The Digital Operational Resilience Act (DORA) aims to enhance the ability of banks, insurance companies, investment firms and other financial entities to withstand, respond to, and recover from Information and Communication Technology (ICT) disruptions, including cyberattacks and system failures.
Under Article 58(3) of DORA, the European Commission (EC), after consulting the European Supervisory Authorities (ESAs) and the Committee of European Auditing Oversight Bodies (CEAOB), must, by 17 January 2026, assess whether DORA or the Audit Directive is the most appropriate framework to strengthen digital-resilience requirements for statutory auditors and audit firms.
Accountancy Europe outlines in its response to the EC DORA consultation why auditors differ fundamentally from financial entities. Auditors:
Auditors already use ICT risk tools to perform their work, which is governed by strict standards and oversight. The audit profession is subject to strong requirements on quality management, business continuity and incident reporting, as set out in the Audit Directive and the International Standard on Quality Management (ISQM 1). These frameworks already ensure a high level of digital and operational resilience.
Including auditors in the DORA framework would duplicate existing obligations, increase costs, and add complexity with no improvement to market stability. Given the EU’s current focus on simplification and proportionality, we do not believe expanding DORA’s scope to include auditors or changing the Audit legislation is pertinent.
Accountancy Europe remains committed to contributing constructively to the EC’s review process, to ensure that any digital resilience framework for auditors remains proportionate, coherent, and fit for purpose.