The Digital Operational Resilience Act (DORA) is the European framework for effective and all-inclusive management of digital risks in Financial Markets and applies to more than 22.000 financial entities and ICT service providers within the EU.
DORA introduces an end-to-end holistic framework of effective Risk management, ICT and cyber security operational capabilities, ICT incident management, Third Party management, ensuring a consistent provision of services across the entire value chain.
By introducing a single consistent supervisory approach across the relevant sectors, where the Austrian Financial Market Authority (FMA) is the regulator in Austria , DORA aims to assure that financial services firms can maintain resilient operations through a cybersecurity or ICT incident of severe operational disruption.
Although DORA is applicable since 17.01.2025 for financial institutions, digital transformation and technology implementation initiatives as well as additional managed services, automation and leveraging the AI are expected still to be a top-priority to further enhance resilience and support compliance to the regulation.
Which organizations are in scope?
DORA with a holistic approach has a wide scope of financial institutions addressed. Not only banks and insurance firms who were already familiar to such regulations with EBA / EIOPA guidelines on ICT security and outsourcing, but also central market infrastructures, credit risk agencies, crypto-asset service providers, investment and management firms, pension firms, payment service providers and trade repositories and venues are within the radar of the new framework.
FinTech's and start-ups due to their limited size are not exempted, if they operate under the entity types named under DORA regulation. Those firms that employ fewer than 10 persons together with an annual turnover limitation however are subject to a lighter scope of requirements.
ICT providers - including cloud service providers - provisioning services for financial institutions can be now subject to the Oversight Framework, if they would be designated as ‘critical ICT provider’. Although criteria for designation of critical ICT providers were already developed by the ESAs, the actual designation of those ICT providers will depend on the «registers of information» submitted by financial entities throughout Europe in April 2025 first.
What is the scope? Which particular topics are to be addressed?
- ICT Risk Management
- ICT-Related Incident Reporting
- Digital Operational Resilience Testing
- ICT Third-Party Risk Management
- Information Sharing
ICT Risk Management
Financial entities are required to set up a comprehensive ICT risk management framework, including:
- set-up and maintenance of resilient ICT systems and tools that minimise the impact of ICT risk,
- identification, classification and documentation of critical functions and assets,
- continuous monitoring of all sources of ICT risks in order to set-up protection and prevention measures,
- prompt detection of anomalous activities,
- establishment of dedicated and comprehensive business continuity policies and disaster and recovery plans, incl. yearly testing of the plans, covering all supporting functions,
- establishment of mechanisms prompting that entities learn from and evolve on both from external events as well as the entity’s own ICT incidents.
Further level 2 technical standards of the regulatory framework
developed by European Supervisory Authorities
DORA tasks European Supervisory Authorities (EBA, EIOPA and ESMA) to define further technical standards and guidelines under level 2 acts that will further guide financial institutions. Please note that the list does not include those technical standards that are within the Oversight Framework for critical ICT providers.
| Level 2 Regulatory Technical Standard | DORA Article | EUC adoption date | Link |
|---|---|---|---|
| ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework | Art. 15(4), Art. 16(3)(4) | March 2024 | Legal Text |
| Specifications on the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers | Art. 28(10)(3) | March 2024 | Legal Text |
| Classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents | Art. 18(4)(3) | March 2024 | Legal Text |
| Standard templates for register of information on contractual agreements related to ICT services | Article 29(9) | November 2024 | Legal Text |
| Content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats | Art. 20(3) | Legal Text | |
| Specification of the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions | Art. 30(5) | Legal Text (pdf, 25 MB) | |
| Specification of elements related to threat led penetration tests | Art. 26(11) | Legal Text (pdf, 25 MB) | |
| Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents | Art. 11(11) | Legal Text |
Our PwC services can further enhance your DORA compliance,
while supporting your digital transformation initiatives to boost your resilience.
Here's how:
- Mandatory regular trainings
- ICT audits for you and your ICT providers
- Digital operational resilience strategy
- DORA gap and compliance assessments
- Third party risk management & register of information
- Incident management
- Threat-led penetration testing (TLPT)
- Resilience testing framework and program
- Business and ICT continuity
Mandatory regular trainings
DORA requires:
Establishing training programme for ICT security awareness, digital operational resilience, ICT upskilling, as well as regular trainings for Management and Supervisory boards related to ICT risk by financial institutions, to ensure continuous learning and preparation for the evolving threat landscape.
Our services:
Security awareness trainings for your organization
Dedicated technical ICT upskilling trainings tailored for the needs of your ICT teams as well as your Internal Audit teams to enable them sufficient competence for internal ICT audits by DORA ICT risk management framework
Fit & proper trainings for your management teams
Digital operational resilience trainings for your key personnel
Review your HR training and competency management frameworks for employees and third-party providers to align with DORA requirements
Contact us
