DORA and its impact on Swiss financial entities and ICT service providers

  • Insight
  • 15 minute read
  • 22/05/24

The EU’s Digital Operational Resilience Act (DORA) seeks to ensure the convergence and harmonisation of security and resilience practices across firms operating in the European Union (EU). The aim is to help mitigate the risks associated with rapid digitalisation and growing interconnections and dependencies within the financial sector and with third-party infrastructure and service providers.

Swiss entities need to act quickly to determine whether they fall within the scope of DORA, based on the broad range of financial markets activities included and whether those take place within EU jurisdictions.


What is the background?

As of January 2025, around 22,000 financial entities and ICT service providers operating within the EU, as well as the ICT infrastructures supporting them from outside the EU, are required to comply with uniform regulatory standards. These have two main objectives:

  • Build, assure and review the operational integrity of the service and operating model to ensure the continued provision of (the quality of) the financial services, including throughout disruptions.
  • Limit the risk of contagion within the EU financial system by prescribing a harmonised minimum standard of digital operational resilience.

Over 22,000 financial entities in the EU must directly adhere to the regulations outlined in DORA. Entities located outside the EU will also be impacted.

What entities are in scope of DORA?

How should Swiss entities respond to DORA?

DORA has an extra-territorial effect: Swiss financial entities that are affiliated with EU financial entities and deliver (intra-group) ICT services to their EU counterparts, such as a parent undertaking, branches, subsidiaries or sister companies, will be required to adhere to DORA standards. This is particularly relevant for group-internal outsourcing arrangements. Such groups will likely adopt DORA-compliant global minimum standards across the board, regardless of the specific ICT services they provide.

Furthermore, Swiss ICT providers, including sub-providers, will be impacted indirectly by DORA when they offer ICT services to financial entities within the EU. The scope of ICT services is broadly defined to encompass a variety of digital and data services facilitated through ICT systems. This includes, but is not limited to, data storage or cloud services, data processing and reporting services, as well as data monitoring and data-driven business support services.

Scenarios where a Swiss entity falls within the scope of DORA

*"ICT services" means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.

Impact on Liechtenstein

DORA is also applicable to the member countries of the European Economic Area (EEA), i.e. Liechtenstein, Norway and Iceland.

  • This means that entities in EEA member countries which are in scope of DORA will also have to adhere to the DORA requirements, and
  • entities providing ICT services to such entities within the EEA are impacted as well.

To be applicable within the EEA, DORA has to be adopted into the EEA Agreement. This process is currently in progress. DORA will apply immediately after it has been incorporated into the EEA Agreement.

In addition, some of the provisions require implementation in Liechtenstein law. The Digital Operational Resilience Implementation Act (DORA-DG), due to come into force in Liechtenstein at the same time DORA is incorporated into the EEA Agreement, serves this purpose.

The Financial Market Authority of Liechtenstein currently assumes that DORA will come into force in Liechtenstein at the same time as within the EU, i.e. in early 2025.

DORA sets the regulatory focus on five key pillars

DORA introduces a holistic framework for effective risk management, ICT and cybersecurity functions, the handling and reporting of incidents, and the management of external providers, thereby guaranteeing the consistent provision of services across the entire value chain. Five core topics play a particular role: ICT risk management, management of ICT incidents, digital operational resilience testing, management of third parties, and information sharing.

ICT risk management

Financial entities are required to set up a comprehensive ICT risk management framework. This includes:

  • Setting up and maintaining resilient ICT systems and tools that minimise the impact of ICT risk
  • Identifying, classifying and documenting critical or important functions and assets
  • Continuously monitoring all sources of ICT risks to establish protection and prevention measures
  • Establishing prompt detection of anomalous activities
  • Putting in place dedicated and comprehensive business continuity policies and disaster recovery plans, including yearly testing of the plans, covering all supporting functions
  • Establishing mechanisms to learn and evolve both from external events and the entity’s own ICT incidents

Management of ICT incidents

Financial entities are required to:

  • Develop a streamlined process to log/classify all ICT incidents and determine major incidents according to the criteria detailed in the regulation and further specified by the European Supervisory Authorities (EBA, EIOPA and ESMA)
  • Submit an initial, intermediate and final report on ICT-related incidents
  • Harmonise the reporting of ICT-related incidents through standard templates as developed by the ESAs

These requirements also apply to operational or security payment-related incidents and to major operational or security payment-related incidents, where they concern credit institutions, payment institutions, account information service providers and electronic money institutions.

