Digital Operational Resilience Act (DORA)

Consumer protection and financial stability

With new laws and regulations, the European Union is striving for a competitive financial sector that gives consumers access to innovative financial products while at the same time guaranteeing consumer protection and financial stability. The need for new laws and regulations stems from the financial market's increasing dependence on ICT.

Legislative proposal DORA

On 24 September 2020, the European Commission published its draft Digital Operational Resilience Act (DORA) as part of the Digital Finance Package (DFP). The voluminous DFP presented by the Commission includes, among others, the following: a digital finance strategy, legislative proposals on crypto-assets and digital resilience, and a renewed retail payments strategy. On 10 November 2022, the European Parliament voted on the Digital Operational Resilience Act (DORA) and the Amending Directive regarding Digital Operational Resilience requirements.

The legislative proposal largely builds on regulatory initiatives introduced by various European regulators, including the European Central Bank (ECB), and combines them in one regulation. Basically every financial market participant is impacted by DORA, such as banks, investment firms, management companies, crypto asset providers, insurance companies, trading venues and more. DORA shifts the focus from only guaranteeing firms’ financial resilience to also ensuring they can maintain resilient operations through an incident of severe operational disruption.

New compliance obligations

DORA is a cornerstone of the EU’s work on digital finance. With DORA, organisations widen their focus: the resilience of companies should not only be analysed, but also proven, in the sense that firms must demonstrate that they can withstand, respond to and recover from all types of ICT-related disruptions and threats.

DORA introduces new compliance obligations across the entire EU financial sector. In addition, DORA will give financial supervisors direct oversight over ICT providers that are critical to the EU financial system.

The Act entered into force on 16 January 2023.

How can PwC help you?

Due to our broad experience in the interpretation and implementation of new regulations, our experts can help you understand the new obligations and support you in the ICT transformation. Understanding the obligations is key to a proper transformation, so we recommend:

  • Performing a DORA readiness assessment and gap analysis to determine your current level of compliance and the most adequate path towards remediation.
  • Working directly on accelerating the DORA compliance items you may have already identified, such as the (re)design of your ICT risk management framework and operating model, planning and executing operational resilience testing, accelerating your third-party risk management efforts, or adjusting your current information sharing arrangements. This also includes leveraging, where applicable, your current compliance activities to minimise the effort required to achieve DORA compliance in a cost-effective manner.


Please don’t hesitate to contact us to discuss any of these matters. We’re happy to support you.

Contact us

Anthony Kruizinga

Partner, Risk & Regulation lead, PwC Netherlands

Tel: +31 (0)61 308 76 37