Building operational resilience in a digital-first world
Digital Operational Resilience Act (DORA)
Why it matters
The Digital Operational Resilience Act (DORA) introduces a unified EU-wide framework to strengthen how financial services firms manage digital risk.
More than just ensuring financial stability, DORA shifts the focus to operational continuity; making sure firms can withstand and recover from severe disruptions caused by cybersecurity threats and ICT issues.
By setting a consistent supervisory approach across the EU, DORA promotes alignment, clarity, and resilience; bringing much-needed convergence to how the sector handles digital risk.
On 16 January 2023, the Digital Operational Resilience Act (DORA) entered into force
Today, information and communication technology (ICT) plays a vital role in the financial industry and the volume of data processed every day ever increases – with no end in sight. The regulatory landscape that addressed operational resilience with respect to services provided and regulatory compliance for financial entities in Europe was until the entry into force of DORA very heterogenous. Banking institutions were for example facing much higher regulatory standards on paper than other financial entities such as Management Companies, Alternative Fund Managers and Insurance Companies.
Background
As of January 2025 around 22,000 of EU regulated financial entities (e.g. banks, insurance companies, management companies, AIFMs, PSF (expected)) are required to comply with uniform regulatory standards that have two main objectives:
Build, assure and review the operational integrity of the service and operating model to ensure the continued provision of (the quality of) the financial services including throughout disruptions; and
Limit the risk of contagion within the EU financial system by prescribing a harmonised minimum standard of digital operational resilience.
Cybersecurity Regulation
What is digital operational resilience?
DORA introduces a five-pillar framework of ICT risk management; incident reporting; digital operational resilience testing; third-party risk management; and information sharing. Through this digital operations framework, DORA will help firms ensure they can withstand, respond to and recover from all types of ICT-related disruptions and threats.
ICT risk management
Under DORA, the management body is responsible for defining, approving and implementing a comprehensive ICT risk management framework. The framework should include a digital operational resilience strategy and the methods used to manage ICT and cyber risk and meet objectives by:
- explaining how the framework supports the business strategy and its objectives;
- establishing the tolerance level for ICT risk and analysing the impact of ICT disruptions;
- setting out clear information regarding security objectives;
- outlining the different mechanisms in place to detect, protect and prevent the impacts of ICT-related incidents;
- defining a holistic ICT multi-vendor strategy at the entity level, highlighting key dependencies on ICT third-party service providers and explaining the rationale behind the mix of third-party service providers; and
- reviewing the ICT risk management of third parties as it relates to the services provided.
ICT and cyber-related incident management
DORA requires financial entities to have an ICT-related incident management process that:
- establishes procedures to identify, track, log, categorise and classify ICT-related incidents according to the priority, severity and criticality of services impacted;
- assigns roles and responsibilities that need to be activated for different ICT- related incident types and scenarios;
- sets out plans for communication to staff, external stakeholders and media, and for notifications to clients and counterparts as appropriate;
- ensures that major ICT-related incidents are reported to relevant senior management and that the management body is informed of major ICT-related incidents, explaining the impact, response and additional controls to be established as a result of ICT-related incidents; and
- establishes ICT-related incident response procedures to mitigate the impacts and ensure that services become operational and secure in a timely manner.
Digital operational resilience testing
DORA requires all entities to implement a sound and comprehensive digital operational resilience testing programme. It should:
- take a risk-based approach, accounting for the evolving landscape of ICT and cyber risks, any specific threats to which the financial entity is — or might be — exposed, the criticality of information assets and services provided and so on;
- ensure that tests are undertaken by independent parties (internal or external);
- identify, mitigate and promptly eliminate any weaknesses, deficiencies or gaps; and
- ensure that all critical tools and applications are tested at least annually.
- Threat-led penetration testing is explicitly required by DORA, which includes requirements for the entity that extend to ICT/critical third-party service providers. The competent authorities must validate the scope of this testing.
ICT third-party risk management
DORA requires financial entities to manage ICT third-party risk as an integral component within their ICT risk management framework and in accordance with the principles defined. These principles include the following:
- The principle of proportionality when managing risk, taking into account the scale, complexity and importance of ICT-related dependencies; and the risks arising from contractual arrangements, taking into account the criticality or importance of the respective service, process or function, and the potential impact on the continuity and quality of financial services and activities at individual and group levels;
- Adopt an ICT third-party risk strategy and review it regularly; and
- The principle that financial entities shall maintain and update at the entity, sub-consolidated and consolidated levels a register of information concerning all contractual arrangements with ICT third-party service providers.
