DORA (Digital Operational Resilience Act)

The Council of the European Union formally adopted the Digital Operational Resilience Act (DORA) to ensure that digital infrastructure, including systems and networks that underpin critical services in the financial sector, is secure and resilient to potential threats.

Financial institutions have a relatively short time to comply with the regulatory requirements. The two-year deadline started on 16 January 2023, when the Digital Operational Resilience Act (DORA) came into force.


Objectives of the DORA

DORA aims to improve the cybersecurity and operational resilience of all regulated European financial institutions and key third parties that provide ICT-related services to these institutions. While cyber attacks cannot be avoided, financial stability in Europe can still be achieved if organisations mitigate the impact of cyber threats on information and communication technologies (ICT).

Who is responsible for compliance?

Responsibility for compliance with the requirements imposed by DORA rests with management. Management will be responsible for reviewing, approving, implementing and updating the ICT risk management framework, and should therefore have a full understanding of the organisation's ICT usage, services and risk profile. Companies should consider reassessing how the current system of reporting by ICT teams to senior management works in practice. Financial institutions covered by DORA will be required to designate a senior manager who is responsible for digital operational resilience and for incident reporting to the relevant authorities.

DORA timetable


What does this mean for the entity and how can BDO help?

To comply with DORA, banks will need robust risk management systems and processes in place.

  • We will conduct a GAP analysis of compliance with regulatory requirements
  • We will assist in aligning business strategy with cyber risk management and maintaining a comprehensive and effective risk management framework

DORA also aims to harmonise incident classification and reporting processes. Early detection of incidents and a rapid response are essential.

What can BDO help with?

  • We will suggest how to adapt to the new EU rules in terms of reporting and align internal processes in this regard to optimise resource allocation.

What can BDO help with?

  • We can perform vulnerability scanning and penetration testing. If required, we will implement robust business continuity and disaster recovery testing.
  • We will design and develop an appropriate solution, help with process integration and tool support to share information about these threats.

Banks should assess whether their response and recovery strategies and plans adequately address the enhanced risk management rules.

What can BDO help with?

  • BDO's cybersecurity services are based on leading practices and driven by global regulatory requirements.
  • As a result, we can provide our clients with a holistic solution to manage complexities within third-party ecosystems.

Compliance with the Directive

Although the DORA regulation allows for a transition period until 17 January 2025, we recommend that organisations affected by the regulation start preparations immediately. We recommend that a phased approach is adopted, whereby entities in scope develop a DORA compliance programme with the aim of achieving compliance by the end of the transition period. Failure to achieve compliance may lead to severe penalties from January 2025.

Sanctions for breaches of obligations

EU Member States will have the right to impose sanctions for breaches of obligations, which means that the competent authorities can impose significant penalties for non-compliance. These penalties take the form of a periodic penalty payment of 1% of the organisation's average daily worldwide turnover in the previous financial year. The penalty is applied by the Lead Overseer on a daily basis until compliance is achieved, for a maximum of six months.

Which entities are affected by DORA?

The Regulation applies to a number of EU regulated financial institutions, including credit institutions, payment institutions, securities dealers, insurance companies and others. It will also apply to ICT service providers.

This category includes, for example, cloud service providers, software providers and data centres. On the other hand, some operators of payment and credit card systems are exempted. In particular, micro-enterprises (up to 10 persons with an annual turnover of less than €2 million) are granted significant relief from certain obligations. For example, they are not obliged to establish, maintain and review a so-called comprehensive programme of digital operational resilience testing.

  • Credit institutions
  • Payment institutions
  • Account information service providers
  • Electronic money institutions
  • Investment firms
  • Cryptoasset service providers and issuers of tokens referencing assets
  • Central securities depositories
  • Central counterparties
  • Trading venues
  • Trade repositories
  • Alternative investment fund managers
  • Management companies
  • Data reporting service providers
  • Insurance and reinsurance companies
  • Institutions for occupational pension insurance
  • Insurance intermediaries, reinsurance intermediaries and supplementary insurance intermediaries
  • Administrators of critical benchmarks
  • Rating agencies
  • Crowdfunding service providers
  • Securitisation repositories

Third party ICT service providers

  • Cloud computing service providers
  • Data analysis services
  • Enterprises that are part of a financial group and provide ICT services mainly to their parent or to subsidiaries or branches of their parent
  • Data centre service providers
  • Software
  • Financial entities providing ICT services to other financial entities
  • Participants in the payment services ecosystem that provide payment processing activities or operate payment infrastructure

* The entities listed are examples of third party ICT service providers.

Entities excluded from the scope of DORA

  • Alternative investment fund managers as referred to in Article 3(2) of Directive 2011/61/EU;
  • Insurance and reinsurance undertakings referred to in Article 4 of Directive 2009/138/EC;
  • Institutions for occupational retirement provision which operate pension schemes which together have no more than 15 members;
  • Natural or legal persons exempted under Articles 2 and 3 of Directive 2014/65/EU;
  • Insurance intermediaries, reinsurance intermediaries and supplementary insurance intermediaries which are micro, small or medium-sized enterprises;
  • Post office giro institutions as referred to in Article 2(5)(3) of Directive 2013/36/EU.

A practical approach to DORA compliance


Compliance with the DORA Directive: Our solution

At BDO we offer services in the field of information and cyber security. We can help you secure your information and assets to minimise potential threats. We also cover other legislative requirements, in particular ISO standards and the Cyber Security Act (CSA).

  • We provide expert advice on DORA compliance, including risk assessment and gap analysis, incident management, business continuity plans, cybersecurity, and continuous support and monitoring.

  • We can also help you implement services that ensure the security and resilience of your IT infrastructure against potential threats, including penetration testing, vulnerability assessment, incident response planning and building an incident management system.

  • We will train your staff to understand the purpose of the DORA regulation and the principles of the measures in place. We will explain how they can play their part in helping to meet the requirements.

Main contacts