to provide your company’s legal name, registered address, and registration number. In most cases, the system verifies this data automatically against official business registries. LEI System is an accredited GLEIF Registration Agent. You can start your LEI registration today.
Renew your LEI if it has lapsed. A lapsed LEI must be renewed before your clients can use it in a DORA register. Renewal restores the “Issued” status and re-validates your company’s reference data. You can renew your LEI quickly through LEI System.
Keep your LEI data up to date. If your company name, registered address, or ownership structure has changed, update your LEI reference data accordingly. Outdated LEI data creates compliance complications for your financial institution clients when they submit their register to national authorities.
DORA in the Context of Broader EU Regulation
DORA does not operate in isolation. It sits alongside other EU regulations that also use the LEI as the standard identifier for legal entities, including MiFID II transaction reporting, EMIR derivatives reporting, and the EU Instant Payments Regulation. For financial entities already using LEIs for transaction reporting, DORA therefore adds a further dimension rather than an entirely new system.
Additionally, DORA connects directly to the NIS2 Directive (Directive (EU) 2022/2555) on cybersecurity. DORA functions as a sector-specific act under NIS2 for financial entities. You can read more about NIS2 and the LEI in the NIS2 and LEI article on this site. For a broader overview of how the LEI operates across EU financial regulation, see How LEI Works in Practice in the EU.
DORA and LEI — Key Facts at a Glance
What is DORA? Regulation (EU) 2022/2554 on digital operational resilience for the financial sector.
When did DORA become applicable? 17 January 2025.
Who must comply? EU financial entities and their ICT third-party service providers, including non-EU providers serving EU financial institutions.
What does DORA require for ICT provider identification? A valid and active LEI or EUID, as specified in Commission Implementing Regulation (EU) 2024/2956.
Which identifier applies to non-EU ICT providers? LEI only. The EUID covers EU-registered entities only.
What LEI status satisfies DORA? “Issued” only. A “Lapsed” LEI does not satisfy the requirement.
Where can I register or renew an LEI? Through an accredited GLEIF Registration Agent such as LEI System.