Site Search Site Search

Menu

Events (de)

Loading Results

Digital Operational Resilience Act (DORA)

The new regulatory framework is now fully applicable as of 17.01.2025 for financial institutions that are subject to DORA.

Do you already have a dedicated roadmap to continuously enhance your security and resilience and comply with DORA as a whole?​

The Digital Operational Resilience Act (DORA) is the European framework for effective and all-inclusive management of digital risks in Financial Markets and applies to more than 22.000 financial entities and ICT service providers within the EU.​

DORA introduces an end-to-end holistic framework of effective Risk management, ICT and cyber security operational capabilities, ICT incident management, Third Party management, ensuring a consistent provision of services across the entire value chain.​

By introducing a single consistent supervisory approach across the relevant sectors, where the Austrian Financial Market Authority (FMA) is the regulator in Austria , DORA aims to assure that financial services firms can maintain resilient operations through a cybersecurity or ICT incident of severe operational disruption.​

Although DORA is applicable since 17.01.2025 for financial institutions, digital transformation and technology implementation initiatives as well as additional managed services, automation and leveraging the AI are expected still to be a top-priority to further enhance resilience and support compliance to the regulation.

Required fields are marked with an asterisk(*)

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.

Which organizations are in scope?​

  • DORA with a holistic approach has a wide scope of financial institutions addressed. Not only banks and insurance firms who were already familiar to such regulations with EBA / EIOPA guidelines on ICT security and outsourcing, but also central market infrastructures, credit risk agencies, crypto-asset service providers, investment and management firms, pension firms, payment service providers and trade repositories and venues are within the radar of the new framework.​

  • FinTech's and start-ups due to their limited size are not exempted, if they operate under the entity types named under DORA regulation. Those firms that employ fewer than 10 persons together with an annual turnover limitation however are subject to a lighter scope of requirements.​

    ICT providers - including cloud service providers - provisioning services for financial institutions can be now subject to the Oversight Framework, if they would be designated as ‘critical ICT provider’. Although criteria for designation of critical ICT providers were already developed by the ESAs, the actual designation of those ICT providers will depend on the «registers of information» submitted by financial entities throughout Europe in April 2025 first.

DORA - Digital Operational Resilience Act | Which organisations are in scope? ICT Risk Management, Incident Reporting, Oversight Framework of critical ICT providers

What is the scope? Which particular topics are to be addressed?

ICT Risk Management

Financial entities are required to set up a comprehensive ICT risk management framework, including: 

  • set-up and maintenance of resilient ICT systems and tools that minimise the impact of ICT risk,
  • identification, classification and documentation of critical functions and assets,
  • continuous monitoring of all sources of ICT risks in order to set-up protection and prevention measures,
  • prompt detection of anomalous activities, 
  • establishment of dedicated and comprehensive business continuity policies and disaster and recovery plans, incl. yearly testing of the plans, covering all supporting functions,
  • establishment of mechanisms prompting that entities learn from and evolve on both from external events as well as the entity’s own ICT incidents.
Risk identification

ICT-Related Incident Reporting

Financial entities are required to:

  • develop a streamlined process to log/classify all ICT-related incidents and determine major incidents according to the criteria detailed in the regulation and further specified by the European Supervisory Authorities (EBA, EIOPA and ESMA),
  • submit an initial, intermediate and final report on ICT-related incidents,
  • harmonise the reporting of ICT-related incidents through standard templates as developed by the ESAs.
Incident Reporting

Digital Operational Resilience Testing

The regulation requires all entities to:

  • annually perform basic ICT testing of ICT tools and systems,
  • identify, mitigate and promptly eliminate any weaknesses, deficiencies or gaps by implementing counteractive measures,
  • periodically perform advanced Threat-Led Penetration Testing (TLPT) for ICT services which impact critical functions. ICT third-party service providers are required to participate and fully cooperate in the testing activities. 
Resilience Testing

ICT Third-Party Risk Management

Financial entities are required to: 

