The Digital Operational Resilience Act (DORA) is a newly implemented EU regulation, effective from January 2023. This regulation is a crucial component of the EU Commission's digital financial package, aimed at enhancing the digital resilience of the European financial market. Its primary objective is to ensure that financial market participants can maintain safe and reliable operations, even in the face of significant disruptions in information and communication technology (ICT).

Companies affected by this regulation have been granted a transition period until January 2025 to achieve full compliance.

Navigating DORA compliance

Governance and ICT risk management

DORA places significant emphasis on the responsibility of the management body for ensuring digital operational resilience. Management must guarantee adequate protection against ICT disruptions and cyber-attacks.

DORA envisions a comprehensive ICT risk management framework as essential for building resilient financial firms. This framework enables the identification, assessment, management, and monitoring of ICT risks. One example of DORA implementation is the establishment of resilient ICT systems adhering to a consistent standard in the European Economic Area.

Legal aspects

DORA specifies contract requirements with third-party ICT providers that must be incorporated into the contract management of financial institutions. Implementing DORA requires categorizing existing contracts, establishing target requirements, conducting gap analyses, and addressing potential gaps. Furthermore, DORA alters the responsibility and liability risks of companies and executives regarding third-party ICT risks, requiring a review and potential adjustment of insurance coverage.

ICT incidents

DORA aims to standardize reporting obligations for serious ICT incidents across the European financial industry. The goal is to enhance responses to these incidents and ensure effective cooperation between national and European authorities. Implementation includes the introduction of uniform procedures for monitoring, classifying, and reporting ICT incidents to relevant authorities.

Control ICT third-party risk

DORA facilitates effective monitoring of risks posed by third-party ICT providers, which is crucial as financial firms increasingly rely on these services for their IT systems and processes. Implementation includes penalties and termination options for non-compliant third-party ICT providers, ensuring robust risk monitoring by financial firms.

Digital operational stability testing

Regular testing of the operational stability and security of critical ICT systems is essential for the seamless functioning of financial businesses. A risk-based testing approach is required to detect and address potential ICT disruptions. An example of implementation is conducting penetration tests on live production systems at least every three years to identify vulnerabilities and counter potential attack vectors.

Protection and prevention

Financial organizations must ensure that their ICT systems and processes can swiftly and effectively detect and respond to potential threats. DORA specifies requirements for processes and systems to promptly detect and defend against such threats. An example of implementation is automatic network isolation during cyber-attacks, minimizing data loss and system failure while expediting the restoration of normal operations.

Challenges for Customers

The introduction of DORA may pose challenges for financial firms, requiring updates to ICT systems, process optimization, and employee training to meet the new requirements.

Key areas KPMG professionals can assist

DORA compliance strategy and management consulting

KPMG professionals can help financial organizations formulate and execute effective strategies to achieve DORA compliance, including governance and risk management enhancements.

Information security management (ISM)

KPMG professionals specialize in bolstering information security measures, ensuring that ICT systems and processes align with DORA requirements, thereby safeguarding digital operational resilience.

Information risk management (IRM)

KPMG professionals assist in identifying, assessing, managing, and monitoring ICT risks, helping financial firms establish a robust risk management framework as mandated by DORA.

Outsourcing and cloud solutions

KPMG professionals provide expertise in evaluating and handling third-party ICT providers to mitigate risks, offering insights into contract management in line with DORA's specifications.

KPMG professionals offer wide-ranging professional expertise across various relevant disciplines related to DORA, including management consulting, Information Security Management (ISM), Information Risk Management (IRM), Business Continuity Management (BCM), technical security testing, and outsourcing and cloud solutions. KPMG firms’ specialized advisory services cover various aspects of these disciplines, leveraging deep understanding of processes, risks, and governance structures.

KPMG professionals’ project experience in the industry allows the development of customized digital solutions tailored to clients' specific needs. With access to global expertise and experience through the global organization, they work closely with international teams to offer tailored digital solutions to the financial sector. Additionally, KPMG professionals provide tools for efficient risk and control management, including the coordination of third-party ICT providers and their contracts.

Get in touch

Andreas Tomek  

Partner, Advisory  

KPMG Austria

Benny Boegarts  

Partner, Technology Advisory  

KPMG Belgium

Juraj Bojko  

Manager, Management Consulting   

KPMG in Croatia

Mikael Johanesen

Director

KPMG Denmark
Soren K. Lauritzen

Senior Manager

KPMG Denmark

Ivar Anton

IT Audit Team Lead

KPMG Estonia

Sophia Hauswurz

Manager, Head of Operational Continuity

KPMG in Finland
Karri Tomula

Cyber Advisory

KPMG Finland

Fayçal El Belghami

Associate, Cyber security and privacy

KPMG France

Vaike Metzger

Partner, Financial Services, Solution Lead IT Compliance & Cybersecurity

KPMG AG Wirtschaftsprüfungsgesellschaft

Theodoros Stergiou

Director, Risk Consulting

KPMG Greece

Lukács Kornél

Partner

KPMG Hungary

Diarmuid Curtin  

Director  

KPMG Ireland 

Luca Boselli 

Partner, Head of Information Risk Management  

KPMG Italy 

Lars Klossack

Partner

KPMG Liechtenstein

Laurent De La Vaissiere

Partner

KPMG Luxembourg

Elena Silanteva

Senior IT Advisor

KPMG Malta

Ali Alam

Senior Manager, IT Assurance

KPMG in the Netherlands
Augustinus Mohn

Senior Manager, Cybersecurity and Operational Resilience

KPMG in the Netherlands

Andreas Rieber

Executive Director

KPMG in Norway
Sebastien Fix

Director – Head of ServiceNow GRC & ESG

KPMG Norway

Marcin Kieszkowski

Senior Manager

KPMG in Poland
Michał Kurek

Partner - Head of Cybersecurity in Poland and CEE

KPMG Poland

Cristina Alberto

Director, Technology Consulting

KPMG in Portugal

Gheorghe Vlad

Director, Cyber

KPMG in Romania

Juan de Dios Lechuga

Partner

KPMG Spain

Nicklas Wallenborg

Consultant - Financial Risk Management

KPMG Sweden

Mihai Rada

Partner - Technology Risk

KPMG Switzerland

Indy Dhami

Partner

KPMG in the UK
Marija Devic

Director

KPMG in the UK