2 minute read 9 Aug 2022
Digital Operational Resilience Act new regulations

How will the Digital Operational Resilience Act impact your organization?

By EY Denmark

Multidisciplinary professional services organization.

2 minute read 9 Aug 2022
Related topics Risk

The proposed Digital Operational Resilience Act (DORA) aims to harmonize ICT risk requirements across Europe. What does that mean for you?

The Digital Operational Resilience Act (DORA) Proposal was published in response to the European Commission’s Digital Finance Strategy (September 2020), which tackles digital transformation risk mitigation through prescriptive and consistent rules on digital operational resilience. It aims to create one unified approach across Europe, across regulators and across the financial services industry.

Whilst official regulation is still in draft form within Europe, regulators expect financial institutions to begin focussing on operational resilience. Moreover, we see an increased interest in the Danish financial services sector. The December 2020 Statement issued by the European Central Bank (ECB) regarding supervisory cooperation on operational resilience focused on the following key points:

  • The importance of operational resilience and the ability of banks to recover from operational disruption,
  • The recognition of activities undertaken by the industry to date (while acknowledging that more work is to be done to ensure resilience against operational disruption),
  • The requirement to ensure that banks are resilient to potential operational disruptions from all hazards, including severe but plausible cybersecurity incidents,
  • The ECB’s commitment to working closely with the Fed and PRA to coordinate supervisory approaches.

Operational Resilience is an existing key strategic theme across the financial services industry as well as wider across Information Communications and Technology companies providing services to financial services firms. To date, we have seen a number of interest groups publish their approach to Operational Resilience and DORA specifically. We also see an increased focus on operational resilience in countries such as the UK and the US which further drive the need for alignment.

DORA will apply to the whole financial sector. It will also apply to firms captured within the expanded regulatory perimeter under the term ‘critical ICT third-party service providers’, which will include services such as cloud resources, data analytics and audit.

Although the Act is currently still in draft form and the final regulations are only expected to be published by 2022, it is imperative for firms to start thinking about, and working on, their operational resilience journey.

Below you may find DORA’s specific objectives:

  1. Address ICT risks and strengthen digital resilience,

  2. Streamline ICT-incident reporting,

  3. Provide access for supervisors to ICT incident-related information,

  4. Ensure assessment of preventive and resilience measures,

  5. Facilitate cross-border acceptance of testing results,

  6. Govern the monitoring of ICT third-party providers,

  7. Oversee critical ICT third-party providers,

  8. Exchange threat intelligence.

Despite this regulation being brand new, EY can help you prepare. We have a track record of delivering operational resilience transformation projects through our multidisciplinary teams, and can help you evolve, grow and comply in this rapidly changing regulatory environment.



While DORA is not expected to enter into force before 2022, firms should start getting ready. Indeed, the regulation covers a wide range of aspects, with 8 specific objectives for which all financial services institutions need to be prepared.

About this article

By EY Denmark

Multidisciplinary professional services organization.

Related topics Risk