Digital Operational Resilience Act (DORA)

On 16 January 2023, the Digital Operational Resilience Act (DORA) entered into force

Today, information and communication technology (ICT) plays a vital role in the financial industry and the volume of data processed every day ever increases – with no end in sight. The regulatory landscape that addressed operational resilience with respect to services provided and regulatory compliance for financial entities in Europe was until the entry into force of DORA very heterogenous. Banking institutions were for example facing much higher regulatory standards on paper than other financial entities such as Management Companies, Alternative Fund Managers and Insurance Companies.



As of January 2025 around 22,000 of EU regulated financial entities (e.g. banks, insurance companies, management companies, AIFMs, PSF (expected)) are required to comply with uniform regulatory standards that have two main objectives:

  • Build, assure and review the operational integrity of the service and operating model to ensure the continued provision of (the quality of) the financial services including throughout disruptions; and 

  • Limit the risk of contagion within the EU financial system by prescribing a harmonised minimum standard of digital operational resilience. 

What topics does DORA cover?

DORA is establishing several pillars with detailed and specific requirements to be considered. Next to the pillars shown below, DORA also details Governance requirements that specifically address the expectation for skills and expertise, involvement and understanding of ICT at local (management) level as well as the establishment of a new 2nd line control function for operational ICT risk. 

Below you will find a selection of the topics that are relevant within the different DORA pillars.

  • Complete mapping of processes, information assets and ICT assets for critical/important business functions
  • Digital Operational Resilience Strategy
  • Enterprise architecture resilience & BCM

  • Reporting of ICT-related incidents & cyber threats
  • Root-cause analysis following ICT incidents
  • Identification and reporting of improvements

  • Annual ICT testing activities
  • (Threat-led) penetration testing
  • Collaboration with ICT third-party providers

  • Reporting complete "outsourcing" register
  • Ensuring complete monitoring of 3rd party services 
  • Implementation of specific contractual clauses

  • Arrangements for exchange of threat intelligence
  • Collaboration among trusted communities of financial entities
  • Mechanisms to review and act on shared intelligence

DORA enters into force in January 2025 – how should you start?

DORA is an all-encompassing regulation that will challenge every organisation to its core. We recommend the following approach:

Digital Operational Resilience Act - Steps

We recommend starting in 2023 as some of the foundations that are required to implement a successful DORA project will require a significant lead time and business decisions on the service and business model set-up.

Digital Operational Resilience Act - Steps


{{contentList.dataService.numberHits}} {{contentList.dataService.numberHits == 1 ? 'result' : 'results'}}

DORA roundtable event series

Contact us

Olivier Carré

Deputy Managing Partner, Technology & Transformation Leader, PwC Luxembourg

Tel: +352 49 48 48 4174

Koen Maris

Advisory Partner, Cybersecurity & Privacy Leader, PwC Luxembourg

Tel: +352 49 48 48 2096

Michael Horvath

Advisory Partner, Regulatory & Change Management, PwC Luxembourg

Tel: +352 49 48 48 3612

Patrice Witz

Advisory Partner, Technology Partner and Digital Leader, PwC Luxembourg

Tel: +352 62133 35 33