


      While the EU's Digital Operational Resilience Act (DORA) originates in Europe, its ripple effects are spreading worldwide. Although the January 17, 2025 deadline has come and gone, global financial institutions continue to struggle with developing sustainable business-as-usual (BAU) operating models for DORA compliance. For firms headquartered outside the EU, translating regulatory requirements into enduring operational practices presents unique challenges that extend far beyond initial implementation.

      To navigate these complexities, non-EU firms must focus on the following critical areas:

      Simran Singh

      Director - Operational Resilience, KPMG in the UK

      Jonathan Day

      Senior Manager - Operational Resilience, KPMG in the UK



      Management body oversight

      DORA places significant emphasis on the role of management bodies in overseeing digital operational resilience. However, the interpretation and application of these requirements can vary across EU jurisdictions. Non-EU firms must navigate this landscape while ensuring their global governance framework aligns with EU-specific demands. To effectively implement this, firms need to consider the following key areas:

      • Harmonising global governance

        Balancing global governance structures with EU-specific requirements necessitates a nuanced approach. Firms must identify key areas of divergence and develop tailored strategies for each jurisdiction.

      • Demonstrating effective oversight

        The concept of effective oversight can be interpreted differently across EU member states. Firms need to understand these nuances and tailor their documentation and reporting strategies accordingly.

      • Cross-border communication

        Clear communication and reporting between EU entities and global headquarters are crucial for demonstrating compliance. This includes establishing reporting strategies, aligning on documentation expectations and ensuring consistent data sharing.


      Integrating ICT risk management and digital operational resilience strategy

      DORA mandates a robust, thoroughly documented ICT risk management framework, anchored by a clear digital resilience strategy that outlines practical implementation. For non-EU institutions, the challenge lies in seamlessly integrating these requirements into existing frameworks while navigating the complexities of cross-border operations. This requires not just compliance, but strategic alignment that accounts for jurisdictional variations while maintaining global operational coherence. To achieve this, firms should focus on the following:

      • Harmonising global governance

        Firms need to assess their existing ICT risk management frameworks and identify areas requiring alignment with the DORA regulations. This includes harmonising global policies and procedures with EU-specific requirements.

      • Comparative analysis

        Understanding the implementation challenges faced by firms in different EU member states is crucial for developing effective strategies. This comparative analysis can highlight best practices and potential pitfalls.

      • Third-party risk management

        Managing third-party risk across international boundaries is a key challenge. Firms need to develop robust due diligence processes and ensure effective oversight of third-party providers.

      • Testing and compliance

        DORA mandates rigorous testing of digital operational resilience capabilities. Firms must navigate variations in testing requirements across jurisdictions and develop practical compliance approaches.

      • Resource allocation

        Cost-effective resource allocation is essential for successful DORA implementation. Firms can learn from successful global-local integration approaches observed across different markets.


      Business As Usual (BAU) operating model and preparing for regulatory inspections

      Financial institutions must develop robust BAU operating models that continuously demonstrate compliance while efficiently managing regulatory interactions. As national competent authorities exercise their inspection powers, an effective operating model becomes the cornerstone of sustainable compliance. Firms must prepare for these inspections by understanding the unique expectations of each EU jurisdiction while maintaining operational efficiency. Key considerations include:

      • BAU Operating Model

        Establish a sustainable compliance framework that integrates DORA requirements into everyday operations through embedded controls, clear accountability structures, automated monitoring capabilities, and efficient resource allocation.

      • Multi-Jurisdictional Governance Framework

        Establish governance mechanisms that accommodate regulatory variations across EU jurisdictions while maintaining operational cohesion. This framework should incorporate escalation paths, decision rights, and accountability structures tailored to each relevant authority's expectations.

      • Managing Simultaneous Requirements

        Develop strategies for addressing concurrent regulatory demands from multiple EU jurisdictions, while tracking enforcement trends and focus areas to prioritise efforts and prepare effectively for inspections.

      The post-deadline DORA landscape presents a strategic inflection point for global institutions. Success requires more than checkbox compliance – it demands an orchestrated approach that balances jurisdictional nuances with operational efficiency.

      Forward-thinking firms are now pivoting from DORA implementation to integration, creating resilient frameworks that withstand both regulatory scrutiny and operational disruptions. They are also future-proofing their approach by embedding emerging regulatory readiness into an enduring operational resilience capability that serves their global footprint and customer base holistically.

      KPMG's specialised DORA team brings cross-border expertise to this complex challenge, helping global firms transform regulatory requirements into sustainable business advantages. Ready to elevate your approach? Connect with KPMG experts to develop a sustainable DORA approach that works across borders.