  • ensure sound monitoring of risks emanating from the reliance on ICT third-party providers,
  • report their complete register of outsourced activities, incl. intra-group services and any changes to the outsourcing of critical services to ICT third-party service providers,
  • take account of IT concentration risk and risks arising from sub-outsourcing
  • harmonise key elements of the service and relationship with ICT third-party providers to enable a ‘complete’ monitoring,
  • ensure that the contracts with the ICT third-party providers contain all the necessary monitoring and accessibility details such as a full-service level description, indication of locations where data is being processed, etc.,
  • critical ICT third-party service providers will be subject to a Union oversight framework allowing for the competent authorities to issue recommendations on the mitigation of identified ICT risks. Financial entities must consider the ICT third-party risks of their service provider not abiding by the defined recommendation.
third party reporting

Information Sharing

  • The regulation allows financial entities to set-up arrangements amongst themselves to exchange cyber threat information and intelligence.
  • The supervisory authority will provide relevant anonymised information and intelligence on cyber threats to financial entities. Therefore, entities should implement mechanisms to review and take action on the information shared by the authorities.
Information sharing

Further level 2 technical standards of the regulatory framework

developed by European Supervisory Authorities

DORA tasks European Supervisory Authorities (EBA, EIOPA and ESMA) to define further technical standards and guidelines under level 2 acts that will further guide financial institutions. Please note that the list does not include those technical standards that are within the Oversight Framework for critical ICT providers.​

Level 2 Regulatory Technical Standard DORA Article EUC adoption date Link
ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework Art. 15(4), Art. 16(3)(4)​ March 2024​ Legal Text
Specifications on the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers Art. 28(10)(3)​ March 2024​ Legal Text
Classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents Art. 18(4)(3)​ March 2024​ Legal Text
Standard templates for register of information on contractual agreements related to ICT services Article 29(9)​ November 2024​ Legal Text
Content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats Art. 20(3)​   Legal Text
Specification of the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions Art. 30(5)​   Legal Text (pdf, 25 MB)
Specification of elements related to threat led penetration tests Art. 26(11)​   Legal Text (pdf, 25 MB)
Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents Art. 11(11)​   Legal Text
DORA - Digital Operational Resilience Act | Level 2 Regulatory Technical Standard

Our PwC services can further enhance your DORA compliance,

while supporting your digital transformation initiatives to boost your resilience.

Here's how:

Mandatory regular trainings

DORA requires:

Establishing training programme for ICT security awareness, digital operational resilience, ICT upskilling, as well as regular trainings for Management and Supervisory boards related to ICT risk by financial institutions, to ensure continuous learning and preparation for the evolving threat landscape.​

Our services:​

  • Security awareness trainings for your organization​

  • Dedicated technical ICT upskilling trainings tailored for the needs of your ICT teams as well as your Internal Audit teams to enable them sufficient competence for internal ICT audits by DORA ICT risk management framework​

  • Fit & proper trainings for your management teams​

  • Digital operational resilience trainings for your key personnel​

  • Review your HR training and competency management frameworks for employees and third-party providers to align with DORA requirements

ICT audits for you and your ICT providers

DORA requires:

Regular ICT audits on the ICT risk management framework, including those for ICT third-party providers supporting critical or important functions when a financial entity outsources any of its ICT services. Those audits must be conducted by personnel with sufficient ICT competence and experience.​

Our services:​

  • Support you and your internal audit teams in developing a regular multi-year ICT audit program to be executed on yearly basis​

  • Conducting ICT audits based on the ICT risk management framework of DORA, executed by our top ICT and DORA experts​

  • Dedicated DORA ICT audits for your critical ICT third-party providers to ensure their controls satisfy DORA requirements

Digital operational resilience strategy

DORA requires:

Development of a digital operational resilience strategy framework (aligned with the business strategy) to drive continuous improvement for higher resilience in the organization, learning from experiences, risks, and incidents that have occurred.​

Our services:​

  • Establish a digital operational resilience strategy framework through dedicated workshops​

