Europe’s new resilience regime: The race to get ready for DORA

(9 pages)

Digitalization of the financial sector has brought significant benefits but has also exposed businesses to rising technology risks, including cyberattacks, system outages, and third-party information and communications technology (ICT) failures. To ensure financial institutions (FIs) remain resilient in the face of these threats, the European Union’s Digital Operational Resilience Act (DORA) sets out detailed requirements for EU-based FIs to protect their key business processes (see sidebar “DORA’s scope”). While DORA has some overlap with other regulations (such as BAIT and VAIT in Germany¹), it is the first regulation of its kind to focus on digital resilience across the European financial ecosystem.

As DORA’s enforcement date of January 17, 2025, approaches (some regulatory requirements are not yet finalized), McKinsey has conducted a survey with major European financial institutions and critical ICT third parties to understand their progress in achieving DORA compliance. The results are mixed: most institutions have started the journey, but many will need to do more to meet their obligations on time. In this article, we explore some of the most pressing issues highlighted in our survey, and we reflect on the steps that have put some institutions on a more promising DORA compliance path than that of their peers.

DORA implementation: Where does the industry stand?

DORA’s scope

The DORA regulation comprises five main content chapters, supported by two batches of regulatory technical standards (RTSs) and implementing technical standards. In total, the documents contain more than 600 pages and 1,100 lines of requirements relevant to financial institutions and ICT third parties. The chapters of the final text focus on the following components:

ICT risk management requires an internal risk-management framework and strategy; risk tolerance; policies, procedures, and protocols; and an independent control function.
ICT-related incident management, classification, and reporting involves defining, establishing, and implementing a process to manage and record incidents and cyberthreats—and to centralize reporting.
Digital operational resilience testing mandates a risk-based approach to all testing, including physical testing, application testing, technology resilience (“switchover”) testing, and threat-led penetration testing (TLPT).
Management of third-party risk requires an ICT risk-management framework, third-party register, risk assessments, analysis of concentration risk, and continued monitoring and auditing of ICT third-party service providers that support critical business services.
Information-sharing arrangements allow FIs to exchange cyberthreat information and intelligence and require them to notify competent authorities of information-sharing arrangements.

European FIs and critical ICT service providers still have time to align their resilience capabilities with DORA requirements—but the window is closing. Our survey finds that 94 percent of FIs are fully engaged in understanding the detailed requirements of the legislation; most are doing so through a dedicated DORA program, with DORA as a board-level agenda item (see sidebar “How one large European financial company tackled the DORA challenge”).

As of April 2024, most organizations say they have completed a gap analysis and are in the process of designing or rolling out implementation programs. Nevertheless, every organization reports some uncertainty—for example, around the precise requirements of the legislation. In particular, respondents point to two challenges:

limited clarity on the scope of key items (for example, the definitions of critical or important functions [CIFs] and of critical ICT third-party providers)
concern over the timeline for implementation, considering that the second of two batches of the European Supervisory Authorities’ regulatory technical standards (RTSs) is only set to be finalized in July 2024, and that some regulatory requirements (for example, updating all relevant third-party contracts) require significant lead time for implementation

How one large European financial company tackled the DORA challenge

An EU-based, market-leading financial institution with operations in more than 50 countries had just completed a major technology risk-remediation program in 2023 and had to rapidly shift efforts to meet DORA requirements. In the fourth quarter of 2023, the organization established a small DORA program focused on compliance in a few defined areas, but it lacked the ability to scale and execute across the group in a risk-based way, given the highly complex intrafunctional and geographic setup. In addition, some senior stakeholders had a lack of focus, and working-level teams were misaligned.

