The Digital Operational Resilience Act (DORA) is a new EU regulation that came into force in January 2023. It is part of the EU Commission's digital financial package with the aim of increasing the digital resilience of the European financial market. The aim is to ensure that financial market participants can continue to operate safely and reliably even in the event of larger incidents concerning information and communication technology (ICT).
For companies affected by the regulation, there is a transition period until January 2025 for full implementation.
The new requirements, for example for ICT security, operational resilience and reporting obligations in the event of cyber attacks, are explained below.
Requirements & current developments
DORA also provides for its requirements to be specified in more detail by the ESAs (European Supervisory Authorities) through regulatory technical standards (RTS) and implementing technical standards (ITS).
The following chart gives an overview and timeline of these specifications, those delivered in the first round (pink) and those still pending in the next round (blue), broken down by DORA chapter. The public consultation phase of the first round runs from 19.6.2023 to 11.9.2023. The European Commission is then due to receive the revised drafts by 17.1.2024. The RTS/ITS of the second round are expected to be published for public consultation at the end of November/beginning of December 2023.
Challenges for Customers
The introduction of the DORA regulation may pose a number of challenges for financial firms, as they may not be sufficiently prepared for the implementation of the new requirements.
In order to meet the requirements and continue to conduct business appropriately and successfully, ICT systems need to be updated, processes optimised and employees trained.
Legal Aspects
Regarding contract management, DORA specifies requirements for contracts with third-party ICT providers that must be incorporated into the contract management of financial institutions. In the implementation phase, it is necessary to categorise existing contracts, establish target requirements, conduct gap analyses and address any gaps identified.
Furthermore, DORA changes the requirements regarding the responsibility and liability risks of companies and executives concerning third-party ICT risks. For example, it is necessary to review and, if necessary, adjust the scope and conditions of insurance coverage.
How KPMG supports you
- KPMG has a comprehensive professional repertoire covering all relevant disciplines in the area of the DORA regulation, including management consulting, ISM (Information Security Management), IRM (Information Risk Management), BCM (Business Continuity Management), outsourcing and cloud solutions. We specialise in advising and supporting our clients in all aspects of these disciplines.
- We have a deep understanding of processes, risks and controls as well as governance structures. Our expertise and know-how enable us to support our clients in implementing effective control mechanisms and risk management strategies.
- Our extensive project experience with companies in the industry has provided us with valuable insights and knowledge that help us better understand our clients' challenges and requirements. With our proven process model, we apply these insights in a targeted manner and develop customised solutions, optimally tailored to the individual needs of our clients.
- We benefit from direct access to global expertise and experience through our corporate network. We work closely with our international teams and can draw on a broad range of experience and expertise specifically tailored to the financial sector.
- In addition to our technical and methodological expertise, we also offer know-how for the implementation of tools. We support our clients in implementing standard GRC tools to efficiently manage and monitor risks and controls. We also offer tools for the effective management of third-party providers and their contracts in the area of information and communication technology (ICT).
Your contacts
Nadine Schmitz
Partner, Financial Services
KPMG AG Wirtschaftsprüfungsgesellschaft
Peter Hertlein
Partner, Financial Services, IT Compliance & Cyber Resilience
KPMG AG Wirtschaftsprüfungsgesellschaft
Partner, Legal Financial Services
KPMG Law Rechtsanwaltsgesellschaft mbH
+49 174 9044502
Senior Manager, Legal Financial Services
KPMG Law Rechtsanwaltsgesellschaft mbH
+49 151 55109012
* Legal services are provided by KPMG Law Rechtsanwaltsgesellschaft mbH.