DORA

Laying the groundwork for digital resilience and transformation

  • Insight
  • June 30, 2025
Since entering into force on 16 January 2023 and becoming applicable two years later, the EU’s Digital Operational Resilience Act (DORA) has marked a pivotal shift in how financial entities and ICT third-party service providers (TPPs) across and beyond Europe approach and manage all digital-related risks.

If not adequately managed and mitigated, cyber threats, operational disruptions and system failures – including those stemming from ICT TPPs – can cause severe harm to the European financial sector.

Therefore, DORA should be seen as a blueprint for building a robust, digitally-enabled financial sector, and implementing it is a shared responsibility across the C-suite. The focus must shift from planning to execution, and from compliance to competitive advantage.

As in-scope entities come to grips with the regulation and its numerous provisions, the senior management of financial entities and ICT TPPs, alongside policymakers and regulators, need to keep a keen eye on several key matters:

CEOs: Act fast, think bold

84% of financial entities believe that failing to adopt AI and digitalisation within the next five years will negatively impact their business models, underscoring the urgency of transformation.

49% of respondents expect AI to reduce their cost base by at least 10%, highlighting its potential as a lever for efficiency.

22% view DORA as a key enabler that drives and accelerates the financial sector’s digital transformation.


From market consolidation among smaller financial entities and ICT TPPs, to the need to be agile when embracing AI, DORA is accelerating structural shifts in the market.

CEOs must guide strategic sourcing, define critical business functions, and ensure transversal implementation of DORA while navigating their firms’ AI adoption and cost/income pressures in a more transparent, resilience-driven market.

COOs: Simplify to scale

45% of financial entities expect onboarding times for ICT TPPs to increase by over 20%.

56% anticipate spending between 6 and 10 days per provider annually.

51% report challenges in embedding DORA into their existing policy and control frameworks.


Chief Operating Officers must reassess their ICT landscapes, streamline internal processes, and embed resilience into the operational core through structured data management and proactive vendor strategies. Cost efficiency and agility will be the defining traits of successful operating models under DORA.

CIOs: Build resilience by design

55% of financial entities are in the process of developing methodologies to define their critical ICT functions and assets.

86% have implemented ICT risk taxonomies, indicating strong momentum in formalising risk governance.

66% see GenAI as the most prominent emerging ICT risk.


As DORA demands a clear understanding of critical ICT functions, a structured risk taxonomy, and proactive management of emerging technologies, Chief Information Officers must translate these regulatory expectations into robust, scalable, harmonised and modern digital infrastructure.

CROs: Make risk measurable and strategic

39% of financial entities have completed their framework for ICT risk quantification.

61% are still in the process of developing their framework for ICT risk quantification.

73% are increasing their ICT security budgets.


DORA is a call to embed ICT risk into the core of the firm’s risk management strategy. Chief Risk Officers must build quantitatively driven risk intelligence into decision-making, ensuring that resilience becomes a competitive advantage.

ICT Service Providers: Compete through compliance

68% of financial entities require critical ICT TPPs to be DORA-compliant.

17% require all their ICT TPPs to be DORA-compliant.

26% are expecting to terminate at least one ICT TPP in 2025 due to DORA-related issues.


Compliance with DORA is a commercial differentiator for ICT TPPs. They must invest in transparency, governance, and resilience to remain relevant in a consolidating market.

European policymakers & regulators: Enable innovation, focus on impact

Policymakers: Align DORA with the European Commission’s strategies and action plans on AI, innovation and startups

Regulators: Rethink the DORA Register and focus on material items to ensure the regulation remains practical, proportionate, and effective


Policymakers must ensure that DORA supports the EU’s ambition to lead in AI and digital innovation, while regulators should focus on material risks and streamline tools such as the DORA Register to ensure they are practical and effective. A balanced, innovation-friendly approach will be key to fostering both resilience and growth across the financial sector.

Contact us

Olivier Carré

Deputy Managing Partner, Technology & Transformation Leader, PwC Luxembourg

Tel: +352 49 48 48 4174

Michael Horvath

Advisory Partner, Sustainability Leader, PwC Luxembourg

Tel: +352 49 48 48 3612

Cécile Liégeois

Clients & Markets Leader, PwC Luxembourg

Tel: +325 621 332 245

Patrice Witz

Advisory Partner, Technology Partner and Digital Leader, PwC Luxembourg

Tel: +352 62133 35 33

Xiaoyi Fang

Senior Manager, Advisory, PwC Luxembourg

Tel: +352 62133 25 05

Vojtech Volf

Senior Manager, Advisory, PwC Luxembourg

Tel: +352 621 334 132

Maxime Pallez

Cybersecurity Director, PwC Luxembourg

Tel: +352 62133 41 66

Thomas Wittische

Audit Managing Director, Risk Assurance, PwC Luxembourg

Tel: +352 621 334 181
