Digital Operational Resilience Act (DORA)

The new regulatory framework is now fully applicable as of 17.01.2025 for financial institutions that are subject to DORA.

Do you already have a dedicated roadmap to continuously enhance your security and resilience and comply with DORA as a whole?

The Digital Operational Resilience Act (DORA) is the European framework for the effective and all-inclusive management of digital risks in the financial markets. It applies to more than 22,000 financial entities and ICT service providers within the EU.

DORA introduces an end-to-end, holistic framework covering effective risk management, ICT and cyber security operational capabilities, ICT incident management and third-party management, ensuring a consistent provision of services across the entire value chain.

By introducing a single, consistent supervisory approach across the relevant sectors (in Austria, the Austrian Financial Market Authority (FMA) is the competent regulator), DORA aims to ensure that financial services firms can maintain resilient operations throughout a severe operational disruption caused by a cybersecurity or ICT incident.

Although DORA has applied to financial institutions since 17.01.2025, digital transformation and technology implementation initiatives, as well as additional managed services, automation and the use of AI, are expected to remain a top priority to further enhance resilience and support compliance with the regulation.

Stay up to date on significant developments around DORA!

We've got you covered! Send us your contact data and we will provide you with regular news, updates and good market practices related to DORA.


Which organisations are in scope?

  • With its holistic approach, DORA addresses a wide range of financial institutions. Not only banks and insurance firms, which were already familiar with such regulation through the EBA / EIOPA guidelines on ICT security and outsourcing, but also central market infrastructures, credit risk agencies, crypto-asset service providers, investment and management firms, pension firms, payment service providers, trade repositories and trading venues fall within the scope of the new framework.

  • FinTechs and start-ups are not exempted on account of their limited size if they operate as one of the entity types named in the DORA regulation. Firms that employ fewer than 10 persons and stay below an annual turnover limit are, however, subject to a lighter set of requirements.

  • ICT providers - including cloud service providers - that deliver services to financial institutions can now become subject to the Oversight Framework if they are designated as a 'critical ICT provider'. Although the criteria for designating critical ICT providers have already been developed by the ESAs, the actual designation of those ICT providers will first depend on the 'registers of information' submitted by financial entities across Europe in April 2025.


What is the scope? Which particular topics are to be addressed?

ICT Risk Management

Financial entities are required to set up a comprehensive ICT risk management framework, including:

  • set-up and maintenance of resilient ICT systems and tools that minimise the impact of ICT risk,
  • identification, classification and documentation of critical functions and assets,
  • continuous monitoring of all sources of ICT risk in order to set up protection and prevention measures,
  • prompt detection of anomalous activities,
  • establishment of dedicated and comprehensive business continuity policies and disaster recovery plans, including yearly testing of the plans, covering all supporting functions,
  • establishment of mechanisms ensuring that entities learn from and evolve on the basis of both external events and the entity's own ICT incidents.

Further Level 2 technical standards of the regulatory framework developed by the European Supervisory Authorities

DORA tasks the European Supervisory Authorities (EBA, EIOPA and ESMA) with defining further technical standards and guidelines under Level 2 acts that will provide additional guidance to financial institutions. Please note that the list below does not include the technical standards that belong to the Oversight Framework for critical ICT providers.

Level 2 Regulatory Technical Standard | DORA Article | EUC adoption date | Link
--- | --- | --- | ---
ICT risk management tools, methods, processes and policies, and the simplified ICT risk management framework | Art. 15(4), Art. 16(3)(4) | March 2024 | Legal Text
Specifications on the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers | Art. 28(10)(3) | March 2024 | Legal Text
Classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents | Art. 18(4)(3) | March 2024 | Legal Text
Standard templates for the register of information on contractual arrangements related to ICT services | Art. 29(9) | November 2024 | Legal Text
Content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats | Art. 20(3) | | Legal Text
Specification of the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions | Art. 30(5) | | Legal Text (pdf, 25 MB)
Specification of elements related to threat-led penetration tests | Art. 26(11) | | Legal Text (pdf, 25 MB)
Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents | Art. 11(11) | | Legal Text

Our PwC services can further enhance your DORA compliance while supporting your digital transformation initiatives to boost your resilience.

Here's how:

Mandatory regular trainings

DORA requires:

Financial institutions must establish training programmes for ICT security awareness, digital operational resilience and ICT upskilling, as well as regular ICT risk trainings for management and supervisory boards, to ensure continuous learning and preparation for the evolving threat landscape.

Our services:

  • Security awareness trainings for your organisation

  • Dedicated technical ICT upskilling trainings tailored to the needs of your ICT teams and your Internal Audit teams, giving them the competence required for internal ICT audits under the DORA ICT risk management framework

  • Fit & proper trainings for your management teams

  • Digital operational resilience trainings for your key personnel

  • Review of your HR training and competency management frameworks for employees and third-party providers to align them with DORA requirements

Targeted workshops

We offer targeted workshops tailored to your current process maturity level:

  • DORA introductory workshops for management, focusing on the strategic DORA requirements

  • Explanation of the differences from the existing EBA / EIOPA / PSD2 guidelines and of the additional requirements that DORA brings

  • In-depth technical workshops on specific DORA pillars to ensure acceptance at all levels of the organisation

  • Internal controls and templates

  • And much more!

Maturity and fit-gap assessments

Our maturity assessments ensure that you can define your implementation roadmap clearly and simply.

  • We carry out different analyses, adapted to your compliance status:

    1. Full DORA fit-gap analysis
    2. Focus on the additional DORA requirements compared with the existing EBA / EIOPA guidelines
    3. Analysis of the implementation of specific technical standards

  • Bottom-up process reviews, based on guided interviews and document-based analysis

  • Strategic top-down resilience planning

  • Clear prioritisation of recommendations

  • Linkage to other existing regulations and guidelines

Cyber Compliance Dashboard

At PwC Austria, the Cybersecurity team has a clear focus on IT and information security regulations and guidelines, which is why we have developed our own Cyber Compliance Dashboard. It enables you to:

  • Identify your regulatory cybersecurity risks

  • Compare the regulatory requirements

  • Break down and analyse content by roles, functions and security frameworks

  • Use sample internal controls and other templates

Roadmap for implementing DORA

Starting from your current process landscape, we create a roadmap with which you achieve the desired level of resilience while meeting the DORA requirements and regulatory expectations.

  • Prioritisation of gaps and recommendations, including their effort and interdependencies

  • Development of a fit-for-purpose framework for digital operational resilience

  • Optimisation and streamlining of processes

  • Fulfilment of the DORA requirements in line with regulatory expectations

Once the plan is in place, we can support you in implementing it with our expertise and tools.

A long road ahead

One that is by no means a one-shot compliance initiative. Given its complexity and the further Level 2 regulatory standards still to be set up, DORA requires regular steering and alignment in the coming years.

Let us be the reliable partner that keeps you on the compliance path with clear guidance and regular steering for DORA over the years to come.


Contact us for your DORA compliance!

Let us enable you with our broad DORA services portfolio


Contact us

Georg Beham

Partner, Cybersecurity & Privacy Leader, PwC Austria

Tel: +43 732 611750

Peter Kleebauer

Senior Manager, Cybersecurity & Privacy, PwC Austria

Tel: +43 699 16305907

Serhat Ada

Manager, Cybersecurity & Privacy, PwC Austria

Tel: +43 676 833 771 114