The Digital Operational Resilience Act (DORA) entered into force in January 2023 and will apply from 17 January 2025, just under a year from now. Over the past year, businesses have been navigating DORA, deciphering its implications, and determining the necessary organisational and technical changes for compliance.
Assessing activities across the DORA policy areas has been a priority, with firms identifying and remediating gaps through the implementation of suitable processes.
Throughout this journey, our Cyber and Technology Risk teams, led by Dani Michaux and Jackie Hennessy, have supported firms in discovering opportunities to leverage existing frameworks and activities, particularly those outlined in the Central Bank's guidance on Outsourcing, Operational Resilience, and IT & Cybersecurity Risk.
What's in tranche 2?
The second tranche of standards, which are currently going through public consultation and due for finalisation on the 17th of June 2024, will provide further guidelines on the following areas:
How KPMG can help
DORA requirements will apply in full to financial entities, and by extension to their ICT service providers, from 17 January 2025. The requirements will include any further clarifications issued by the ESAs as a result of the finalisation of the second tranche of standards.
Our team of technology risk and cyber experts have extensive knowledge across the Digital Operational Resilience obligation areas, paired with deep Governance, Risk and Compliance expertise. We have delivered DORA support programmes to leaders in the financial sector and aided numerous clients on their wider Operational Resilience journeys over the years.
The KPMG view on the DORA compliance journey takes us through 4 key stages:
Assess
While some requirements will only involve minor improvements to existing processes and structures, there will be other areas which will require specific expertise, planning, time and collaboration across different organisational functions.
To understand the implementation effort required to achieve DORA compliance, the first stage that all clients need to go through is an assessment of their current frameworks. This allows them to size, prioritise and plan for remediation, and to review these plans in the context of their short-, medium- and long-term resilience objectives.
Design
During DORA design, it is crucial to establish a fit-for-purpose DORA programme that shifts the focus to how DORA is going to be implemented for your business.
This may include the design of control frameworks across key remediation areas, the design of a Target Operating Model (TOM) to support DORA through the transition to the business-as-usual environment, establishing a DORA compliance function to continuously review the DORA compliance status, and determining the right technology to support the implementation of DORA.
Deliver
Based on the prioritisation of delivery elements defined during the design phase, it is time to execute the remediation.
During delivery, we support our clients in implementing and remediating the controls in line with the agreed prioritisation, and we support the deployment of technology which allows clients to optimise DORA processes and controls, achieve scale and consistency, and enhance their ability to manage risk and compliance.
Monitor
Lastly, KPMG has continuous DORA assurance offerings to carry your organisation from January 2025 and beyond as you continue to monitor and ensure ongoing compliance with DORA requirements.
Our model
KPMG offers a resource-on-demand model which can be tailored to suit your organisational needs as you continue along your DORA compliance journey, and specifically, we can help you with the following:
- Gap analysis to assess DORA compliance
- DORA Programme Support via programme design, governance and assurance
- Target Operating Model (TOM) design
- Technical remediation support across ICT risk management, infrastructure, business continuity, IAM, digital operational resilience testing, incident management and third-party risk
- People and change management via trainings, skills plans, communications packs, etc.
- Tech enablement
- Compliance Programme to ensure future alignment
For more, download our guide to DORA
Get in touch
Whether you require additional resources or expert knowledge, the skills across our Consulting practice can be drawn upon to aid with the various aspects of your DORA programme.
If you would like to discuss the potential impact of DORA on your business, please contact Dani Michaux or Jackie Hennessy of our Digital Operational Resilience team. We look forward to hearing from you.
Dani Michaux
Partner, EMA Cyber Leader
KPMG in Ireland
Jackie Hennessy
Partner
KPMG in Ireland