Download ECIIA's paper on DORA; The Digital Operational Resilience Act and its impact on internal audit in the financial services
The Digital Operational Resilience Act (DORA) is the European Union’s (EU) strategic approach to managing systemic risk within the financial system. DORA is designed to improve the cybersecurity and operational resilience of the financial services sector (as of 2025).
DORA specifically addresses the digital operational resilience of Financial Institutions (FIs) and their supply chains by introducing dedicated operational resilience risk management requirements. These include technical measures, procedures, processes, and real-life testing to support FIs in detecting anomalies, containing cybersecurity incidents, and recovering from them. The new requirements are a regulatory response to increasing cybersecurity threats.
DORA provides the financial sector the opportunity to further improve and broaden operational resilience. Harmonizing IT cybersecurity requirements, coupled with a ‘lex specialis’ approach, aims to streamline and prevent the duplication of efforts. Furthermore, improving oversight and alignment of audits in this area can prevent multiple independent audits of the same critical ICT (Information and Communication Technologies) infrastructure provider by various FIs.
The paper explains the role internal auditors should play, specifically regarding third-party outsourcing.