The Digital Operational Resilience Act (DORA) creates a regulatory framework under which firms must ensure that they can withstand, respond to and recover from all types of ICT-related disruptions. DORA entered into force on 16 January 2023 and applied from 17 January 2025.
Many financial institutions have made significant progress on their DORA compliance journeys, and our Risk Consulting team has seen firsthand the scale and complexity of the implementation effort when supporting the businesses. Now that DORA is in effect and regulatory scrutiny is increasing, the focus must shift from programme delivery to embedding operational resilience into day-to-day operations.
The Risk Consulting team, led by Jackie Hennessy, share their views and guidance below.
Compliance excellence
The next phase of your DORA journey
As DORA programmes wind down and transition into business-as-usual (BAU), this is a valuable moment to take stock. Revisiting your initial gap assessments and the enhancements made during the programme can help validate the progress achieved and ensure your organisation is well-positioned to maintain ongoing compliance.
As financial institutions across Europe continue to invest heavily in their Digital Operational Resilience Act (DORA) programmes, one truth is becoming increasingly clear: implementation alone isn’t enough.
The real challenge—and opportunity—lies in ensuring that these strategies are effective, embedded, and resilient. That’s where quality assurance (QA) steps in, not as a compliance afterthought, but as a strategic imperative.
For senior management, DORA isn’t just another regulatory hurdle; it’s a shift in accountability. Leaders are now directly responsible for ensuring their organisations can withstand and recover from digital disruptions.
This accountability demands more than dashboards and documentation—it requires confidence that the programme is working as intended. Quality assurance provides that confidence.
Transforming resilience into reality
How quality assurance strengthens DORA implementation
Quality assurance goes beyond merely fulfilling requirements—it’s about uncovering vulnerabilities that can derail even the most well-funded DORA programmes. It enables organisations to proactively identify and address challenges in the areas we have identified as the most difficult across the industry:
- Service and asset mapping: QA validates the completeness of mapping between critical services and underlying assets, ensuring resilience strategies are built on solid foundations.
- Ownership and BAU integration: It assesses whether DORA responsibilities are clearly defined and embedded into day-to-day operations, making the DORA-related operations sustainable beyond initial rollout.
- Resilience reporting: QA evaluates the relevance and effectiveness of existing KPIs, ensuring board-level reporting reflects the true state of resilience.
- Third and fourth-party resilience: It uncovers gaps in vendor oversight, helping organisations manage ICT risks across their extended supply chain.
- Scenario testing maturity: QA reviews the design and execution of resilience testing, moving organisations from checkbox exercises to meaningful preparedness.
- Integration with existing capabilities: It ensures DORA is not a standalone initiative but is aligned with and enhances existing risk, compliance, and IT frameworks.
By addressing these areas, quality assurance becomes a strategic enabler—helping senior management demonstrate accountability, build stakeholder trust, and unlock the full value of their DORA investment.
Quality assurance (QA) review of your DORA design and implementation should be tailored to your organisation and strategic goals. Below are 5 key benefits of completing a quality assurance review:
- Operationalisation: a QA review helps to validate the operationalisation of DORA requirements in the BAU environment and can identify any implementation gaps.
- Regulatory readiness: regulatory bodies are intensifying their focus on operational resilience. A QA review helps to ensure you are confident in your DORA position and prepared for engagement with the competent authorities of your regulated entities, as well as with the second and third lines of defence (2LOD and 3LOD).
- Trust: trust is paramount in financial services. Ensuring DORA compliance demonstrates a commitment to protecting customers and fosters trust among customers and stakeholders alike.
- Supply chain oversight: increasingly complex supply chains require a proactive approach and stringent oversight measures to safeguard operations and ensure resilience.
- Cyber resilience: increasingly sophisticated cyber-attacks have underscored the need for robust resilience measures to proactively manage risks and respond effectively.
How KPMG can help
An independent review of your DORA implementation can provide clarity and confidence. Drawing on deep cross-functional expertise, we can help assess whether your current design aligns with both regulatory expectations and your broader strategic objectives – supporting a smooth transition into sustained, resilient operations.
KPMG services across your DORA journey:
- Governance
- Assessment
- Remediation
- Compliance & Quality Assurance
- Target Operating Model
- Technology Enablement
- People & Change
For more information, explore our insights and framework in our DORA Quality Assurance services brochure.
Get in touch
Whether you require additional resources or expert knowledge, the skills across our Consulting practice can be drawn upon to aid with the various aspects of your DORA programme.
If you would like to discuss how KPMG can provide guidance and support on your DORA compliance journey, please get in touch with our Technology Risk Consulting Team. We’d be delighted to hear from you.