Digital Operational Resilience Act (DORA)

About DORA

In November 2022, the European Union (EU) adopted the Digital Operational Resilience Act (DORA) – an innovative regulatory framework that addresses the risks posed by the digital transformation of financial services as well as the increase in volume and severity of cyber attacks within the sector. DORA entered into force at the start of 2023 and has applied since 17 January 2025, the date from which financial entities are expected to be compliant.

DORA is based on five pillars impacting financial entities:

  1. The management of risks related to Information and Communication Technologies (ICT)
  2. The management of incidents related to ICT
  3. The testing of their digital operational resilience
  4. The management of risks related to third-party service providers providing ICT services
  5. Information-sharing arrangements

Additionally, under the 4th pillar, DORA sets out how competent authorities will oversee ICT third-party service providers designated as "Critical" for the financial sector at European level.

DORA is also a full package of 10 delegated acts (RTS), 2 implementing acts (ITS) and guidelines that complete the Regulation, showing the broad coverage, granularity and complexity of the framework applicable to financial entities.


Who is impacted?

More than 22,000 financial institutions and ICT service providers based in the EU will be subject to DORA. All financial market participants including banks, payment institutions, investment companies, as well as insurance companies and intermediaries, will be subject to the regulatory framework introduced by DORA.

Additionally, the European Supervisory Authorities (ESAs) designate Critical ICT Third-Party Service Providers (CTPPs), whose disruption or failure to provide services would greatly impact the financial sector. These CTPPs also fall under the supervision of the ESAs under DORA.

Competent authorities of the Member States will ensure compliance oversight and enforce the regulation, where necessary through administrative penalties and remedial measures on members of the management body of the financial entity in question.

Financial entities in scope include:

  • Credit institutions
  • Payments and e-money providers
  • Insurance and reinsurance providers
  • Insurance intermediaries
  • Capital markets entities
  • Investment firms
  • Pension Funds
  • Crowdfunding service providers
  • Securitisation repositories
  • Credit rating agencies


What is digital operational resilience?

DORA introduces a five-pillar framework of ICT Risk Management, Incident Reporting, Operational Resilience Testing, Third-Party Risk Management (TPRM) and information-sharing, ensuring a consistent provision of services across the entire digital value chain.

ICT risk management framework

Under DORA, financial entities are required to set up a comprehensive ICT Risk Management Framework (ICT-RMF), which includes over 20 policies and procedures expected by the regulator, from ICT asset management to information security, and also covering HR, access management, and vulnerability and patch management. The framework also extends to additional exercises and assessments that require the creation of new methodologies, as well as documentation and review obligations for financial entities.

  • To manage their ICT risks effectively, financial entities are also required to maintain a comprehensive view of their own functioning and capabilities, with an established architecture of their functions, including the identification of critical or important functions (CIFs), the distribution of roles and responsibilities, the information assets used and processed, and the supporting technology assets.
  • Entities are also expected to bring a culture of risk to the ICT domain, by ensuring their risk framework is sufficiently adapted to and inclusive of ICT-specific aspects and that these are included in their risk appetite considerations. This also includes the management body, which must become more aware of ICT topics and their related risks in order to take decisions - the ICT domain is no longer delegated to the sole control or supervision of the IT department.
  • Operational resilience and ICT risk become a key component of the functioning of financial entities, integrated into their longer-term development vision under a Digital Operational Resilience Strategy that senior management has to develop and approve in order to drive stronger ICT risk management practice.
  • An ICT risk control function becomes mandatory for all financial entities, to ensure sufficient knowledge and expertise within the entity to control and review the management of ICT risks.
  • A new ICT risk report is also foreseen, which will have to be submitted to the authorities upon their request, or reviewed in the event of a major incident, containing information on how ICT risks have been managed, as well as on incidents and changes, over the period covered.

In order to meet these requirements, financial entities will therefore need to expand their existing resilience capabilities, clearly articulate their risk appetite for disruption, especially across CIFs, and adequately understand the interconnections between their delivery services and their ICT assets, processes and systems.

ICT incident classification and reporting

Under DORA, financial entities are subject to a novel classification, notification and reporting framework for ICT-related incidents, which will challenge existing collection, analysis and escalation processes within financial entities. As part of this novel framework and in line with the draft RTS, financial entities must:

  • Develop a streamlined process to detect, record and classify all major ICT-related incidents and significant cyberthreats, which requires mature incident management capabilities in order to monitor, handle and resolve all incidents.
  • Assess the impact of all ICT incidents and analyse their root causes. In particular, entities must now take into account the criteria provided by the European framework when assessing whether an incident is major, thanks to a set of defined impact thresholds that dictate whether the incident must be notified to the competent authority.
  • Pay particular attention to recurring incidents, for which dedicated measures must be defined to ensure their proper detection, resolution and reporting as applicable.
  • Notify major incidents to the competent authority in three stages (initial, intermediate, final), each with its own report.
  • Extend the notification obligation to any relevant third parties and stakeholders (clients, other financial entities, suppliers, etc.) in the event of a major ICT-related incident and provide them with information on mitigation measures. In the case of significant cyberthreats, financial entities shall inform clients who might be affected and provide information on appropriate protection measures. This also means that financial entities must be organised and have the means and proper plans to carry out such communication.