Not wanting to lose momentum from its highly successful 2023 remediation efforts and knowing how much ground it had to cover to meet the DORA expectations, the company redoubled its DORA program efforts, starting at the very beginning of the first quarter of 2024, and set a target to meet the regulation’s requirements by January 2025. It completely redesigned its program by defining specific activity clusters focused on each of the regulation’s content areas, reorganizing governance and steering to include business and technology leaders across all key entities, and establishing enterprise-wide tracking and reporting of progress and documentation in a centralized tooling solution. Notably, it also brought all of its operating entities under the same program orchestration umbrella for end-to-end support and execution management. The company was highly efficient in those activities: it achieved its redesigned program structure within one month (more than 300 staff members onboarded, full planning and gap assessment complete). Now with a better, more holistic structure in place, it turned to the activation plan.

Key to its successful activation was the strong sense of accountability the company placed on its delivery leaders: the activity cluster leads, plus the single points of contact for each operating entity. That approach had dual effects: the company drove strong execution of DORA-related activities, of course; more significantly, it created a culture of technology risk management throughout the organization, while training and upskilling the entire staff.

By taking such strong, positive steps—both toward central, strategic orchestration and planning and toward action-oriented, leader-driven accountability for delivery—the company has started to see tech risk management not as a “nonfunctional task” but, instead, as a key driver of business value. This truly strategic, business- and risk-based, holistic, structured approach has set the company on a much steeper DORA preparation trajectory than that of its peers across Europe.

Regarding the first challenge, one chief information security officer said, “The breadth of the DORA program, given the broad range of topics, is unavoidable. However, the chosen depth of scoping significantly impacts the size of effort required to achieve compliance.”

At some institutions, uncertainty over scoping has led to increased budget allocations (Exhibit 1). Typically, an institution might have earmarked €5 million to €15 million for its DORA program strategy, planning, design, and orchestration. But early estimates for full implementation costs are coming in at five to ten times that range. One large FI reported that its final planned DORA implementation spend across the group amounted to nearly €100 million, split between program orchestration and technology control upgrades. According to our conversations with other FIs, we expect similar multiples across the financial industry—particularly at large companies or those that struggle to adopt a risk-based approach to scoping.

Most surveyed institutions plan to spend €5 million–15 million on Digital Operational Resilience Act strategies, planning, design, and orchestration.

When it comes to DORA program capacity, about 40 percent of financial entities and ICT providers dedicate more than seven full-time equivalents (FTEs), while less than 20 percent have yet to assign dedicated FTEs (Exhibit 2). In our client engagements, several leading organizations say the broad scope of DORA requirements means that different functional areas are driving deliverables, albeit with central coordination. All told, these factors tend to reduce the number of dedicated FTEs.

Companies dedicate varying numbers of full-time employees to their Digital Operational Resilience Act–compliance programs.

Program steering is a vital cog in the implementation machine, but our research gives little indication that the industry has arrived at a standardized approach. At about 50 percent of surveyed institutions, the IT organization drives DORA implementation, whereas among the remaining group, a mix of business and oversight functions more commonly take control (Exhibit 3). The prevalent ownership distribution suggests many organizations still see digital resilience as an “IT problem” rather than a groupwide concern.

Organizational responsibility for driving alignment with the Digital Operational Resilience Act is often in the IT function.

Regulatory compliance is rarely inexpensive, and most survey respondents feel that maintaining DORA compliance will incur ongoing costs. Among our survey respondents, 70 percent say continuing to meet DORA requirements will result in permanently higher run costs for technology and technology control.

Challenges facing industry participants and ICT service providers

Of the many challenges facing institutions, one that stands out in our survey responses is ICT third-party risk management (Exhibit 4). To manage third-party risk effectively, financial institutions must make significant efforts on two fronts: ensuring comprehensive oversight of all ICT service providers and their associated risk and proactively managing the digital risk associated with critical ICT third-party service providers. To achieve these goals in a cost-effective, end-to-end manner, leading FIs take a risk-based and holistic approach, in turn requiring dedicated processes and technologies.

Management of third-party information and communications technology risk is seen as a key challenge.

Key scoping items for DORA remediation activities

Below are key scoping areas companies should consider when assessing their DORA compliance.

