Digitalization of the financial sector has brought significant benefits but has also exposed businesses to rising technology risks, including cyberattacks, system outages, and third-party information and communications technology (ICT) failures. To ensure financial institutions (FIs) remain resilient in the face of these threats, the European Union’s Digital Operational Resilience Act (DORA) sets out detailed requirements for EU-based FIs to protect their key business processes (see sidebar “DORA’s scope”). While DORA has some overlap with other regulations (such as BAIT and VAIT in Germany1), it is the first regulation of its kind to focus on digital resilience across the European financial ecosystem.
As DORA’s enforcement date of January 17, 2025, approaches (some regulatory requirements are not yet finalized), McKinsey has conducted a survey with major European financial institutions and critical ICT third parties to understand their progress in achieving DORA compliance. The results are mixed: most institutions have started the journey, but many will need to do more to meet their obligations on time. In this article, we explore some of the most pressing issues highlighted in our survey, and we reflect on the steps that have put some institutions on a more promising DORA compliance path than that of their peers.
DORA implementation: Where does the industry stand?
European FIs and critical ICT service providers still have time to align their resilience capabilities with DORA requirements—but the window is closing. Our survey finds that 94 percent of FIs are fully engaged in understanding the detailed requirements of the legislation; most are doing so through a dedicated DORA program, with DORA as a board-level agenda item (see sidebar “How one large European financial company tackled the DORA challenge”).
As of April 2024, most organizations say they have completed a gap analysis and are in the process of designing or rolling out implementation programs. Nevertheless, every organization reports some uncertainty—for example, around the precise requirements of the legislation. In particular, respondents point to two challenges:
- limited clarity on the scope of key items (for example, the definitions of critical or important functions [CIFs] and of critical ICT third-party providers)
- concern over the timeline for implementation, considering that the second of two batches of the European Supervisory Authorities’ regulatory technical standards (RTSs) is only set to be finalized in July 2024, and that some regulatory requirements (for example, updating all relevant third-party contracts) require significant lead time for implementation
Regarding the first challenge, one chief information security officer said, “The breadth of the DORA program, given the broad range of topics, is unavoidable. However, the chosen depth of scoping significantly impacts the size of effort required to achieve compliance.”
At some institutions, uncertainty over scoping has led to increased budget allocations (Exhibit 1). Typically, an institution might have earmarked €5 million to €15 million for its DORA program strategy, planning, design, and orchestration. But early estimates for full implementation costs are coming in at five to ten times that range. One large FI reported that its final planned DORA implementation spend across the group amounted to nearly €100 million, split between program orchestration and technology control upgrades. According to our conversations with other FIs, we expect similar multiples across the financial industry—particularly at large companies or those that struggle to adopt a risk-based approach to scoping.
When it comes to DORA program capacity, about 40 percent of financial entities and ICT providers dedicate more than seven full-time equivalents (FTEs), while less than 20 percent have yet to assign dedicated FTEs (Exhibit 2). In our client engagements, several leading organizations say the broad scope of DORA requirements means that different functional areas are driving deliverables, albeit with central coordination. All told, these factors tend to reduce the number of dedicated FTEs.
Program steering is a vital cog in the implementation machine, but our research gives little indication that the industry has arrived at a standardized approach. At about 50 percent of surveyed institutions, the IT organization drives DORA implementation, whereas among the remaining group, a mix of business and oversight functions more commonly take control (Exhibit 3). The prevalent ownership distribution suggests many organizations still see digital resilience as an “IT problem” rather than a groupwide concern.
Regulatory compliance is rarely inexpensive, and most survey respondents feel that maintaining DORA compliance will incur ongoing costs. Among our survey respondents, 70 percent say continuing to meet DORA requirements will result in permanently higher run costs for technology and technology control.
Challenges facing industry participants and ICT service providers
Of the many challenges facing institutions, one that stands out in our survey responses is ICT third-party risk management (Exhibit 4). To manage third-party risk effectively, financial institutions must make significant efforts on two fronts: ensuring comprehensive oversight of all ICT service providers and their associated risk and proactively managing the digital risk associated with critical ICT third-party service providers. To achieve these goals in a cost-effective, end-to-end manner, leading FIs take a risk-based and holistic approach, in turn requiring dedicated processes and technologies.
Once more, a key variable is scoping, and our discussions with major FIs show wide variation in understanding of the legislation’s scope—even among companies working with similar numbers of ICT vendors. For example, in contract remediation, some organizations are focusing on as few as 20 remediations, whereas others plan to remediate as many as 3,000 contracts (see sidebar “Key scoping items for DORA remediation activities”).
An important factor in making remediation decisions is how to define a “critical” ICT third-party service provider. Under Article 31 of DORA, criteria for consideration include systemic impact on stability, continuity and quality of provision of financial services, the number of institutions relying on the provider, and interdependencies among institutions. Organizations must work closely with legal counsel to determine which interpretation of that definition optimally fulfills DORA requirements and boosts digital resilience.