Obligations under DORA do not exclude other incident reporting obligations under relevant frameworks (e.g., GDPR, NIS 2, CERD, AI Act).

Operational resilience testing

DORA establishes digital operational resilience testing (ORT) requirements for financial entities, which will have to:

  • Set up an annual testing and exercising program covering their tools and systems, using various and appropriate testing methodologies such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing or end-to-end testing.
  • Annually conduct advanced security and resilience tests on critical ICT systems and applications, especially on those supporting critical or important functions.
  • Promptly eliminate any vulnerabilities, deficiencies or gaps through the implementation of mitigating measures.
  • For the entities and ICT third-party service providers designated by the authorities, periodically (at least every 3 years) conduct advanced Threat-Led Penetration Testing (TLPT). ICT third-party service providers supporting CIFs are required to participate and fully cooperate in these activities, something that is rarely done in exercises today.

In combination with the stringent BCM/DR requirements, ORT could evolve into a significant area of supervisory scrutiny and force financial entities to develop broader and more accurate testing and scenario analysis capabilities.

Third-party risk management

Under DORA, financial entities are legally obliged to implement TPRM requirements, including:

  • Putting in place a TPRM framework, including a definition of dedicated roles and responsibilities.
  • Ensuring the adequacy of potential service providers, by performing due diligence to collect sufficient information and risk assessments so as to properly identify the risks linked to the provision of services by third parties and the effectiveness of controls and mitigation measures on each party's side.
  • Ensuring that the contracts with ICT third-party providers contain all the necessary and binding contractual terms, including, for example, audit and access rights, monitoring, subcontracting and termination support. Where a service provider is unwilling to cooperate and help the financial entity comply, the financial entity is put at risk, and the contractual relationship may need to be reconsidered and terminated, causing significant operational and legal challenges.
  • Monitoring the performance of their ICT third-party providers and conducting (on-site) audits of those supporting CIFs. This also means having monitoring plans in place, agreeing on internal standards, defining KPIs that are adequate and bring value when tracked, and organising internal roles and responsibilities, notably a dedicated function in the second Line of Defence controlling and ensuring the proper implementation of oversight activities.
  • Notifying authorities of any new contractual arrangement for an ICT service supporting CIFs, considering the applicable local rules.
  • Understanding their dependencies on vendors by conducting concentration risk assessments, as well as their capacity to take over the service internally and the alternatives available on the market, by drafting and testing exit strategies and plans for all outsourcing contracts that support the delivery of CIFs.

Additionally, under this pillar, European Supervisory Authorities review and analyse on a yearly basis the registers of information provided by financial entities in order to identify and designate Critical ICT third-party service providers (CTPPs). Once designated, these CTPPs become subject to the oversight of European Supervisory Authorities.

What is an ICT service under DORA?

DORA provides for a broad definition of the ICT services that may fall under its scope, from hardware to software, from cloud to on-premise services, from network and telecommunication to ICT project management and development. That approach created a real shift in the way third-party service providers are considered compared to the previously applicable outsourcing framework, often resulting in a great extension of the number of contracts in scope of the regulatory obligations.

The Implementing Regulation (EU) 2022/2554 on the Register of Information provides us with an indication of which ICT services may fall under the definition:

  • ICT project management
  • ICT development
  • ICT help desk and first level support
  • ICT security management services
  • Provision of data
  • Data analysis
  • ICT, facilities and hosting services (excluding Cloud services)
  • Computation
  • Non-Cloud data storage
  • Telecom carrier
  • Network infrastructure
  • Hardware and physical devices (hardware-as-a-service)
  • Software licensing (excluding SaaS)
  • ICT Consulting
  • ICT Risk management
  • Cloud services: IaaS, PaaS, and SaaS

Cyberthreat intelligence and information sharing

DORA allows financial entities to set up arrangements amongst themselves in order to exchange cyberthreat information. The supervisory authority will provide relevant anonymised information and intelligence on cyberthreats to financial entities. As such, financial entities should implement mechanisms to review and take action on the information shared by the authorities.

How can PwC assist your organisation?

PwC can assist your organisation along the entire resilience journey towards compliance with DORA, from the assessment of your current readiness through to assisting you in the implementation of measures to meet the regulatory requirements and embed those in your risk, security, resilience and compliance management.

Document reviews and gap assessment

Your first step towards compliance starts with understanding where you are now. Our gap assessment methodology will examine your current framework and its maturity to identify compliance gaps and the maturity of your ICT risk management practice, incident management framework, testing programme, and TPRM. We will suggest room for improvement where needed, from both a regulatory compliance perspective and a best market practice one.

Have you already completed your DORA implementation? Our teams can support the annual review of your framework, giving you a trained external perspective on possible improvements!

