
DORA 2024 – Internal Audit’s Role and Strategies Ahead of Compliance Deadline

The newest edition of the ECIIA paper, DORA: Impact of the Digital Operational Resilience Act (DORA) on the Internal Audit Function, has been published, offering valuable insights for the insurance industry. With the January 17, 2025, compliance deadline approaching, this paper outlines key strategies and actions to help internal audit teams ensure readiness.


The Digital Operational Resilience Act (DORA) represents the European Union’s strategic approach to managing systemic risk within the financial system. It aims to enhance cybersecurity and operational resilience across the financial services sector and becomes mandatory in 2025.


Key findings from a survey of 70 insurance industry respondents show that many companies are still in the early or moderate stages of implementing DORA. The paper outlines essential actions for internal audit teams, such as regular audits of ICT risk management frameworks, reviews of ICT response and recovery plans, and assessments of ICT third-party service providers. It also emphasizes the importance of internal auditors documenting Threat-led Penetration Tests (TLPT) and ensuring that contracts with ICT third-party providers adhere to all key provisions.


By focusing on these practical recommendations, the paper serves as a vital resource for internal audit professionals aiming to enhance their digital resilience and comply with DORA requirements.