Critical third-party providers
DORA introduces an oversight framework for critical ICT third-party providers (CTTP), outlining specific criteria for designating a third-party as critical. CTPPs will be charged a fee to cover oversight costs. The oversight framework includes the provision of a ‘lead overseer’ for each CTPP, who will have the power to:
- conduct general investigations and inspections and request documentation;
- request reports after the completion of oversight activities specifying the remediation actions taken;
- address recommendations towards ICT CTPPs on, for example, the use of conditions and terms to minimise possible systemic impact;
- impose a periodic penalty payment to compel the CTPP to comply (a daily penalty of 1% of the prior year’s turnover for a maximum of six months); and
- request the termination of contractual arrangements with relevant firms if a CTTP opposes an inspection.
Information-sharing
DORA encourages financial entities to exchange among themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools, to the extent that such information and intelligence sharing enhances the digital operational resilience of financial entities and is implemented through arrangements that protect the potentially sensitive nature of the information shared. The information-sharing arrangements should also define the conditions for participation, and financial entities must notify the competent authorities of their involvement in such information-sharing arrangements.
Technical standards
By July 2024, the final Regulatory Technical Standards and the Implementing Technical Standards will be published in relation to:
Incident management: reporting content for major ICT-related incidents and conditions under which an entity can delegate, on receipt of approval, reporting obligations to a service provider.
Digital operational resilience: criteria for testing all critical applications at least yearly and requirements concerning the scope of threat-led penetration testing, testing methodology, approach, results, remediation and closure.
Third-party risk management: details on the content for policies in relation to contractual arrangements and the types of information to be included in the register of information.
Preparing for DORA with confidence
DORA introduces new expectations, but also a chance to strengthen how your organisation manages digital risk.
Our dedicated IT Risk, Cybersecurity, and Project Management experts work alongside you at every stage, from readiness assessments to full implementation. We bring the structure, insights and experience needed to help you move forward with clarity and stay ahead of evolving expectations.
Where we support you
- Readiness assessments
- Implementation plans
- Project implementation
- Threat-Led Penetration Testing (TLPT)
- Governance, risk and compliance (GRC) services
Readiness assessments
Your first step toward compliance starts with understanding where you are now. Our readiness assessment and gap analysis examine the maturity of your ICT and cyber risk management practices. Pinpointing where you align with DORA, and where adjustments are needed.
While existing frameworks like NIS2, the EBA Guidelines on Operational Resilience and Cross-Industry Guidance on Outsourcing may provide a solid foundation, DORA’s requirements are more prescriptive. So, while these will be a useful starting point, they will not guarantee compliance with DORA.
Implementation plans
Once gaps are identified, we work with you to build a clear and actionable implementation roadmap. This plan outlines how to meet DORA’s requirements by January 2025, defining responsibilities, setting milestones, and ensuring every step is traceable and achievable.
Given the scope of the regulation, plans often involve enhancing current processes and controls, introducing new policies, and strengthening documentation. We help prioritise and structure those efforts, so you stay on track and ahead of deadlines.
Project implementation
Executing a DORA compliance plan alongside your day-to-day business can be complex. Our experienced teams support the delivery of each workstream, with clearly defined deliverables, timelines and ownership. We help monitor progress, anticipate bottlenecks, and keep everything moving.
Having supported organisations of all sizes, we bring insights into what works—and what to watch out for, so you can deliver your programme with confidence and clarity.
Threat-Led Penetration Testing (TLPT)
Strengthen your cyber security readiness with our TLPT services, aligned to DORA’s requirements. We simulate real-world cyberattacks to assess your defences, detect vulnerabilities, and test how your systems respond under pressure.
Using global threat intelligence and advanced tooling, we emulate the tactics of real threat actors, so you can proactively improve your resilience and comply with evolving regulations.
Governance, risk and compliance (GRC) services
Tackle the complexity of governance, risk and compliance with confidence. Our tailored GRC services help you design strong governance structures, build proactive risk frameworks, and ensure alignment with DORA, NIS2, and other regulatory expectations.
