
      The Digital Operational Resilience Act (DORA) is a new EU regulation that entered into force in January 2023 and forms a key part of the European Commission’s broader Digital Finance Package. Its main objective is to strengthen the digital resilience of the European financial market, primarily by ensuring that financial entities can operate securely and reliably even in the event of major disruptions to information and communication technologies (ICT).

      Organizations affected by the regulation have a transitional period until January 2025 to achieve compliance with its requirements.


      How to Comply with DORA

      ICT Governance and Risk Management

      DORA places strong emphasis on the responsibility of an organization’s management body for ensuring digital operational resilience. Management must ensure adequate protection against ICT disruptions and cyberattacks.
      DORA requires a comprehensive ICT risk management framework as the foundation for building resilient financial institutions. This framework should enable the identification, assessment, management, and monitoring of ICT-related risks. An example of implementation is the development of resilient ICT systems that comply with European Economic Area standards.

      Legal Aspects

      DORA defines requirements for contractual arrangements with third parties providing ICT services to financial entities. It requires categorization of existing contracts, definition of target requirements, gap analyses, and remediation of identified gaps. In addition, DORA changes the responsibilities and liability risks of companies and senior management in relation to ICT third-party risks, which may require a review and adjustment of insurance coverage.

      Digital Operational Resilience Testing

      Regular testing of the operational resilience and security of key ICT systems is essential for the smooth operation of financial institutions. To identify and address potential ICT disruptions, testing must be risk-based. An example of implementation is conducting penetration testing in live production environments at least once every three years to identify vulnerabilities and counter potential attacks.

      Protection and Prevention

      Financial institutions must have ICT systems and processes capable of rapidly and effectively detecting potential threats and responding to them. The regulation sets requirements for processes and systems that enable early threat detection and defense. An example of implementation is automatic network isolation in the event of a cyberattack, minimizing data loss and system failures while accelerating recovery to normal operations.


      ICT Incident Management

      The regulation aims to standardize reporting obligations for major ICT-related incidents across the entire European financial sector, enabling better responses and effective cooperation between national and European authorities. Implementation includes the introduction of unified processes for monitoring, classifying, and reporting ICT incidents to relevant authorities.

      ICT Third-Party Risk Management

      DORA facilitates effective monitoring of risks associated with ICT service providers, which is crucial as financial institutions increasingly rely on third-party services for their IT and processes. Implementation includes sanctions and the possibility to terminate contracts with non-compliant providers, ensuring robust third-party risk oversight.

      Challenges for Customers

      For many financial institutions, DORA represents a significant challenge and may require updates to ICT systems, process optimization, and employee training in order to meet regulatory requirements.


      How KPMG Experts Can Help

      Compliance Strategy and Management Consulting

      We help financial institutions design and implement effective strategies to achieve compliance with DORA, including governance and enhanced risk management.

      Information Security Management System (ISMS)

      We are experts in strengthening information security controls. We ensure that all ICT systems and processes meet regulatory requirements and support digital operational resilience.

      Information Risk Management (IRM)

      We assist with identifying, assessing, managing, and monitoring ICT risks, helping organizations establish a robust risk management framework in line with DORA requirements.

      Outsourcing and Cloud Solutions

      We support the evaluation of ICT service providers and collaboration models to minimize risk, and we design third-party contract management systems that comply with DORA.


      We bring extensive knowledge and experience across a wide range of disciplines relevant to DORA, including management consulting, information security management (ISMS), information risk management (IRM), business continuity management (BCM), technical security testing, outsourcing, and cloud solutions. Our specialized advisory services cover the full spectrum of these areas, leveraging deep expertise in processes, risks, and governance structures.

      As a global organization, we have access to experts and know-how from around the world. Through collaboration with international teams, we are able to develop tailored digital solutions for the financial sector that truly meet its needs. In addition, our experts provide clients with tools for effective risk management and control, including the coordination of ICT suppliers and their contracts.


      KPMG SARA

      Graphical risk analysis provides you with more detailed and easier-to-understand insights.

      Petr Brychta

      Associate Director, Advisory – Strategy & Performance

      KPMG in the Czech Republic

      Radek Koudela

      Director, Advisory – Risk & Finance

      KPMG in the Czech Republic