Shaping resilience: what financial institutions need to consider now

Digital Operational Resilience Act (DORA)


Your expert for questions

Philipp Schulz
Partner, DORA Lead at PwC Germany

Harmonising security across the EU financial sector

With the DORA regulation (Digital Operational Resilience Act), the European Commission aims to strengthen the digital resilience of the financial sector in the EU. For the first time, the regulation creates a uniform framework for managing ICT and cyber risks, with a focus on maintaining business operations even in the event of severe IT disruptions or cyberattacks.

Given the increasing threat landscape, it is crucial for financial institutions to align their systems and processes with DORA at an early stage and to establish sustainable resilience. While implementation involves additional requirements and investments, it also presents an opportunity to structurally strengthen cyber resilience and sustainably harmonize security standards.

DORA therefore fundamentally changes how financial institutions view risk, resilience and regulation. At PwC, we go beyond pure compliance: we help you build operational resilience that protects your business, strengthens stakeholder trust and creates long-term value. Our experts support you throughout the entire DORA lifecycle – from strategic planning and technical implementation to audit preparation – with tailored services and deep industry expertise.

Key facts about the DORA regulation at a glance:

In a world of geopolitical uncertainty, cyber threats and digital dependencies, operational resilience is a strategic necessity. DORA establishes a harmonized framework for financial institutions to manage ICT risks, ensure continuity even in the event of severe ICT disruptions or cyberattacks, and protect the financial system.

DORA establishes uniform EU-wide requirements for ICT and cyber risk management, incident reporting, testing of implemented measures and the management of third parties. The focus is on five core areas: ICT risk management, incident management, resilience testing, third-party risk management and information sharing.

DORA entered into force on 16 January 2023 and has been applicable since 17 January 2025. Companies should now have completed their DORA compliance, as the final technical regulatory standards (RTS/ITS) were published in the first half of 2025 and all requirements are now known.

“DORA is more than a regulation – it is a wake-up call for the financial industry. Organisations need to rethink resilience: not as a compliance obligation, but as a competitive advantage. PwC supports you in turning this challenge into a strategic advantage.”

Philipp Schulz, Partner and DORA Lead at PwC Germany

Our DORA services

Together, we assess your DORA maturity and identify prioritised areas for action.

We establish clear structures, roles and decision-making processes for your resilience.

Support in establishing effective controls and managing ICT and third-party risks.

Ongoing testing and monitoring to sustainably strengthen your operational resilience.

Strengthening audit readiness and secure audit support.

Increasing efficiency and automation through AI solutions and strong alliances.


DORA places its regulatory emphasis on five key pillars

Operational resilience and risk management

Financial firms are obliged to put a comprehensive ICT risk management system in place, including:

  • Establishment and maintenance of robust ICT systems and tools that minimise the effects of ICT risks,
  • Key elements such as the identification, classification and documentation of critical functions,
  • Continuous monitoring of all sources of ICT risks, in order to put protection and prevention measures in place,
  • Immediate identification of abnormal activities,
  • Introduction of dedicated, comprehensive business continuity policies and contingency and recovery plans, including annual tests of those plans, all of which also cover supporting functions,
  • Establishment of mechanisms in order to learn both from external events, and from internal ICT incidents, and to continue to develop.

Management of ICT incidents and cyber security

Financial firms are obliged:

  • To develop a proven method to log and classify all ICT incidents and to determine major incidents pursuant to the criteria listed in the regulation and further specified by the European supervisory authorities (EBA, EIOPA and ESMA),
  • To present an initial, interim and concluding report about ICT-related incidents,
  • To harmonize the reporting on ICT-related incidents based on the standard templates developed by the ESAs.

Digital Operational Resilience Testing

The regulation obliges all establishments to:

  • Conduct fundamental tests of ICT tools and systems each year,
  • Identify, mitigate and eliminate any weak points, gaps or deficiencies without delay by taking countermeasures,
  • Regularly undertake advanced threat-led penetration tests (TLPT) for ICT services supporting critical functions. Third-party providers of ICT services are obliged to take part in the tests and to cooperate fully.

Governance and management of third parties

The financial firms are obliged:

  • To ensure sound monitoring of the risks arising from employing third-party ICT service providers,
  • To provide a full register of outsourced activities, including internal group services and all changes to the outsourcing of critical services to ICT service providers,
  • To consider the IT concentration risk and the risks arising from sub-outsourcing activities,
  • To harmonize key elements of the service and the relationship with third-party ICT service providers in order to achieve “complete” monitoring,
  • To ensure that agreements with third-party ICT service providers contain all necessary details for monitoring and accessibility, such as a full description of the scope of services, providing the locations where the data is processed, etc.,
  • Critical ICT service providers will be subject to an EU supervisory framework that can issue recommendations to mitigate identified ICT risks. Financial firms must take account of the resulting ICT third-party risk if their service provider does not observe the recommendations that have been laid down.

Information exchange

  • The regulation allows financial firms to reach agreements among themselves on the exchange of information and insights in relation to cyber threats.
  • The supervisory authority will provide financial firms with relevant anonymised information and insights in relation to cyber threats. Companies should therefore put mechanisms in place to examine the information that has been passed on by the authorities and take measures accordingly.

DORA Asset Library

Webcast recordings, whitepapers and practical guidance across the DORA pillars are available for download here. Register once to gain access to all DORA assets and secure all relevant insights.


Contact us

Philipp Schulz

Partner, DORA Lead, PwC Germany

Tel: +49 151 46164136

Rüdiger Giebichenstein

Partner, IT Resilience Insurance, PwC Germany

Tel: +49 175 7954901