The Digital Operational Resilience Act (DORA) entered into force on 16 January 2023 and applies from 17 January 2025. The regulation is seen as a game changer in the regulatory landscape because of:

  • The broad range of financial entities in scope, which includes credit institutions, insurance undertakings, investment firms, alternative investment fund managers and many more, as defined in DORA Article 2.
  • The uniform expectations it sets across multiple financial sectors.
  • Its extended and explicit requirements for managing ICT (information and communication technology) third-party risk.

Digital transformation features increasingly in financial entities' strategic initiatives. Common objectives are to enhance the customer experience by offering services through digital channels and to optimise internal operations. Such transformation introduces new or additional risks, many of which the requirements set out in DORA are intended to mitigate.

What are its key topics?

Although DORA also refers to the principle of proportionality and explicitly excludes certain types of financial entities or limits the requirements that apply to them, in a nutshell the regulation can be broken down into the following themes:

1. ICT risk management

a. Governance arrangements, responsibilities for the management body and the need to have a Digital Operational Resilience Strategy
b. A clearly defined ICT risk management framework
c. Additional requirements on business continuity, ICT business continuity, response and recovery, and communication plans

2. ICT-related incident management

a. A clearly defined incident management cycle
b. Use of reporting templates for reporting major ICT-related incidents within specified reporting timelines
c. Awareness of the changes to existing reporting obligations on payment-related incidents
d. Incident classification thresholds

3. Digital operational resilience testing

a. A detailed digital operational resilience testing programme
b. Requirements to perform resilience tests
c. Additional threat-led penetration testing (TLPT) requirements

4. ICT third-party risk management

a. The need to have a clearly defined vendor strategy and broader framework
b. The need to maintain and submit to the competent authority the register of information, in a specified format
c. Contractual provisions required in arrangements with third-party providers of ICT services
d. Additional requirements for ICT services supporting critical or important functions of the financial entity

5. Information sharing

The above themes are elaborated in guidelines and in regulatory and implementing technical standards drafted by the European Supervisory Authorities and submitted to the European Commission in 2024 for adoption as Commission Delegated or Implementing Regulations. These provide further detail on the requirements stated in DORA.

The effort required for a regulated entity to become DORA compliant varies and depends on the individual entity's (or group's) operating model, its exposure to and appetite for ICT risk, and the supervisory requirements that already apply in its sector. It is therefore vital that Boards and Senior Management are informed of DORA's expectations and importance, and set the tone from the top.

Key success factors to align and embed DORA in daily operations include:

  • Establish robust governance arrangements
  • Enhance and operationalise risk management practices
  • Define policy requirements, processes and templates
  • Regularly test your operational resilience
  • Clearly define how DORA applies to the operations of individual or group entities
  • Know your ICT third-party service providers and the risks these dependencies may pose
  • Maintain complete and accurately populated registers of information
  • Be able to identify, assess, escalate, mitigate, report and monitor relevant incidents and third-party arrangements in a timely manner

How can we help?

  1. Readiness Assessments: Current state assessment against DORA requirements to identify existing gaps and propose relevant actions as next steps.
  2. DORA implementation: We work with you to implement DORA requirements across its themes (governance and ICT risk management, ICT-related incident management, ICT third-party risk management, and digital operational resilience testing).
  3. DORA third-party risk management: Hands-on support to develop and/or enhance the existing third-party management framework, prepare the register of information, and review and enhance legal contracts.
  4. Digital Operational Resilience Testing: Through our specialist team, we can support selected testing requirements, including threat-led penetration testing.
  5. ICT audits: Assisting Internal Audit functions in planning and executing ICT audits.
  6. ICT third-party service provider assessments: Performing periodic assessments of ICT third-party service providers that are subject to such requirements under DORA.
  7. DORA Awareness Training: We provide tailored programmes to raise your team's and/or Management's awareness of the requirements under DORA.

Authors

Andreas Potamaris

Senior Manager

Risk & Regulatory Consulting

Stelios Katsantonis

Senior Cybersecurity Specialist

Technology Consulting
