Digital Operational Resilience Act (DORA)

About DORA

In November 2022, the European Union (EU) adopted the Digital Operational Resilience Act (DORA), an innovative regulatory framework that addresses the risks posed by the digital transformation of financial services and the increase in the volume and severity of cyber attacks within the sector. DORA has since been formally adopted and entered into force at the start of 2023.

DORA targets businesses and organisations that operate in the financial sector as well as critical third parties that offer information and communication technology (ICT)-related services to financial entities. With a relatively tight preparation and implementation period of 24 months, financial entities will be expected to be compliant by Q4 2024. 

Competent authorities of the Member States will ensure compliance oversight and enforce the regulation, where necessary through administrative penalties and remedial measures on members of the management body of the financial entity in question.

Who is impacted?

More than 22,000 financial institutions and ICT service providers based in the EU will be subject to DORA. All financial market participants including banks, investment companies, insurance companies and intermediaries, as well as data reporting providers and cloud service providers, will be subject to the regulatory framework introduced by DORA.

Financial entities:

  • Banks/Payments and e-money providers
  • Insurance providers
  • Reinsurance providers
  • Capital markets entities
  • Brokers/CSDs/CCPs
  • Investment firms/Pension Funds
  • Credit Institutions/Credit rating agencies

ICT service providers:

  • Cloud providers/SaaS/Outsourcers
  • Software providers
  • Critical ISV and systems integration providers
  • Fraud management providers
  • Penetration testing providers
  • Collaborative tools providers
  • Data storage solution providers
  • Information management systems/CRM solution providers
  • Payment solutions providers

When will DORA impact my organisation? 

DORA officially entered into force in 2023 after its adoption and publication in the Official Journal of the European Union.  

The draft technical standards, which include Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), are currently being developed by the European Supervisory Authorities (ESAs). These include stringent requirements on key areas of compliance including ICT and third-party risk management, incident classification and reporting. Three RTSs from the first deadline have already been approved by the European Commission. The final version is expected to be published in the Official Journal later this year.  

As we are officially in the DORA applicability period of 24 months, before the official enforcement in 2025, financial entities have to implement and comply with a large number of binding obligations. The following timeline outlines the key phases in the development and enforcement of DORA. 

Development of RTS and ITS

Multiple RTS and ITS will be defined and communicated by the ESAs, to provide financial entities with technical specifications and guidance on how to implement specific DORA provisions. The following have already been published and approved by the European Commission:

  • RTS on Classification of major ICT-related incidents and significant cyberthreats 

  • RTS on ICT Third Party (TPP) policy 

  • RTS on ICT Risk Management Framework 

  • ITS on Register of information on all contractual arrangements on the use of ICT services 

The following are expected later this year:

  • RTS on Reporting of major ICT-related incidents and significant cyberthreats 

  • RTS on Advanced threat-led penetration testing 

  • RTS on Key contractual requirements for subcontracting ICT services

  • RTS on Information to be provided by ICT TPP 

Enforcement and supervision

While requirements for DORA are applicable from the moment the regulation enters into force, they are enforceable by early 2025. During this preparation period of 24 months, financial entities are expected to work towards full compliance.

What is digital operational resilience?

DORA introduces a five-pillar framework of ICT Risk Management, Incident Reporting, Operational Resilience Testing, Third-Party Risk Management (TPRM) and Information Sharing, ensuring a consistent provision of services across the entire digital value chain.

ICT risk management framework

Under DORA, financial entities are required to set up a comprehensive ICT Risk Management Framework (ICT-RMF) based on key performance indicators and risk metrics that are continuously monitored.

As detailed in the draft RTS, as part of the ICT-RMF, financial entities must:

  • Set up and maintain resilient ICT security policies, procedures, protocols and tools that minimise the impact of ICT risk.

  • Set up a coherent human resources policy, as well as identity management and access control systems.

  • Develop mechanisms enabling a prompt detection of anomalous activities with the potential of becoming ICT-related incidents.

  • Map their ICT assets and dependencies as well as identify ‘Critical or Important Functions’ (CIFs).

  • Establish dedicated and comprehensive Business Continuity Management (BCM) and Disaster Recovery (DR). While many financial entities might have such plans already in place, the regulatory requirements of DORA will increase supervisory pressure to develop more complex BCM/DR scenario-testing and incorporate redundancy and substitutability into the CIFs.

  • Continuously document and review the entire ICT-RMF.

In order to meet these requirements, financial entities will need to expand their existing resilience capabilities, clearly articulate their risk appetite for disruption across CIFs and adequately understand the interconnections between their delivery services and their ICT assets, processes and systems.

ICT incident classification and reporting

Under DORA, financial entities will be subject to a novel classification, notification and reporting framework on ICT-related incidents that will challenge existing collection, analysis and escalation processes within financial entities.

As part of this novel framework and in line with the draft RTS, financial entities must:

  • Develop a streamlined process to record and classify all major ICT-related incidents and significant cyberthreats; this requires mature incident management capabilities in order to monitor, handle and resolve all incidents.