  • Support you developing a strategic and tactical roadmap for your resilience strategy

DORA gap and compliance assessments

It is our recommendation to conduct a post-implementation compliance check related to DORA, at least once in the first year of the regulation, and then every few years as part of your digital operational resilience testing program.​

Our services:​

  • Dedicated and proportional FIT/GAP assessments on your policy framework and the controls implemented, to ensure all DORA requirements are appropriately satisfied.​

  • Compliance dashboard that helps you to prioritize, track and mitigate the gaps identified, together with the relevant risks they pose.​

Third party risk management & register of information

DORA requires:

Development and implementation of a framework to manage the full life cycle of ICT third-party providers, from initial demand to termination. It is also required to document these agreements, along with additional information, in a dedicated register of information to be reported to regulators at least yearly.​

Our services:​

  • Developing a dedicated third-party risk management framework with you, proportional to your firm and services, ensuring appropriate categorization of ICT third-party providers and their criticality, relevant contractual clauses, and measures to manage these providers regularly based on their criticality, substitutability, and complexity of services provided​

  • Assist you in populating, reviewing, and updating the DORA register of information in line with regulatory expectations, using key risk indicators to highlight any weaknesses we then recommend you to focus on with specific mitigation strategies​

  • Legal advice in connection with the drafting, review and/or negotiation of DORA compliant ICT third-party service contracts (or other legal questions related to DORA) provided by our lawyers who also have deep expertise in DORA framework​

  • AI-based automated assessment of your ICT third-party service contracts (as well as those that support critical or important functions) to confirm that they satisfy contractual clause requirements of DORA​

Incident management

DORA requires:

By January 17, 2025, financial institutions must classify ICT incidents according to the DORA incident classification schema and report these incidents to regulatory authorities promptly. An end-to-end approach ensuring integration with ICT continuity plans as well as ICT response and recovery plans is needed, which aligns with business continuity and disaster recovery plans.​

Our services:​

  • Early warning service (EWaS) providing you a "head start" in detecting potential ICT incidents​

  • Incident response retainer services providing you assurance with immediate incident response and recovery​

  • Testing your preparedness with tabletop incident exercises, including DORA classification and reporting simulations for a relevant scenario that you select from your risk scenario assessments

Threat-led penetration testing (TLPT)

DORA requires:

Financial entities to plan and conducted dedicated threat-led penetration tests for all their critical or important functions every three years.​

Our services:​

  • Comprehensive end-to-end Threat-Led Penetration Testing (TLPT) exercises conducted by our local and global security experts, featuring certified offensive security experts to assist you through the preparation, threat intelligence, red team and closure phases.​

  • Provide support through our local red team.​

  • Enhance your capabilities with dedicated threat intelligence, leveraging our global threat intelligence services.​

  • Deliver expert Control Team support.

Resilience testing framework and program

DORA requires:

Establish and maintain a comprehensive digital operational resilience testing policy and programme with yearly testing plans, their documentation and reporting.​

Our services:​

  • Develop a resilience testing framework together with you, ensuring it fits your size, complexity, and the market risk you pose​

  • Provide dedicated testing plan templates to establish a solid baseline for your tests​

  • Support the execution of various resilience test types, such as penetration testing, architecture reviews, and exit and transition plans for third-party providers supporting critical or important functions

Business and ICT continuity

DORA requires:

Implement a comprehensive ICT continuity framework, supported by continuity plans as well as response and recovery plans. ICT continuity must be part of overall business continuity and the criticality of business functions designated with BIA and dedicated criticality assessments..​

Our services:​

  • Increase process maturity on BIA and criticality assessments with our good practices that not only ensure DORA compliance, but also provide you a concrete, objective and well-documented criticality schema that delivers a proportionality. ​

  • Oganize and orchestrate dedicated continuity tests and table-top exercises, including crisis scenarios in order to increase awareness throughout the organization and highlight improvement areas with prioritization.​

  • Support you drafting your ICT continuity plans and ICT response and recovery plans.