Defining critical or important functions (CIFs). Accurately defining CIFs is a cornerstone of DORA scoping (for example, mapping of IT assets to CIFs, defining recovery times). The challenge for institutions is that no industry-wide framework determines which functions should be deemed as CIFs. Instead, industry participants tend to rely on individual third-party frameworks, such as BaFin’s RRP (recovery and resilience plan) or the Bank of England’s IBS (important business services), and on the European Banking Authority’s technical guidance.
Scoping ICT service providers. DORA defines an ICT service provider as “an undertaking providing ICT services; digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services, which include the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.” Given this broad language, it is up to market participants themselves to decide whether individual ICT providers meet the definition. Some decision makers believe that services provided by companies outside traditional IT, such as law firms and consultancies, could fall within the legislation’s scope; some, however, do not. In addition, organizations often lack a consolidated view of third-party relationships across business units, geographies, parents/subsidiaries, or group/legal entities. Such lack of alignment could yield different classifications of the same provider, causing confusion during an onsite examination.
Understanding feasible and acceptable recovery times for different scenarios. Financial entities report challenges in determining appropriate target recovery time objectives (RTOs) and recovery point objectives. For example, achieving four-hour recovery times (a standard RTO) would be reasonable in the event of a small, contained incident, but it would be nearly impossible after a large-scale ransomware attack leading to a major outage. Leading organizations take a use case and criticality-oriented approach to set recovery times, often tied to business impact analyses.
Defining and choosing appropriate test scenarios to conduct thread-led penetration testing. Some organizations say they struggle to define the right test scenarios for TLPT, a particular concern when testing critical or important functions. It may make sense to agree on a joint definition of critical scenarios, or on a respective sharing/recognition of testing results with critical third-party providers—or on both.

Once more, a key variable is scoping, and our discussions with major FIs show wide variation in understanding of the legislation’s scope—even among companies working with similar numbers of ICT vendors. For example, in contract remediation, some organizations are focusing on as few as 20 remediations, whereas others plan to remediate as many as 3,000 contracts (see sidebar “Key scoping items for DORA remediation activities”).

An important factor in making remediation decisions is how to define a “critical” ICT third-party service provider. Under Article 31 of DORA, criteria for consideration include systemic impact on stability, continuity and quality of provision of financial services, the number of institutions relying on the provider, and interdependencies among institutions. Organizations must work closely with legal counsel to determine which interpretation of that definition optimally fulfills DORA requirements and boosts digital resilience.

In terms of engagement with third parties, many FIs report challenges when negotiating with smaller entities. One difficulty is that smaller third parties often lack sufficient talent or resources to achieve full DORA compliance and, thus, may struggle to meet requirements on time. Such variations in capabilities among organizations are likely to lengthen the time frame for some implementation programs.

A common structural challenge for a financial institution is in its dual role of engaging with providers and being a provider for others. For instance, a financial institution may offer payments services on behalf of another financial institution, while also using third parties to support its own business services. These twin dynamics can expose the institution to regulatory scrutiny from two angles: it may need to both initiate and respond to contract remediation exercises.

Across the industry, timing is likely to be a significant concern in the months ahead. In our survey, just about a third of financial institutions express confidence that they can fulfill all DORA regulatory expectations by January 2025. Moreover, all expect at least some DORA efforts to continue beyond then (Exhibit 5). Even those that believe they can achieve compliance by January 2025 say that implementation and rollout into “business as usual” across geographies will continue beyond the legal enforcement date.

Surveyed institutions are uncertain that they can meet the Digital Operational Resilience Act deadline.

Taking action: Four strategic imperatives

Preparations for DORA will continue to accelerate in the coming months. As decision makers navigate the process, best practice will be not only to focus on complying with the regulation, but also to reflect broader business goals. We have seen some leading organizations anchor their efforts on four strategic principles.

