Digital Operational Resilience Act (DORA)

    Ensuring businesses can operate in the face of an ICT incident


    The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force in January 2023. It is part of the European Commission's digital finance package and aims to strengthen the digital resilience of the European financial sector. The goal is to ensure that financial entities can continue to operate reliably even during incidents affecting their ICT (information and communications technology) or their key suppliers.

    Entities in scope have a transition period until January 2025, when the regulation becomes applicable and must be fully implemented. During this period, the European Supervisory Authorities (ESAs) are expected to add further detail through regulatory and implementing technical standards and guidelines.

    The new requirements focus on ICT risk management, operational resilience, resilience testing, third-party risk and reporting obligations for ICT-related incidents such as cyber-attacks. These are explained below and illustrated with examples.

    DORA places great emphasis on the overall responsibility of the governing body for digital operational stability. Management must ensure that the company has an effective risk management system for ICT risks and is adequately protected against ICT disruptions and cyber-attacks.

    To this end, DORA envisions a holistic ICT risk management framework as fundamental to creating resilient financial enterprises. This enables ICT risks to be identified, assessed, managed and monitored.

    One example of how the DORA requirements are implemented is the establishment of resilient ICT systems across the European financial sector.

    Financial entities need to ensure that their IT systems and processes can detect and respond to potential threats quickly and effectively.

    To increase responsiveness, DORA specifies, among other things, requirements for processes and systems that promptly detect anomalous activity and defend against potential threats.

    One example of how this requirement can be implemented is automatic network isolation of affected systems when an attack is detected. Isolation limits lateral movement and the spread of an attack, which reduces the risk of data loss or system failure and makes restoring normal operations easier. Because isolation is itself disruptive, the triggering criteria should be tuned and tested so that a false positive does not take a critical service offline.

    DORA also harmonises the reporting of major ICT-related incidents across the European financial industry. This is intended to improve the response to such incidents and to enable effective cooperation between national and European authorities.

    One example of the implementation of this requirement is the introduction of uniform procedures for monitoring, classifying, and reporting ICT incidents to the relevant authorities.

    Regular testing of the operational stability and security of critical IT systems is essential to the smooth operation of financial entities. DORA requires a digital operational resilience testing programme that follows a risk-based approach, so that potential ICT disruptions are identified and remediated before they affect operations.

    One example of how this requirement is implemented is threat-led penetration testing (TLPT) on live production systems at least every three years, which DORA requires of financial entities identified for this purpose by their competent authorities. Such a test involves a targeted search for vulnerabilities in order to identify realistic attack paths and take appropriate countermeasures.

    DORA is designed to enable financial entities to effectively manage the risks posed by ICT third-party providers. This is particularly important as more and more financial firms rely on third-party services for their IT systems and processes.

    One example of how this requirement is implemented is the set of mandatory contractual provisions for ICT third-party providers, including termination rights that a financial entity can exercise when a provider fails to meet the requirements that DORA places on the arrangement. These provisions allow financial firms to monitor and, where necessary, exit third-party ICT relationships that pose unacceptable risk.

    Challenges for customers

    The introduction of the DORA Regulation may pose several challenges for financial firms, as they may not be adequately prepared to implement the new requirements.

    To meet the requirements and continue to conduct business appropriately and successfully, ICT systems must be brought up to date, processes optimised, and employees trained. 


    Why KPMG?

    • Range of disciplines
      KPMG has a comprehensive professional repertoire regarding all relevant disciplines in the area of DORA regulation, including management consulting, ISM (Information Security Management), IRM (Information Risk Management), BCM (Business Continuity Management), outsourcing and cloud solutions. We specialise in advising and supporting our clients in all aspects of these disciplines.
    • Deep expertise
      We have a deep understanding of processes, risks and controls as well as governance structures. Our expertise and know-how enable us to support our clients in implementing effective control mechanisms and risk management strategies.
    • Project experience
      Our extensive project experience with companies in the industry has provided us with valuable insights and knowledge that help us better understand our clients' challenges and requirements. With our proven process model, we apply these insights in a targeted manner and develop customised solutions, optimally tailored to the individual needs of our customers.
    • Global corporate network
      We benefit from direct access to global expertise and experience through our corporate network. We work closely with our international teams and can draw on a broad range of experience and expertise specifically tailored to the financial sector.
    • Market-standard tools
      In addition to our technical and methodological expertise, we also offer know-how for the implementation of tools. We support our clients in implementing market-standard GRC tools to efficiently manage and control risks and controls. Furthermore, we offer tools for the effective management of third-party vendors and their contracts in the area of information and communications technology (ICT).

    Get in touch

    It is imperative that financial firms prepare for DORA implementation. If you have any concerns or queries about how DORA will apply to your business, please contact our team below. We'd be delighted to hear from you.

    Dani Michaux

    EMA Cyber Leader

    KPMG in Ireland

    Jackie Hennessy

    Partner

    KPMG in Ireland

    Carmen Cronje

    Director

    KPMG in Ireland