Gezielte Workshops

Wir bieten gezielte Workshops an, die auf Ihren aktuellen Prozessreifegrad abgestimmt sind:

  • DORA-Einführungsworkshops für das Management mit Schwerpunkt auf die strategischen DORA-Anforderungen

  • Erläuterung der Unterschiede zu den bestehenden EBA-/EIOPA-/PSD2-Richtlinien und der zusätzlichen Anforderungen, die DORA mit sich bringt

  • Vertiefende technische Workshops zu spezifischen DORA-Säulen, um die Akzeptanz auf allen Organisationsebenen sicherzustellen

  • Interne Kontrollen und Vorlagen

  • Und vieles mehr!

Reifegrad- und Fit-Gap-Bewertungen

Unsere Reifegradbewertungen sorgen dafür, dass Sie Ihren Implementierungsfahrplan klar und einfach festlegen können.

  • ​Wir führen unterschiedliche Analysen, angepasst an Ihren Compliance Stand, durch:
     

    1. Vollständiger DORA Fit-Gap
    2. Fokussierung auf zusätzliche DORA-Anforderungen gegenüber bestehenden EBA/EIOPA-Richtlinien
    3. Analyse der Umsetzung von spezifischen technischen Standards

  • Bottom-Up-Prozessüberprüfungen, basierend auf angeleiteten Interviews sowie dokumentenbasierter Analyse

  • Strategische top-down Resilienzplanung

  • Klare Priorisierung der Empfehlungen

  • Verknüpfung mit anderen bestehenden Verordnungen und Richtlinien

Cyber Compliance Dashboard

Bei PwC Österreich haben wir im Cybersecurity-Team einen klaren Fokus auf IT- und Informationssicherheitsvorschriften und -richtlinien, weshalb wir ein eigenes Cyber-Compliance-Dashboard entwickelt haben, das es Ihnen ermöglicht:

  • Ihre regulatorischen Cybersecurity-Risiken zu identifizieren

  • Die regulatorischen Anforderungen zu vergleichen

  • Inhalte nach Rollen, Funktionen und Sicherheitsrahmenwerken aufzuteilen und zu analysieren

  • Exemplarische interne Kontrollen und sonstige Templates zu nutzen

Fahrplan für die Implementierung von DORA

Ausgehend von Ihrer aktuellen Prozesslandschaft erstellen wir einen Fahrplan, mit der Sie die gewünschte Ausfallsicherheit erreichen und gleichzeitig die DORA-Anforderungen und regulatorischen Erwartungen erfüllen.

  • Priorisierung von Lücken und Empfehlungen sowie deren Aufwand und Zusammenhänge

  • Entwicklung eines zweckmäßigen Rahmens für die digitale operative Belastbarkeit

  • Optimierung und Rationalisierung von Prozessen

  • Erfüllung der DORA-Anforderungen in Übereinstimmung mit den regulatorischen Erwartungen

Sobald der Plan feststeht, können wir Sie bei der Umsetzung mit unserem Fachwissen und unseren Tools unterstützen.

A long road ahead

One that is by no means a one-shot compliance initiative. Given its complexity and further Level 2 regulatory standards to be set-up, DORA requires regular steering and alignment in the coming years.

Let us be the reliable partner that will keep you on the compliance path with clear guidance and regular steering for DORA over years to come.​

Required fields are marked with an asterisk(*)

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.

Contact us

Georg Beham

Georg Beham

Partner, Cybersecurity & Privacy Leader, PwC Austria

Tel: +43 732 611750

Linkedin Follow X Follow Email
Peter Kleebauer

Peter Kleebauer

Senior Manager, Cybersecurity & Privacy, PwC Austria

Tel: +43 699 16305907

Linkedin Follow Email
Serhat Ada

Serhat Ada

Manager, Cybersecurity & Privacy, PwC Austria

Tel: +43 676 833 771 114

Linkedin Follow Email
Hide
Services Industries Issues About us Careers Newsletter (de) Publications (de) Events (de)

© 2017 - 2025 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.