See the regulation as a resilience opportunity rather than a tick-box exercise

As many as 80 percent of remediation programs fail because they lack a strategic foundation. To prevent DORA programs from succumbing to the same fate, decision makers need to see the program for what it can be: a transformational opportunity to reorganize and enhance processes, tools, and technologies, while boosting resilience. But if institutions simply update policy documents and define system mappings to do the bare minimum, they risk turning their DORA programs into paper tigers—inflating costs with limited impact beyond paper. If, conversely, institutions implement DORA with digital resilience as an objective—by using their DORA program to identify and eradicate ICT risk at scale—they will create a fundamentally stronger financial ecosystem and improve customer trust.

Make resilience business-led

As in many transformative projects, leadership is a critical enabler. We see two vital building blocks:

Drive the transformation from the top. For an effective transformation, senior managers need to formulate a clear strategy, enhanced by programmatic support structured around the business and its priorities. Regulators’ expectations will be relevant in this context. In one recent examination, the regulator requested evidence that IT risk-management efforts were business-led and involved leaders from the business. Our experience suggests that linking regulatory remediation deliverables to business objectives is key to measuring resilience success, which is possible only when business colleagues are at the helm in driving implementation.
Appoint a single accountable program owner. While DORA affects multiple functions, a single accountable owner provides a point of coordination and steering. This approach will sharpen strategic oversight and lead to better prioritization and communication throughout the program.

Scope astutely: Take a risk-based approach; define ‘done’ clearly

From our survey, scoping is a significant challenge—and opportunity—as DORA preparations reach their final stages. Our surveyed FIs commonly report struggling with seemingly unending regulatory programs that “boil the ocean” in terms of interpreting and meeting regulatory expectations, consequently with ever-growing scope and costs.

Organizations that precisely define the regulation’s risk-based aims are most likely to execute effectively. They engage in two best practices:

Implementing requirements based on risk. Leading companies take a risk-based approach to resilience, identifying their most critical processes and prioritizing capability requirements according to risk. This means not creating “one control requirement set to rule them all” but defining risk-differentiated policies and controls based on the business value of different processes. Such an approach yields a more streamlined, efficient application of DORA requirements, optimizing both DORA spend and time to compliance.
Explicitly defining “done”: when DORA requirements are met and risk is mitigated. Often in the course of regulatory and remediation programs, organizations run into the challenge of proliferating requirements and ever-lengthening timelines. That may occur when internal stakeholders seek to add their own priorities to the list, increasing the effort required. By agreeing from the outset on how to define “done,” a company can save months of program extension, spend, and iteration.

Collectively collaborate to ensure systemic resilience

Business leaders may feel it is counterintuitive to collaborate with competitors on regulatory alignment, but information sharing can actually streamline the implementation process and build trusted networks. We have seen, time and again, the power and impact of cross-industry collaboration on security and regulatory topics. Consider these approaches:

Invest in information sharing and exchange; candidly communicate how you view scope requirements and challenges. Given that DORA expressly aims to strengthen the resilience of the entire financial ecosystem, it should catalyze collaboration across the European financial industry. Lean into the fact that it makes sense for FIs to work together.
Use DORA to build digital trust. ICT service providers and FIs can use DORA to boost transparency and build trust in their digital products and services. As quality, resilience, and security improve, so will uptime, access, and fraud-mitigation outcomes. Digital trust can become a value differentiator for customers.

As the deadline for DORA implementation approaches, financial institutions and ICT service providers have their work cut out to achieve the expected level of digital resilience. Scoping exercises and closure of gaps against the final text and RTS batches will demand significant attention in the months ahead.

That said, DORA also presents a valuable opportunity. Institutions have a chance to revisit critical challenges around digital resilience, bring diverse parts of the organization together, and transform fundamental capabilities that will maintain the resilience of the financial ecosystem. Given the systemic reach of digital technologies, financial institutions and ICT providers can work together to increase trust in the industry and create value for the long term.