  • Assess the quantitative impact of all ICT incidents and analyse their root causes.

  • Notify clients and other financial entities in the event of a major ICT-related incident and provide them with information on mitigation measures. In the case of significant cyberthreats, financial entities shall inform clients who might be affected and provide information on appropriate protection measures.

  • Submit an initial, intermediate and final report to their competent national authorities on major ICT-related incidents.

DORA delegates the definition of classification and reporting to the European Supervisory Authorities (ESAs), which are currently in the process of developing common technical standards.

Operational resilience testing

DORA establishes digital operational resilience testing (ORT) requirements for financial entities, which will have to:

  • Annually conduct advanced security and resilience tests on critical ICT systems and applications, especially on those supporting critical or important functions.

  • Promptly eliminate any vulnerabilities, deficiencies or gaps through the implementation of mitigating measures.

  • Periodically (at least every 3 years) conduct advanced Threat-Led Penetration Testing (TLPT) for CIFs. ICT third-party service providers supporting such functions are required to participate and fully cooperate in these activities, something that is rarely done in exercises today.

In combination with the stringent BCM/DR requirements, ORT could evolve into a significant area of supervisory scrutiny and force financial entities to develop broader and more accurate testing and scenario analysis capabilities. Further requirements for identifying financial entities required to perform TLPT, testing scope, methodology and results will be detailed in the upcoming set of RTS on TLPT.

Third-party risk management

Under DORA, financial entities are legally obliged to implement TPRM requirements, including:

  • Concentration risk assessments of all outsourcing contracts that support the delivery of CIFs.

  • Contracts with ICT third-party providers that contain all the necessary monitoring and accessibility details and binding contractual terms.

  • For critical ICT third-party service providers, a Union Oversight Framework, which can issue recommendations on the mitigation of identified ICT risks.

Ensuring TPRM across their digital value chains will be a challenging task for financial entities and a comprehensive Supply Chain Resilience Framework could therefore become an area of increased supervisory scrutiny.  

Cyberthreat intelligence and information sharing

DORA allows financial entities to set up arrangements amongst themselves in order to exchange cyberthreat information, in line with the existing TIBER-EU framework. The supervisory authority will provide relevant anonymised information and intelligence on cyberthreats to financial entities. As such, financial entities should implement mechanisms to review and take action on the information shared by the authorities.

How can PwC assist your organisation? 

PwC can assist your organisation along the entire resilience journey towards compliance with DORA, from the assessment of your current readiness through to assisting you in the implementation of measures to meet the regulatory requirements and embed those in your risk, security, resilience and compliance management. 

Establishing effective governance across all DORA pillars requires collaboration across different functions within the organisation – from IT and cybersecurity teams to business leaders and the board of directors, so as to effectively address the challenges posed by digital disruptions and cybersecurity threats.

As stringent requirements are being set out even more in detail in the technical standards developed by competent authorities, it is of utmost importance for financial entities to make sure that they have all the elements to establish a comprehensive governance framework across all DORA controls. 

Our teams can help you define and improve your strategy to effectively implement, maintain and monitor your ICT risk management framework, along with planning the necessary training and awareness of management bodies and relevant stakeholders, and identify any areas that might require substantial investment and prioritisation. 

Testing is a complex task for financial organisations and digital operational resilience is among the key requirements of DORA. Financial entities are required to evaluate and test their governance and risk management, business continuity and crisis management procedures, as well as their incident response and recovery capabilities. 

Based on your needs, we can provide subject matter expertise to design tailored Resilience Testing and Advanced Testing simulations in full compliance with DORA testing requirements. Learn more about our Crisis & continuity management services.

DORA requires financial entities to define a thorough management process for monitoring and recording ICT-related incidents. This entails having the necessary resources and capabilities from threat detection to response and recovery. 

Our specialised teams can help you strengthen your incident response capabilities, align your current procedures with DORA requirements and provide additional support for the monitoring of your IT infrastructure for attacks and breaches. We can implement tailored threat detection and response solutions to monitor critical infrastructure, systems and devices for attacks and breaches, as well as provide managed 24/7 SOC services to help you secure your infrastructure at all times. We provide assistance in designing and implementing your incident response and recovery.

A key pillar of DORA is the scrutiny on ICT third-party service providers, whereby supervisory authorities are now mandated to address operational risks directly with (critical) third-party service providers.

Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate cyber security standards. It is therefore essential for financial entities to thoroughly assess their dependencies on third-party providers and strengthen their capabilities to test and monitor third-party risk. Our teams can help you establish, implement and monitor a comprehensive ICT third-party risk management framework throughout the whole contracting lifecycle with your third-party ICT service providers.

Contact us

Gregory Joos

Partner, Head of Financial Services, PwC Belgium

Tel: +32 473 91 03 53

Koen Maris

Assurance Partner, Cyber, Privacy & Resilience, PwC Belgium

Tel: +352 49 48 48 2096

Roy Coppieters

Director, PwC Belgium

Tel: +32 477 81 49 11

Carole de Vergnies

Director, PwC Belgium

Tel: +32 474 56 56 44