DORA: Why it is relevant to you

The Digital Operational Resilience Act (DORA) is a new European framework for effective and all-inclusive management of digital risks in Financial Markets. 

The framework shifts the focus from only guaranteeing firms’ financial soundness to also ensuring they can maintain resilient operations through an incident of severe operational disruption deriving from cyber security and ICT issues.

By introducing a single consistent supervisory approach across the relevant sectors, DORA ensures convergence and harmonization of security and resilience practices across the EU.

The most important in 30 seconds

Why is DORA relevant

  • DORA will apply to more than 22,000 financial entities and ICT service providers operating within the EU. The regulation will introduce specific and prescriptive requirements for all financial market participants including e.g. banks, investment firms, insurance undertakings and intermediaries, crypto asset providers, data reporting providers and cloud service providers.
  • DORA introduces an end-to-end holistic framework of effective Risk management, ICT and cyber security operational capabilities, to Third Party management, ensuring a consistent provision of services across the entire value chain.  
  • Five key topics are at the centre of DORA: ICT Risk Management, ICT-related Incidents; Digital Operational Resilience Testing, Management of Third Party Risk and Information Sharing. 
  • The regulation is unique in introducing a Union-wide Oversight Framework on critical ICT third-party providers, as designated by the European Supervisory Authorities (ESAs). 

When will DORA be enforced?

DORA will enter into force on 16 January 2023. With an implementation period of two years, financial entities will be expected to be compliant with the regulation latest by early 2025.  

On 24 September 2020, the European Commission published its draft Digital Operational Resilience Act (DORA) as part of the Digital Finance Package (DFP). 

Following the publications of the European Parliament and Council's proposals for DORA, the co-legislators held political and technical trilogues throughout H1 2022. The European Council adopted DORA on November 28th, 2022, after the European Parliament voted in favor of the act on November 10th.

DORA will enter into force on 16 January 2023. We expect the first regulatory and implementing technical standards (RTS and ITS) to be developed by the European Supervisory Authorities (ESAs). 

Multiple regulatory and implementing technical standards are defined and issued by the ESAs. They provide entities with specifications and guidance on how to implement specific DORA requirements. 

DORA requirements are enforceable 24 months after entry into force. Therefore, financial entities will be expected to be compliant with DORA by early 2025.

DORA will set the regulatory focus on 5 key pillars

ICT Risk Management

Financial entities are required to set up a comprehensive ICT risk management framework, including: 

  • set-up and maintain resilient ICT systems and tools that minimize the impact of ICT risk,
  • identify, classify and document critical functions and assets,
  • continuously monitor all sources of ICT risks in order to set-up protection and prevention measures,
  • establish prompt detection of anomalous activities, 
  • put in place dedicated and comprehensive business continuity policies and disaster and recovery plans, incl. yearly testing of the plans, covering all supporting functions,
  • establish mechanisms to learn and evolve both from external events as well as the entity’s own ICT incidents.
Follow us

Contact us

Nikolaos Karamesinis

Nikolaos Karamesinis

Director, Cybersecurity, PwC Greece

Dimitra Xintara

Dimitra Xintara

Advisory, Cyber Security & Privacy Senior Manager, PwC Greece

Tel: +30 210 6874400