In terms of engagement with third parties, many FIs report challenges when negotiating with smaller entities. One difficulty is that smaller third parties often lack sufficient talent or resources to achieve full DORA compliance and, thus, may struggle to meet requirements on time. Such variations in capabilities among organizations are likely to lengthen the time frame for some implementation programs.
A common structural challenge for a financial institution is in its dual role of engaging with providers and being a provider for others. For instance, a financial institution may offer payments services on behalf of another financial institution, while also using third parties to support its own business services. These twin dynamics can expose the institution to regulatory scrutiny from two angles: it may need to both initiate and respond to contract remediation exercises.
Across the industry, timing is likely to be a significant concern in the months ahead. In our survey, just about a third of financial institutions express confidence that they can fulfill all DORA regulatory expectations by January 2025. Moreover, all expect at least some DORA efforts to continue beyond then (Exhibit 5). Even those that believe they can achieve compliance by January 2025 say that implementation and rollout into “business as usual” across geographies will continue beyond the legal enforcement date.
Taking action: Four strategic imperatives
Preparations for DORA will continue to accelerate in the coming months. As decision makers navigate the process, best practice will be not only to focus on complying with the regulation, but also to reflect broader business goals. We have seen some leading organizations anchor their efforts on four strategic principles.
See the regulation as a resilience opportunity rather than a tick-box exercise
As many as 80 percent of remediation programs fail because they lack a strategic foundation. To prevent DORA programs from succumbing to the same fate, decision makers need to see the program for what it can be: a transformational opportunity to reorganize and enhance processes, tools, and technologies, while boosting resilience. But if institutions simply update policy documents and define system mappings to do the bare minimum, they risk turning their DORA programs into paper tigers—inflating costs with limited impact beyond paper. If, conversely, institutions implement DORA with digital resilience as an objective—by using their DORA program to identify and eradicate ICT risk at scale—they will create a fundamentally stronger financial ecosystem and improve customer trust.
Make resilience business-led
As in many transformative projects, leadership is a critical enabler. We see two vital building blocks:
- Drive the transformation from the top. For an effective transformation, senior managers need to formulate a clear strategy, enhanced by programmatic support structured around the business and its priorities. Regulators’ expectations will be relevant in this context. In one recent examination, the regulator requested evidence that IT risk-management efforts were business-led and involved leaders from the business. Our experience suggests that linking regulatory remediation deliverables to business objectives is key to measuring resilience success, which is possible only when business colleagues are at the helm in driving implementation.
- Appoint a single accountable program owner. While DORA affects multiple functions, a single accountable owner provides a point of coordination and steering. This approach will sharpen strategic oversight and lead to better prioritization and communication throughout the program.
Scope astutely: Take a risk-based approach; define ‘done’ clearly
From our survey, scoping is a significant challenge—and opportunity—as DORA preparations reach their final stages. Our surveyed FIs commonly report struggling with seemingly unending regulatory programs that “boil the ocean” in terms of interpreting and meeting regulatory expectations, consequently with ever-growing scope and costs.
Organizations that precisely define the regulation’s risk-based aims are most likely to execute effectively. They engage in two best practices:
- Implementing requirements based on risk. Leading companies take a risk-based approach to resilience, identifying their most critical processes and prioritizing capability requirements according to risk. This means not creating “one control requirement set to rule them all” but defining risk-differentiated policies and controls based on the business value of different processes. Such an approach yields a more streamlined, efficient application of DORA requirements, optimizing both DORA spend and time to compliance.
- Explicitly defining “done”: when DORA requirements are met and risk is mitigated. Often in the course of regulatory and remediation programs, organizations run into the challenge of proliferating requirements and ever-lengthening timelines. That may occur when internal stakeholders seek to add their own priorities to the list, increasing the effort required. By agreeing from the outset on how to define “done,” a company can save months of program extension, spend, and iteration.
Collectively collaborate to ensure systemic resilience
Business leaders may feel it is counterintuitive to collaborate with competitors on regulatory alignment, but information sharing can actually streamline the implementation process and build trusted networks. We have seen, time and again, the power and impact of cross-industry collaboration on security and regulatory topics. Consider these approaches:
- Invest in information sharing and exchange; candidly communicate how you view scope requirements and challenges. Given that DORA expressly aims to strengthen the resilience of the entire financial ecosystem, it should catalyze collaboration across the European financial industry. Lean into the fact that it makes sense for FIs to work together.
- Use DORA to build digital trust. ICT service providers and FIs can use DORA to boost transparency and build trust in their digital products and services. As quality, resilience, and security improve, so will uptime, access, and fraud-mitigation outcomes. Digital trust can become a value differentiator for customers.
As the deadline for DORA implementation approaches, financial institutions and ICT service providers have their work cut out to achieve the expected level of digital resilience. Scoping exercises and closure of gaps against the final text and RTS batches will demand significant attention in the months ahead.
That said, DORA also presents a valuable opportunity. Institutions have a chance to revisit critical challenges around digital resilience, bring diverse parts of the organization together, and transform fundamental capabilities that will maintain the resilience of the financial ecosystem. Given the systemic reach of digital technologies, financial institutions and ICT providers can work together to increase trust in the industry and create value for the long term.