
      The Digital Operational Resilience Act (DORA) is a new EU regulation that came into force in January 2023. It is part of the European Commission's digital finance package with the aim of increasing the digital resilience of the European financial market. The aim is to ensure that financial market participants can continue to operate securely and reliably even in the event of major incidents affecting information and communication technology (ICT).

      Companies affected by the regulation have a transitional period until January 2025 to fully implement the regulation.

The new requirements, for example for ICT security, operational resilience and reporting obligations in the event of cyber attacks, are explained below.


A guide to understanding DORA and its impact on the financial sector

      Requirements & current developments


      DORA attaches great importance to the overall responsibility of the management body for digital operational stability. Management must ensure that the company is adequately protected against ICT disruptions and cyber attacks.

DORA treats a holistic ICT risk management framework as the foundation of a resilient financial organisation: one that allows ICT risks to be identified, assessed, managed and monitored.

One example of the implementation of the DORA requirements is the establishment of resilient ICT systems to a uniform standard throughout the European Economic Area.

Financial organisations need to ensure that their IT systems and processes are able to detect and respond to potential threats quickly and effectively.

In order to increase responsiveness, DORA specifies requirements for processes and systems for the prompt detection of, and defence against, potential threats, among other things.

One example of the implementation of this requirement is automatic network isolation of affected systems in the event of a cyber attack. This limits the risk of data loss or further system failures and makes it easier to restore normal operations in a controlled manner.
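To make the "automatic network isolation" example concrete, here is an added illustration (not code from the page or from KPMG) of the decision logic behind it: detection events are correlated per host inside a time window, an isolation action is emitted once a per-host score crosses a threshold, and restoring the host is a separate, approver-gated step so that normal operations are resumed deliberately rather than by the same automation. The event line format, the per-detection weights, the threshold, the window length and the quarantine VLAN number are all assumptions of this example; the action record stands in for whatever enforcement mechanism (firewall, NAC, EDR) a real deployment would call.

```python
"""Automatic network isolation triggered by correlated detections.

Added example, not code from the page or from KPMG. It assumes:
  * detection events arrive as constructed lines "ISO8601 host kind";
  * the per-detection weights, the isolation threshold, the correlation
    window and the quarantine VLAN number are a hypothetical policy;
  * the enforcement step (moving the host to the quarantine VLAN) is
    represented by the returned action record, not executed here.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Hypothetical policy: how much each detection type contributes per host.
WEIGHTS = {"port_scan": 10, "lateral_movement": 40,
           "credential_dump": 50, "c2_beacon": 60}
ISOLATE_AT = 80                  # assumed threshold for automatic isolation
WINDOW = timedelta(minutes=15)   # assumed correlation window per host
QUARANTINE_VLAN = 999            # hypothetical quarantine VLAN


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str


@dataclass
class HostState:
    events: List[Event] = field(default_factory=list)
    isolated: bool = False


def parse_event(line: str) -> Event:
    """Parse one constructed detection line: '<ISO8601 timestamp> <host> <kind>'."""
    ts, host, kind = line.split()
    return Event(datetime.fromisoformat(ts), host, kind)


class IsolationEngine:
    def __init__(self) -> None:
        self.hosts: Dict[str, HostState] = {}
        self.actions: List[dict] = []   # audit trail of isolate/release decisions

    def _score(self, state: HostState, now: datetime) -> int:
        # Drop events outside the window, then sum the weights of what is left.
        state.events = [e for e in state.events if now - e.ts <= WINDOW]
        return sum(WEIGHTS.get(e.kind, 0) for e in state.events)

    def ingest(self, ev: Event) -> Optional[dict]:
        """Record the event; return an isolation action if the threshold is crossed."""
        state = self.hosts.setdefault(ev.host, HostState())
        state.events.append(ev)
        if state.isolated:
            return None                 # already quarantined; keep the record only
        score = self._score(state, ev.ts)
        if score < ISOLATE_AT:
            return None
        state.isolated = True
        action = {
            "action": "isolate", "host": ev.host, "score": score,
            "vlan": QUARANTINE_VLAN, "at": ev.ts.isoformat(),
            "reason": sorted({e.kind for e in state.events}),
        }
        self.actions.append(action)
        return action

    def release(self, host: str, approved_by: str) -> dict:
        """Restore connectivity. Deliberately not automatic: a named approver is required."""
        state = self.hosts[host]
        if not state.isolated:
            raise ValueError(f"{host} is not isolated")
        state.isolated = False
        state.events.clear()
        action = {"action": "release", "host": host, "approved_by": approved_by}
        self.actions.append(action)
        return action


# Constructed sample detections (not real logs).
SAMPLE_EVENTS = [
    "2025-03-01T09:00:00 ws-17 port_scan",
    "2025-03-01T09:02:00 ws-17 lateral_movement",
    "2025-03-01T09:05:00 ws-42 port_scan",
    "2025-03-01T09:06:00 ws-17 credential_dump",   # ws-17 reaches 100 -> isolated
    "2025-03-01T09:30:00 ws-42 c2_beacon",         # ws-42 port_scan aged out; 60 < 80
    "2025-03-01T09:31:00 ws-42 lateral_movement",  # ws-42 reaches 100 -> isolated
]


def run_sample() -> IsolationEngine:
    engine = IsolationEngine()
    for line in SAMPLE_EVENTS:
        engine.ingest(parse_event(line))
    return engine


if __name__ == "__main__":
    for a in run_sample().actions:
        print(a)
```

Two design points matter more than the numbers: the sliding window keeps one stale low-severity alert from tipping a host into quarantine much later, and release is a separate call with a named approver so that the audit trail shows who decided the host was safe to reconnect.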

      Another DORA requirement is to standardise reporting obligations for serious ICT incidents across the European financial industry. This should help to improve the response to such incidents and ensure effective cooperation between national and European authorities.

      One example of the implementation of this requirement is the introduction of standardised procedures for monitoring, classifying and reporting ICT incidents to the competent authorities.

Regularly checking the operational stability and security of critical IT systems is crucial for the smooth operation of financial organisations. A risk-based testing approach is required to ensure that potential ICT disruptions are recognised and remediated.

One example of the implementation of this requirement is the performance of threat-led penetration tests (TLPT) on live production systems at least every three years. This involves looking for specific weaknesses in the system in order to identify potential attack vectors and take appropriate countermeasures.

      DORA is designed to enable financial organisations to effectively monitor the risks posed by third-party ICT providers. This is particularly important as more and more financial companies are relying on the services of third-party providers for their IT systems and processes.

One example of the implementation of this requirement is the introduction of contractual penalties and new termination rights for contracts with ICT third-party providers that do not comply with the requirements of the DORA Regulation. These measures enable financial organisations to monitor the risk posed by ICT third-party providers robustly.

Audit practice began with the end of the DORA implementation period in January 2025. Since then, the implementation of DORA, and therefore the resilience of financial companies including their information and communication technology (ICT) service providers, has been audited by the internal audit department, by the auditor of the annual financial statements and, in particular, by the national (BaFin) and European (European Supervisory Authorities) supervisory authorities. The starting point for these audits is a functioning ICT risk management system. Based on the definition of critical and important functions, all areas of DORA are reviewed both in terms of the requirements and their effective implementation.

      We provide financial companies with comprehensive support during these audits: starting with the preparation of our clients, we accompany the entire audit and then help them to work through the findings in a structured manner. We ensure a professional audit process and transparent communication with the authorities. Through a gap analysis, we avoid surprises in terms of content and can quickly identify, assess and communicate anomalies.

DORA is also concretised by the ESAs (European Supervisory Authorities) through regulatory technical standards and implementing technical standards (RTS/ITS).

The following graphic gives an overview and timeline of the concretisations delivered in the first batch (pink) and still to come in the second batch (blue), broken down by DORA chapter. The public consultation on the first batch ran from 19 June 2023 to 11 September 2023, and the European Commission was to receive the revised drafts by 17 January 2024. The RTS/ITS of the second batch were expected to enter public consultation at the end of November/beginning of December 2023:

[Graphic: dora-regulations]

      Challenges for customers

      The introduction of the DORA regulation may pose a number of challenges for financial companies, as they may not be sufficiently prepared to implement the new requirements. 

In order to meet the requirements and continue to operate appropriately and successfully, ICT systems must be brought up to date, processes optimised and employees trained.

      Legal aspects

      With regard to contract management, DORA defines, among other things, requirements for contracts with ICT third parties that must be incorporated into the contract management of financial organisations. During implementation, it is therefore necessary to categorise (existing) contracts, define target requirements, carry out gap analyses and close potential gaps.

      DORA also changes the requirements for the responsibility and liability risks of companies and managers with regard to ICT third-party risks. For example, the scope and conditions of insurance cover need to be reviewed and adjusted if necessary.

      How KPMG supports you

      • KPMG has a comprehensive repertoire of expertise in all relevant disciplines in the area of DORA regulation, including management consulting, ISM (Information Security Management), IRM (Information Risk Management), BCM (Business Continuity Management), outsourcing and cloud solutions. We specialise in advising and supporting our clients in all aspects of these disciplines.
      • We have a deep understanding of processes, risks and controls as well as governance structures. Our expertise and know-how enable us to support our clients in implementing effective control mechanisms and risk management strategies.
      • Our extensive project experience with companies in the industry has provided us with valuable insights and knowledge that help us to better understand our clients' challenges and requirements. With our proven process model, we apply these insights in a targeted manner and develop customised solutions that are optimally tailored to the individual needs of our clients.
      • We benefit from direct access to global expertise and experience through our corporate network. We work closely with our international teams and have access to a wide range of experience and expertise specifically tailored to the financial sector.
      • In addition to our technical and methodological expertise, we also offer know-how for the implementation of tools. We support our clients in the implementation of standard GRC tools to efficiently manage and control risks and controls. We also offer tools for the effective management of third-party providers and their contracts in the area of information and communication technology (ICT).

Download now: New reporting requirements in third-party risk management - key learnings and take-aways on the register of information

Download now: Digital Operational Resilience Act

Download now: Digital Operational Resilience Act - Why you should act now

KPMG webcast – DORA: how to succeed with implementation

Documents from the live webcast of 27 April 2023, 9:00 - 11:30