Digital operational resilience testing

The regulation requires all entities to:

  • Annually perform basic ICT testing of ICT tools and systems
  • Identify, mitigate and promptly eliminate any weaknesses, deficiencies or gaps by implementing counteractive measures
  • Periodically perform advanced threat-led penetration testing (TLPT) for ICT services that impact critical functions; ICT third-party service providers are required to participate and fully cooperate in the testing activities

Management of third parties

Financial entities are required to:

  • Ensure sound monitoring of risks emanating from reliance on ICT third-party providers
  • Harmonise key elements of the service and relationship with ICT third-party providers to enable a ‘complete’ monitoring approach
  • Report their complete register of outsourced activities, including intra-group services and any changes to the outsourcing of critical services to ICT third-party service providers
  • Take account of the risks of IT concentration and risks arising from sub-outsourcing activities
  • Ensure that all contracts with ICT third-party providers contain the mandatory clauses specified by DORA (including by remediation of existing contracts). Such clauses need to include all necessary monitoring and accessibility details, such as a full service-level description, an indication of the locations where data is processed, etc.

Critical ICT third-party service providers will be subject to a Union Oversight Framework, which can issue recommendations on the mitigation of identified ICT risks; financial entities must consider the ICT third-party risks of service providers who do not follow the defined recommendations.

Information sharing

  • The regulation allows financial entities to establish arrangements amongst themselves to exchange cyber threat information and intelligence
  • The supervisory authority will provide relevant anonymised information and intelligence on cyber threats to financial entities. Therefore, entities should implement mechanisms to review and take action on the information shared by the authorities

When will DORA be enforced?

DORA entered into force on 16 January 2023. With an implementation period of two years, financial entities will be expected to be compliant with the regulation by early 2025.

2023 - Entered into force

DORA entered into force on 16 January 2023.

2024 - Regulatory Technical Standards (RTS) & Implementing Technical Standards (ITS)

Multiple regulatory and implementing technical standards are defined and issued by the European Supervisory Authorities (ESAs). They will provide entities with specifications and guidance on how to implement specific DORA requirements.

  • 17 January 2024: Publication of the first set of RTS/ITS regarding the ICT risk management framework, ICT policy, classification of ICT incidents and register of information
  • 17 June 2024: Publication of the second set of RTS/ITS, covering, among other things, the reporting of ICT incidents, the criteria, methodologies and requirements for digital operational resilience testing, and the requirements for designing sub-outsourcing arrangements

2025 - Enforcement

DORA requirements are enforceable 24 months after entry into force. Therefore, financial entities will be expected to be compliant with DORA by early 2025.

Your company has implemented FINMA Circular 2023/1 requirements: What's the impact by DORA and what can you leverage?

Generally, DORA and FINMA Circular 2023/1 on Operational Risk and Resilience (and, to some extent, FINMA Circular 2018/3 on Outsourcing) pursue the same purpose of increasing the operational resilience of financial entities. However, the approaches taken differ significantly. FINMA adopts a principle-based approach, granting supervised entities the discretion to determine how best to comply with its requirements. In contrast, DORA takes a rule-based approach, specifying requirements in greater detail.

If a Swiss financial entity is already compliant with FINMA Circular 2023/1, it will have addressed several of the areas covered by DORA. Nevertheless, all entities will have to review in detail whether every requirement of DORA can be met by the processes and organisation they have in place and determine where they need to extend operational resilience to comply with DORA in full.

How can we support?

PwC can fully support your company along the road to adhering to the DORA regulations, from evaluating your current preparedness to helping you implement measures to meet the statutory requirements and embedding them in your risk management, security management, resilience management and compliance management system.

Following the adoption of DORA, financial institutions must seriously plan for the implementation of this regulation. If you get a head start, you can identify in good time the areas in which investment is required and what priorities must be set.

While DORA seeks to harmonise the regulatory framework for cybersecurity in the financial sector within the EU, some of the requirements have already been incorporated into existing (national) regulations and guidelines for the financial sector.

Nevertheless, it will become critically important for all financial firms to undertake a gap analysis and develop a strategy to achieve adherence to the regulations (by January 2025).

The financial system has not only become predominantly digital throughout the entire sector; digitalisation has also deepened the links and dependencies within the financial sector and with infrastructure and service providers.

A new element that has been introduced by DORA is the reviewing of third-party ICT service providers, with the supervisory authorities now being charged with directly discussing operational risks with (critical) third-party providers.

This represents both an opportunity and a challenge for third-party ICT service providers to improve the resilience of their services. Financial firms must thoroughly assess their dependencies on third-party providers and develop more refined methods to test and monitor their resilience.


Our experts

  • Alexandra Burns, Partner, Leader Financial Services Risk Consulting & Internal Audit, PwC Switzerland, +41 58 792 46 28
  • Beate Fessler, Senior Manager, Risk Consulting, PwC Switzerland, +41 58 792 19 67
  • Céline Blampied, Senior Consultant, Risk Consulting, PwC Switzerland, +41 58 792 22 75
  • Johannes Dohren, Partner, Cybersecurity and Privacy, PwC Switzerland, +41 58 792 22 20
  • Xavier Bédat, Cybersecurity and Privacy, PwC Switzerland, +41 58 792 14 84
  • Philipp Rosenauer, Partner Legal, PwC Switzerland, +41 58 792 18 56
  • Gabriela Tsekova, Senior Manager, FS Regulations, PwC Switzerland, +41 58 792 29 93