Implementation and remediation support

Translating regulatory requirements into concrete controls and actions (such as revising framework documents, performing risk assessments, or defining new governance structures, roles, and responsibilities) can be challenging, especially when encountering these requirements for the first time or when long-term familiarity makes it difficult to identify areas for improvement.

Our experienced teams support the preparation of implementation plans, and can execute your DORA compliance project and implement best practices, supporting each pillar with clearly defined deliverables, timelines and ownership.

With experience supporting organisations of all sizes, we offer practical insights into effective strategies and potential pitfalls, empowering you to deliver your programme and improve your current practice and controls with confidence and clarity.

Risk & DORA methodology, documentation, reporting

DORA brings a lot of new assessments, from the identification of critical or important functions to major incidents or the testing of exit strategy and plans, as well as new documentation and reporting obligations such as the ICT risk report. Whether you need a new methodology or template, or would like a review of yours, we work together with you to find the most tailor-made and proportionate approach for you, in line with best market practices and regulatory expectations.

Incident response - managed services

We help you prepare your business to be resilient to incidents, investigate your ICT assets to detect and mitigate threats, respond to and handle your incidents, and investigate their root cause. At every stage we help you reinforce your resilience thanks to our Belgian and global team of experts, available 24/7 around the world and accessible through our hotline in times of crisis, and we guide you through the notification process in the event of a major ICT incident.

Crisis & continuity management

With strong expertise in crisis and continuity management, we help you prepare for, respond to, and emerge stronger from times of crisis. We guide you through and conduct with you the testing of your business continuity plans, and also provide you with the tools needed to respond to these events.

TPRM

The TPRM (Third-Party Risk Management) pillar is among the most demanding, consistently causing delays across remediation projects. Its expanded scope, now covering a broader range of services compared to the previous outsourcing framework, requires greater involvement across the organisation. More staff must be trained and engaged, more service providers contacted and persuaded to collaborate or renegotiate contracts, and more assessments and monitoring activities carried out. Additionally, both ad hoc and recurring document reviews become more frequent and complex.

Our expert team is equipped to support your repapering project, assisting with both coordination and execution of tasks related to the complete lifecycle of your contractual arrangements, including but not limited to:

  • Helping you draft and implement a "scoping" methodology, to better identify whether the services you receive from third parties fall within the scope of DORA (or other TPRM regulations).
  • Performing risk assessments on your service providers. We also help you review the adequacy and completeness of your ICT risk methodology and ICT risk taxonomy based on best market practices and regulatory expectations.
  • Engaging with your service providers to conduct due diligence: preparing the request for information, coordinating the process, and reviewing the responses and documents submitted to ensure they accurately meet your expectations and standards.
  • Bringing you best practices and a framework for monitoring the performance of your third parties, including setting up a monitoring plan and helping your teams identify and select the right indicators to track.
  • Reviewing your contractual arrangements, ensuring they align with regulatory expectations.
  • Drafting realistic and feasible exit strategies and plans, to better prepare you in case of an unexpected termination of a contractual agreement. We also support you with their annual testing and review to ensure they still represent the best approach to take in case of termination.

Internal audit

In today’s regulatory landscape, internal audit functions play a critical role in safeguarding digital resilience. PwC helps you stay ahead by delivering tailored internal audits that address the full scope of DORA, such as ICT risk and third-party risk management. Our experts support you in updating your risk assessment, designing effective audit plans and executing audits — all in line with the IIA’s standards and its Third Party topical requirement. Whether you're strengthening your third line of defence or navigating complex compliance requirements, PwC brings the insight, methodology and assurance you need to lead with confidence.

External audit of your ICT third-party service providers

Our teams combine deep knowledge of DORA compliance with audit expertise and risk assurance experience to help you fulfil your obligation to audit the ICT third-party service providers supporting your critical or important functions. Using PwC’s proven methodology and IT audit standards, we assess whether your ICT service providers meet expectations in terms of digital operational resilience, security and regulatory compliance.

Looking to share the effort? We can help you design, coordinate and execute a joint audit programme with other financial entities in Belgium or across Europe, allowing you to pool resources, reduce costs and benefit from shared expertise.

Training

Developing a training program to guarantee that both your teams and senior management possess sufficient knowledge and expertise regarding ICT-related risks is not only mandated by DORA, but is also a vital element in nurturing a risk-aware culture within your company. Looking to enhance your understanding and skills related to DORA, whether by revisiting the fundamentals, delving deeper into the subject, or exploring new areas you haven't encountered yet? Our experts are prepared to offer a training program tailored to your specific needs (DORA 360° or focused topics) and your audience (Senior Management, Risk, IT, Procurement, etc.).

Contact us

Gregory Joos

Partner, Head of Financial Services, PwC Belgium

Tel: +32 473 91 03 53

Pascal Tops

Partner Risk, Compliance & Cybersecurity, PwC Belgium

Tel: +32 473 91 03 68

Roy Coppieters

Director, PwC Belgium

Tel: +32 477 81 49 11

Carole de Vergnies

Director, PwC Belgium

Tel: +32 474 56 56 44