With a continuous monitoring approach, we help you stay compliant, reduce disruption, and build long-term value, so you can grow securely in a constantly changing environment.
The most important in 30 seconds
Why is DORA relevant?
DORA will apply to more than 22,000 financial entities and ICT service providers operating within the EU. The regulation will introduce specific and prescriptive requirements for all financial market participants including e.g. banks, investment firms, insurance undertakings and intermediaries, crypto asset providers, data reporting providers and cloud service providers.
DORA ensures a consistent provision of services across the entire value chain by introducing an end-to-end holistic framework for effective Risk management, ICT and cyber security operational capabilities, and Third Party management.
DORA’s five key pillars: ICT Risk Management, ICT-related Incident Management; Digital Operational Resilience Testing, ICT Third Party Risk Management, and Information Sharing Arrangements.
The regulation is unique in introducing a Union-wide Oversight Framework on critical ICT third-party providers, as designated by the European Supervisory Authorities (ESAs).
When will DORA be enforced?
DORA entered into force on 16 January 2023. With an implementation period of two years, financial entities will be expected to be compliant with the regulation by 17th January 2025.
DORA – Turning compliance into a competitive advantage
DORA presents both a challenge, and a real opportunity, for financial institutions across the EU. Its consistent, EU-wide requirements mean you’ll need to maintain a strong, unified level of cyber security and operational resilience across all your operations.
A comprehensive gap assessment can help you understand your current maturity, pinpoint areas needing investment, and set clear priorities.
Once you’ve made all the necessary assessments, you’ll be in a stronger position to tackle more complex requirements like third-party risk, threat intelligence, and advanced security testing—all while gaining a strategic edge in a highly competitive market.
DORA will set the regulatory focus on 5 key pillars
- ICT Risk Management
- ICT-related Incident Management
- Digital Operational Resilience Testing
- ICT Third-Party Risk Management
- Information Sharing
ICT Risk Management
Financial entities are required to set up a comprehensive ICT risk management framework, including:
set-up and maintain resilient ICT systems and tools that minimise the impact of ICT risk,
identify, classify and document critical functions and assets,
continuously monitor all sources of ICT risks in order to set-up protection and prevention measures,
establish prompt detection of anomalous activities,
put in place dedicated and comprehensive business continuity policies and disaster and recovery plans, incl. yearly testing of the plans, covering all supporting functions,
establish mechanisms to learn and evolve both from external events as well as the entity’s own ICT incidents.
ICT-related Incident Management
Financial entities are required to:
develop a streamlined process to log/classify all ICT incidents and determine major incidents according to the criteria detailed in the regulation and further specified by the European Supervisory Authorities (EBA, EIOPA and ESMA),
submit an initial, intermediate and final report on ICT-related incidents,
harmonise the reporting of ICT-related incidents through standard templates as developed by the ESAs.
Digital Operational Resilience Testing
The regulation requires all entities to:
annually perform basic ICT testing of ICT tools and systems,
identify, mitigate and promptly eliminate any weaknesses, deficiencies or gaps with the implementation of counteractive measures,
periodically perform advanced Threat-Led Penetration Testing (TLPT) for ICT services which impact critical functions. ICT third-party service providers are required to participate and fully cooperate in the testing activities.
ICT Third-Party Risk Management
Financial entities are required to:
ensure sound monitoring of risks emanating from the reliance on ICT third-party providers,
report their complete register of outsourced activities, incl. intra-group services and any changes to the outsourcing of critical services to ICT third party service providers,
take account of IT concentrating risk and risks arising from sub-outsourcing activities
harmonise key elements of the service and relationship with ICT third-party providers to enable a ‘complete’ monitoring,
ensure that the contracts with the ICT third-party providers contain all the necessary monitoring and accessibility details such as a full-service level description, indication of locations where data is being processed, etc.,
critical ICT third-party service providers will be subject to a Union Oversight Framework, which can issue recommendations on the mitigation of identified ICT risks. Financial entities must consider the ICT third-party risks of their service provider who do not follow the defined recommendation.
Information Sharing
The regulation encourages financial entities to set-up arrangements amongst themselves to exchange cyber threat information and intelligence,
The supervisory authority will provide relevant anonymized information and intelligence on cyber threats to financial entities. Therefore, entities should implement mechanisms to review and take action on the information shared by the authorities.
Contact us
