Digital Operational Resilience Act (DORA)

Are you prepared for application from 2025?

The Digital Operational Resilience Act (DORA or “the Act”), forms part of the European Commission’s digital finance package, which aims to strengthen the resilience of the EU financial sector. Published in the Official Journal of the European Union (OJEU) on 27 December 2022, DORA entered into force on 16 January 2023.

The Act provides consistent rules addressing the digital operational resilience needs of all regulated financial entities and establishes an oversight framework for critical ICT third-party providers (CTPPs). Firms have less than 12 months left to implement the requirements and comply: the Act will apply from 17 January 2025.

The DORA Level 1 requirements are complemented by common draft regulatory technical standards (RTS) and implementing technical standards (ITS), which are to be developed by the European Supervisory Authorities (EBA, EIOPA and ESMA, collectively the ESAs) in the 24 months after the entry into force of the Act. Following the public consultation held from 19 June to 11 September 2023, and one year before the application date, DORA's first set of final draft technical standards was published on 17 January 2024 and has been submitted to the European Commission for adoption.

Gain an understanding of these regulatory shifts by downloading our DORA brochure.

Luxembourg perspective

While the DORA Regulation applies at the European level, local developments in Luxembourg have also provided additional guidance and clarity on ICT-related matters.

The new Circular CSSF 24/847 (applicable from 1 April 2024 for most supervised entities, and from 1 June 2024 for management companies and investment firms) introduces a new ICT-related incident reporting framework aligned with DORA and NIS2 requirements.

Circular CSSF 22/806 on outsourcing arrangements strengthens levels of digital operational risk management required from supervised entities in the context of ICT cloud/non-cloud outsourcing.

Circular CSSF 22/811 on UCI administrators calls on UCI administrators to monitor upcoming requirements arising from DORA when implementing and monitoring ICT resources, business continuity planning and disaster recovery planning.

How can EY help?

Next steps for you and your business

Within our strategic consulting framework, we assist stakeholders across the financial sector in creating, executing, or evaluating the effectiveness of their ICT risk protocols, compliance status, and ongoing risk management strategies (resilience).

Furthermore, EY has developed Third Party Security Risk Management (TPRM) solutions that support management bodies in identifying, assessing, regulating and controlling the risks tied to third parties and contracts. A brief description of some of our services follows.

  • DORA readiness current state assessments & multi-year roadmap: We carry out evaluations using already available mapping data within your organization, such as business impact analysis, privacy data flow maps, and technology asset inventories.
  • Resilience testing & attack simulation: We can evaluate the resilience of your organization by simulating cyberattacks (red teaming, TIBER-LU, etc.), which allows us to test your detection and response capabilities.
  • Incident response services: We provide assistance to your organization in preparing for potential breaches and reducing the impact of any potential security incidents. In this regard, we support your organization in developing, sustaining, and testing your incident response strategy.
  • Third-party profiling, and risk & controls assessments: We conduct risk profiling of services and carry out global assessments, both onsite and remotely, across all risk domains, including resiliency, cyber risk, financial health, and regulatory compliance.
