DORA: A new era of Digital Operational Resilience


How resilient is your organization?


In brief

  • The EU’s Digital Operational Resilience Act (DORA) aims to enhance Digital Operational Resilience in the financial sector.
  • Swiss financial institutions must comply with DORA if they provide ICT services to EU entities.
  • Organizations must adapt their ICT risk management framework, testing and incident management programs and develop robust third-party risk management.

Chapter 1

Introduction

Why is DORA relevant and what does it entail?

Financial organizations are intricately interconnected through technology and shared supply chains. One consequence of these complex formal and informal links is that they are much more vulnerable to cyberattacks. A breach in one firm, or in one of its suppliers, can quickly ripple across the entire sector, threatening assets, highly sensitive data, and even national and global security. Not surprisingly, the EY / IIF Global Bank Risk Management Survey 2025 revealed that cybersecurity risks remain the foremost concern for 75% of Global Chief Risk Officers (CROs), followed by Operational Resilience (cited by 38% of participants). This is consistent with our insights from the insurance sector, where 68% of CROs view cybersecurity risk as the greatest emerging risk as they look ahead to the next three years (EY/IIF Insurance Risk Management Survey 2024).

Precisely with a view to mitigating such risks, the European Union (EU) introduced the Digital Operational Resilience Act (DORA). Effective since 16 January 2023 and mandatory since 17 January 2025, DORA aims to enhance Digital Operational Resilience (DOR) within the financial services sector, emphasizing a shift from a focus on security controls to a more comprehensive approach to Information and Communication Technology (ICT) risk management and the development of resilient enterprises. Specifically, DORA comprises four pillars as illustrated below.

Although Switzerland is not directly subject to DORA as an EU regulation, many of its financial institutions are affected. Specifically, centralized ICT services provided by Swiss-based legal entities or headquarters to entities located in the EU fall within the scope of DORA.

Chapter 2

DORA readiness

What are the key challenges experienced by institutions and how can they be resolved?

In recent years, we’ve supported a large number of financial institutions with DORA-related projects. Below, we share key insights from our experience, highlighting some of the challenges we observed across each of the four DORA pillars and the lessons learned in helping organizations tackle them.

Chapter 3

DORA next steps

How are institutions approaching the operationalization of newly introduced processes and controls?

In recent years, financial institutions have concentrated their efforts on achieving compliance with DORA, with a particular emphasis on design effectiveness and closing existing gaps. As organizations begin to move beyond the initial adaptation to DORA, many are now taking the next step by operationalizing the newly introduced processes and controls, integrating them into their existing systems.

A significant concern in the realm of Business Continuity Management (BCM) is the set of comprehensive requirements imposed by DORA for testing Business Continuity Plans (BCPs), particularly as regards third-party dependencies. Organizations must integrate third-party ICT services into their testing activities and take into account risks such as insolvency, service failures and political instability. Compliance with these requirements poses a considerable challenge; the EY Global Third-Party Risk Management (TPRM) 2024 Survey indicates that only 47.8% of organizations maintain BCPs for critical third parties, and a mere 42.2% actively test them.

As financial institutions navigate DORA implementation, aligning incident response and reporting processes with obligations from FINMA and the Swiss National Cyber Security Centre (NCSC) is essential. Updated incident response protocols must be rigorously tested for operational effectiveness through cyber incident simulations tailored to specific threats. Furthermore, DOR testing should extend beyond threat-led penetration testing (TLPT) for critical or important functions, incorporating a range of assessments such as vulnerability scanning, penetration tests and security risk evaluations to ensure robust DOR.

In view of the increasing reliance on third parties, there is a corresponding increased need for organizations to implement effective risk monitoring measures. According to the EY Global & Swiss Cybersecurity Leadership Insights Study 2023, 61% of Swiss Chief Information Security Officers express concerns about supply chain risks, highlighting the urgent need for a comprehensive TPRM risk assessment framework and suitable tools. In response to the growing demand for TPRM resources and expertise, financial institutions are actively exploring options such as TPRM as a service, co-sourcing, and AI-driven solutions for semi-automated assessments. Notably, 50% of organizations plan to leverage AI for TPRM assessments within the next two to three years, while 65% aim to increase their use of TPRM co-sourcing services and 46% prefer managed TPRM solutions.

Chapter 4

DORA assurance

What is the most efficient way to achieve DORA assurance?

With DORA requirements mandatory since January 2025, many companies are expressing concerns about DORA assurance and how to address it efficiently for the three main use cases:

Three key domains

DORA assurance requirements for legal entities directly subject to DORA: Financial institutions are required to establish a multi-year internal audit plan that encompasses the ICT risk management framework, demonstrating both the frequency and focus of audits. Additionally, internal auditors must enhance their skills related to ICT risks to effectively address these challenges.

DORA assurance requirements for intra-group third parties providing ICT services to affected legal entities: When a legal entity directly subject to DORA uses ICT services from another legal entity within the same group, the latter is deemed an intra-group third party. DORA treats these providers similarly to traditional third parties, meaning that the consuming legal entity must ensure that the services provided are DORA compliant. Conducting separate audits for each legal entity using the same service is inefficient; instead, the group’s internal audit team or external auditor should produce a single audit report for distribution to all legal entities consuming the service.


DORA assurance for third parties: DORA requires financial institutions to go beyond relying exclusively on third-party certifications and assurance reports. Instead, they must perform their own audits or engage external auditors. This marks a significant shift from previous regulations, which did not require external audits, and it will demand additional resources. However, organizations can reduce audit effort and frequency by using assurance reports specifically extended to cover DORA requirements, such as those prepared in accordance with the AICPA’s System and Organization Controls (SOC) and the International Standards on Assurance Engagements (ISAE).

Summary

While many companies have successfully designed their DORA frameworks, the journey toward Digital Operational Resilience is far from complete. Organizations must ensure that new processes are effectively operationalized and rigorously tested. Additionally, it is essential to consider where third parties need to be involved and how to do so effectively. Finally, ongoing monitoring of compliance and oversight requires carefully considered strategic decisions around DORA assurance, both within the organization and with respect to third parties.

Acknowledgement

Many thanks to Sebastian Pfaffen, Yulia Brun and Nikita Amitabh for their valuable contribution to this article.
