Digital Operational Resilience Act (DORA)

Are you prepared for application from 2025?

The Digital Operational Resilience Act (DORA or “the Act”), forms part of the European Commission’s digital finance package, which aims to strengthen the resilience of the EU financial sector. Published in the Official Journal of the European Union (OJEU) on 27 December 2022, DORA entered into force on 16 January 2023.

The Act provides consistent rules addressing the digital operational resilience needs of all regulated financial entities and establishes an oversight framework for critical ICT third-party providers (CCTPs). Firms have less than 12 months left to implement the requirements and comply. The Act will apply from 17 January 2025.

DORA Level 1 requirements are also complemented by common draft regulatory technical standards (RTS) and implementation standards (ITS), which are to be developed by the European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) in the 24 months after the entry into force of the Act. Following the public consultation which took place from 19 June to 11 September 2023 and one year before the application date, DORA’s first set of final draft technical standards was published on 17 January 2024, and has been submitted to the European Commission for adoption.


Grasp an understanding of these regulatory shifts by downloading our informative DORA brochure

  • Why was DORA introduced?

    The objective of DORA is to reduce the risks associated with digital transformation by implementing uniform rules on operational resilience throughout the EU. This has been initiated in order to:

    1. Mitigate risk posed by growing vulnerabilities, due to the increasing interconnectivity of the financial sector 
    2. Address the shift in risk profile as a result of the increase in financial services digital adoption
    3. Acknowledge and address the third-party reliance underpinning the stability of the financial sector 
    4. Adopt a single, consistent supervisory approach to operational resilience across the single market


  • Who is impacted by DORA?

    DORA is applicable to regulated financial institutions including traditional institutions such as credit institutions, payment institutions and insurers, as well as crypto-asset service providers (CASPs), crypto-asset issuers and electronic money institutions (EMIs). Financial information managers, data information service providers, credit rating agencies, and CCTPs (i.e., digital and data service providers, including cloud service providers, software, data analytics services, and data centers), are also in scope. 

    While the rules cover all financial entities, their applicability will depend on the size of the entity, its activity and the overall risk to which it is subjected. Micro-enterprises will benefit from this flexibility and will be subject to proportionate application of requirements on ICT risk management, digital resilience testing, reporting of major ICT-related incidents and oversight of critical CCTPs.

  • What does DORA entail?

    DORA provides a set of rules addressing digital operational resilience needs of all regulated financial entities and establishes an oversight framework for critical ICT third-party providers (CCTPs). The main pillars are:

    • ICT risk management
    • ICT-related incident reporting
    • Resilience testing
    • ICT third-party risk
    • Information sharing


Luxembourg perspective

While the DORA Regulation comes at the European level, developments locally in Luxembourg have also provided additional guidance and clarity on ICT-related matters.

New Circular CSSF Circular 24/847 (applicable from 1 April 2024 for most supervised entities, and from 1 June 2024 for management companies and investment firms) introduces a new ICT-related incident reporting framework aligned with DORA and NIS2 requirements.

Circular CSSF 22/806 on outsourcing arrangements strengthens levels of digital operational risk management required from supervised entities in the context of ICT cloud/non-cloud outsourcing.

Circular CSSF 22/811 on UCI administrators calls on UCI administrators to monitor upcoming requirements arising from DORA when implementing and monitoring ICT resources, business continuity planning and disaster recovery planning.

How EY can help?

Next steps for you and your business

Within our strategic consulting framework, we assist various stakeholders in the financial sector in creating, executing, or evaluating the effectiveness of their ICT risk protocols, compliance status, and ongoing risk management strategies (resilience). 

Furthermore, EY has formulated Third Party Security Risk Management (TPRM) solutions, supporting management bodies and enabling them to identify, assess, regulate and control the risks tied to third parties and contracts. A brief explanation of some of our services follows.

  • DORA readiness current state assessments & multi-year roadmap: We carry out evaluations using already available mapping data within your organization, such as business impact analysis, privacy data flow maps, and technology asset inventories.
  • Resilience testing & attack simulation: We can evaluate the resilience of your organization by simulating cyberattacks (red teaming, TIBER-LU, etc.), which allows us to test your detection and response capabilities.
  • Incident response services: We provide assistance to your organization in preparing for potential breaches and reducing the impact of any potential security incidents. In this regard, we support your organization in developing, sustaining, and testing your incident response strategy.
  • Third party profiling, and risk & controls assessments: We conduct risk profiling of services and implement global assessments both onsite and remotely across all risk domains. These domains include aspects such as resiliency, cyber risk, financial health, and regulatory compliance.