The EU’s Digital Operational Resilience Act (DORA) seeks to strengthen the European financial sector’s resilience, harmonise existing legislations on digital operational resilience, promote the integration of information and communication technologies (ICT) risks within overarching risk management policies, and provide transparency with regards to ICT third party providers. Given that it applies to virtually all financial entities in Europe, DORA is poised to significantly alter their internal operations and bring about the need for strategic business choices, new requirements in operational and ICT set-up as well as training and upskilling needs.
DORA has an extra-territorial component, as entities outside of the EU which provide ICT services to financial entities within the EU will be required to comply with its provisions.
DORA as a shared responsibility
Financial entities are in a race against time
They will need to be compliant with DORA by the beginning of 2025, and the C-Suite of the financial sector needs to act fast:
- Chief Executive Officers (CEOs)
- Chief Risk Officers (CROs)
- Chief Operating Officers (COOs)
- Chief Information Officers (CIOs)
- Chief Information Security Officers (CISOs)
Chief Executive Officers (CEOs)
Chief Executive Officers (CEOs) will have a pivotal role to play in steering their firms towards DORA compliance. CEOs should view DORA as a moment for strategic business transformation and, given the regulation’s multifaceted nature, should ensure a transversal implementation across the firm. The CEO will need to provide guidance to all relevant stakeholders within the firm, and should be informed of what other involved parties – such as the group functions (i.e. ICT, risk management, and COO) and supervisory authorities – anticipate with regards to DORA implementation. In addition, given that operational resilience incidents will become more visible via DORA, the CEO will need to weigh the different opportunities and risks involved in the whole transformation, particularly when it comes to outsourcing ICT services.
Chief Risk Officers (CROs)
Chief Risk Officers (CROs) will need to integrate and quantify a company's ICT risks in a holistic manner, and ensure that they are part of the overall risk evaluation alongside other existing risks. CROs will also need to evaluate internal and external risks, such as reputational and legal risks, in case a major cyber attack or operational incident takes place.
Chief Operating Officers (COOs)
Chief Operating Officers (COOs) will need to review existing processes and determine where the opportunities to scale operations are and review existing ICT outsourcing chains with the view of aligning operational resilience with efficiency and long-term scalability.
Chief Information Officers (CIOs)
Chief Information Officers (CIOs) play a key role in carrying out the initial transversal risk assessment and evaluation at the start of the DORA compliance journey. CIOs will also need to determine how their firms’ ICT landscapes can be simplified while simultaneously increasing operational resilience, and how more resilient solutions and a resilient-by-design approach can be achieved. Ultimately, the CIO is the focal point between the firm’s ICT department and the C-Suite management, and DORA presents an opportunity to question the current ICT situation, enhance corporate ICT governance, and redesign ICT architecture and service levels as well as provider management.
Chief Information Security Officers (CISOs)
Chief Information Security Officers (CISOs) are responsible for identifying and assessing all cybersecurity-specific risks, informing the firm’s leadership of such risks, and preparing plans to deal with the threats. The CISOs are also required to independently assess the company-wide risk treatment plan which the CIO prepares, as well as contributing to the development of the risk mitigation strategy for the firm and ensuring digital operational resilience by performing regulator controls and tests. Lastly, CISOs must inform the firm’s leadership about both attacks and major vulnerabilities, and educate them on ICT and security topics via informative meetings and workshops. In return, the leadership should contribute to the development of the target operating model and ensure that the firm’s cybersecurity apparatus is provided with all the resources necessary.
Failure to abide by DORA within the deadline prescribed could incur significant harm – be it large fines, significant reputational harm, or even criminal charges. Rather than seeing it as a mere compliance matter, financial entities should view it as an opportunity to enhance their digital operational resilience and proactively ready themselves for upcoming regulations pertaining to other facets of the digital realm, namely Artificial Intelligence.
DORA implementation timeline
DORA - What Matters Now for Your Business Resilience
Contact us
Olivier Carré
Deputy Managing Partner, Technology & Transformation Leader, PwC Luxembourg
Tel: +352 49 48 48 4174
Michael Horvath
Advisory Partner, Regulatory & Change Management, PwC Luxembourg
Tel: +352 49 48 48 3612
Patrice Witz
Advisory Partner, Technology Partner and Digital Leader, PwC Luxembourg
Tel: +352 62133 35 33