What do you need to know about the new resilience regulation affecting financial entities and ICT-providers?

The Regulation on digital operational resilience for the financial sector, also known as the Digital Operational Resilience Act or DORA, was published in the Official Journal of the European Union on 27 December 2022. The Regulation entered into force on 16 January 2023 and will apply from 17 January 2025.

The European Commission proposed this entirely new regulatory framework for digital risk management for financial entities and certain ICT service providers as early as September 2020.

DORA aims to improve ICT risk management in finance. In contrast to other EU legislation in the field of cybersecurity (most notably the GDPR and NIS), DORA is not a principle-based piece of legislation but contains detailed lists of requirements designed to boost operational and security capabilities of financial entities. Although DORA builds upon previous EU and Member State legislation, supervisory authority guidance and well-known international security and ICT risk management standards, DORA represents the first attempt to harmonise qualitative requirements on ICT risk management at an EU-level.

DORA lifts the requirements to the level of binding regulation and brings financial entities and TPPs to the same table

Complying with the new requirements should be a common interest for financial entities and their critical third-party ICT providers (TPPs).

While not all the requirements are entirely new, it is worth noting that the criteria that need to be fulfilled are now based on binding EU and national laws and regulations, not only on ICT standards and authorities' guidelines, as has largely been the case so far.

Another implication of importance is that ICT providers are becoming semi-supervised entities, that is, the ESAs will be authorised to assess them and, accordingly, issue guidance and even sanctions in cases of non-compliance.

Not only financial services entities but also their critical ICT providers are obliged to review their procurement agreements to comply with DORA. This intervention into the principle of freedom of contract may come unexpectedly to some.

Who does DORA apply to?

As one of the main goals of the Regulation is to harmonise the rules on ICT risk management, DORA's scope of application is very broad. It covers all financial actors, from credit institutions to AIFMs, payment institutions, insurance companies and statutory auditors, you name it.

Notably, DORA would also regulate critical third-party ICT providers. According to the proposal, critical ICT service providers will each have a Lead Overseer (either EBA, ESMA or EIOPA) supervising the provider’s procedures and arrangements to manage the ICT risks they could pose to financial actors. The powers of the Lead Overseer would range from asking for information to conducting investigations, to imposing periodic penalty payments on service providers. The agreed oversight framework is further tasked with supervising ICT concentration risk across the financial sector.

Financial entities regulated under DORA

Credit institutions
Payment institutions and electronic money institutions
Investment firms
Crypto-asset service providers
Central securities depositories
Central counterparties
Trading venues and trade repositories
AIFMs and management companies
Data reporting service providers
Insurance and reinsurance undertakings and intermediaries
Institutions for occupational retirement pensions
Credit rating agencies
Statutory auditors and audit firms
Administrators of critical benchmarks
Crowdfunding service providers
Securitisation repositories

What are some of the key obligations under DORA?

DORA sets out a comprehensive framework for managing risks associated with increased digitalisation of the financial sector. Requirements for financial entities are divided into the following areas of cyber security and operational resilience:

ICT Risk Management

The management body of the financial entity bears the final responsibility for managing ICT risk. To that effect DORA sets out a list of duties and obligations to which management is subject, including an explicit obligation on members of management to develop and maintain their knowledge of ICT risk.

Financial entities are further required to identify their ICT risk landscape and have in place a comprehensive ICT risk management framework guiding and steering all work relating to ICT risk management. Financial entities other than microenterprises are required to implement an internationally recognized information security management system. 

Classification and Reporting of ICT-related Incidents

Financial entities are required to put in place an ICT-related incident management process and develop capabilities to monitor, handle and follow-up on such incidents.

Incidents are to be classified according to factors outlined in the Regulation, such as the geographical spread of the incident, the criticality of the services affected and the duration of the incident. Major incidents must be reported to the relevant competent authority in line with a three-tiered process set out in the Regulation.

Digital Operational Resilience Testing

DORA outlines an obligation to implement a proportional and risk-based digital operational resilience testing programme. The programme must provide for the execution of a full range of appropriate tests, such as vulnerability assessments and scans, open source analyses and network security assessments. 

Critical ICT systems and applications must be tested annually, and certain financial entities are required to carry out so-called advanced threat-led penetration testing once every three years.

Information and Intelligence Sharing between Financial Entities

Financial entities may share with each other cyber threat information and intelligence, provided such exchange of information aims at enhancing the digital operational resilience of financial entities, takes place within trusted communities and is carried out in accordance with applicable legislation (e.g. data protection, trade secrets and competition).

Vendor Management

ICT third-party risk is considered an integral component of the ICT risk management framework. Financial entities are therefore required to adopt and regularly review a strategy on ICT third-party risk and to maintain a Register of Information outlining all contractual arrangements with ICT third-party service providers.

DORA also sets out key steps for procuring new ICT services, requirements for ending them and specific contractual provisions to be included in contracts with ICT third-party service providers. It further requires financial entities to perform ICT concentration risk assessments before entering into new contractual arrangements.

Examples of documents to be included in the ICT risk management framework

Digital resilience strategy
Information security policy
Policies on access management
Policies on ICT change management
Policies for "patches and updates"
ICT multi-vendor strategy
Strategy on ICT third-party risk
ICT Business Continuity Policy
ICT Disaster Recovery Plan
Backup policy
Communication plans enabling responsible disclosure of ICT-related incidents or major vulnerabilities
Register of Information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers

The regulative future

Luckily the big picture is now somewhat clarified. However, the details of the newly established requirements will be set by the European Supervisory Authorities (ESAs) using Level 2 measures such as Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS). We recommend that all interested parties follow the upcoming Level 2 consultations closely, as they will give a strong indication of the final requirements in detail.

How can we help?

Financial entities, as well as ICT service providers and outsourcing partners (including cloud service providers) that provide critical services to the financial sector, are advised to plan the implementation of the vast range of tightened or totally new requirements in order to be compliant by the end of 2024. Some of the requirements will not pose major changes to current frameworks and arrangements, whereas others will require a lot of time, coordination and effort from very different professionals within organisations.

We at KPMG frequently provide advice in the fields of ICT risk management, resilience, cyber security, TPRM and the financial sector's regulatory framework. KPMG cross-professional teams are used to bringing together different stakeholders in our client organisations.

Please reach out to us if you are interested in hearing more or would like to request a proposal for, for example:

  • Gap analysis to develop a roadmap to complying with the required operational resilience framework
  • Identifying and registering your critical ICT providers
  • Developing advanced digital operational resilience scenario testing
  • Vendor management / outsourcing / third party risk management (TPRM)
  • Legal review of your procurement / outsourcing agreements
  • Improving your ICT risk governance including documentation
  • Incident management & reporting
  • Assessing your business continuity & disaster recovery

Jannica Boucht

Senior Manager, Legal counsel

+358 40 184 8863

Karri Tomula

Advisory Director

+358 40 749 0262

Tuomas Ilveskoski

Audit & Assurance Partner

+358 40 632 6088