Joint ESAs Report on DORA Article 58: Statutory Auditors and Digital Operational Resilience
Table of Contents
- Understanding the Joint ESAs Report on DORA Article 58
- The Role of Statutory Auditors in the Financial Sector
- Assessment of Digital Operational Resilience Risks in Audit
- Market Concentration and Competition Implications
- Analysis of Extending DORA Scope to Auditors
- Proportionality Considerations and Alternative Approaches
- The ESAs’ Supervisory Role and Limited Current Mandate
- Implications for Financial Institutions and Audit Relationships
- Key Recommendations and Future Regulatory Direction
🔑 Key Takeaways
- Understanding the Joint ESAs Report on DORA Article 58 — The Joint ESAs Report on DORA Article 58, published in December 2025, represents a significant consultation response from the three European Supervisory Authorities—the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA)—to the European Commission regarding the potential extension of digital operational resilience requirements to statutory auditors and audit firms.
- The Role of Statutory Auditors in the Financial Sector — Statutory auditors and audit firms play a critical role in the financial sector by providing independent assurance on the accuracy and completeness of financial statements, including those of public-interest entities.
- Assessment of Digital Operational Resilience Risks in Audit — The report examines the digital operational resilience risks associated with statutory audit activities.
- Market Concentration and Competition Implications — The report identifies market concentration as a significant consideration in the assessment of extending DORA to audit firms.
- Analysis of Extending DORA Scope to Auditors — The report provides a multi-dimensional analysis of the implications of extending DORA’s scope to statutory auditors and audit firms.
Understanding the Joint ESAs Report on DORA Article 58
The Joint ESAs Report on DORA Article 58, published in December 2025, represents a significant consultation response from the three European Supervisory Authorities—the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA)—to the European Commission regarding the potential extension of digital operational resilience requirements to statutory auditors and audit firms.
Article 58(3) of the Digital Operational Resilience Act (DORA) mandated the European Commission to consult with the ESAs on whether statutory auditors should be subject to strengthened digital operational resilience requirements, either through inclusion in DORA’s scope or through amendments to Directive 2006/43/EC (the Audit Directive). This consultation reflects the growing recognition that digital resilience in financial services extends beyond the financial entities themselves to encompass their wider ecosystem of service providers and professional advisors.
The report provides a balanced assessment that considers multiple perspectives: the role of auditors in the financial system, the nature and risks of their digital operations, the potential benefits and costs of enhanced regulation, and the broader market implications of extending compliance requirements to the audit profession.
The Role of Statutory Auditors in the Financial Sector
Statutory auditors and audit firms play a critical role in the financial sector by providing independent assurance on the accuracy and completeness of financial statements, including those of public-interest entities. This assurance function contributes to market transparency, investor protection, and financial stability by verifying the reliability of the financial information on which market participants and regulators rely.
During the audit process, auditors access highly sensitive financial information, including confidential data about financial positions, risk exposures, and strategic plans. The confidentiality, integrity, and availability of this information during the audit process is critical—any breach could have significant consequences for the audited entity and broader market confidence.
However, the ESAs report makes an important distinction: audit activities do not form part of the operational value chain of the audited financial entity. Unlike ICT service providers whose services directly support the continuity of financial services, auditors provide an assurance function that, while important, does not directly affect the ability of a financial institution to deliver its services to customers.
Assessment of Digital Operational Resilience Risks in Audit
The report examines the digital operational resilience risks associated with statutory audit activities. Audit firms increasingly rely on digital tools and technologies for data collection, analysis, testing, and documentation, creating dependencies on ICT systems that could be disrupted by cyber attacks, system failures, or other digital incidents.
Key risk areas include the security of audit data in transit and at rest, the reliability of audit management systems and analytical tools, the cybersecurity of remote audit access to client systems, and the resilience of communication channels between audit teams and audited entities. These risks are real and growing as audit processes become increasingly digital.
However, the report also notes that existing regulatory frameworks already impose obligations on audit firms regarding data protection, professional standards, and quality control. The International Standards on Auditing (ISAs) and the European audit regulatory framework include requirements for maintaining the security and confidentiality of audit information that partially address digital resilience concerns. The International Auditing and Assurance Standards Board continues to develop standards relevant to digital audit practices.
Market Concentration and Competition Implications
The report identifies market concentration as a significant consideration in the assessment of extending DORA to audit firms. The EU audit market is already highly concentrated, with the Big Four firms (Deloitte, EY, KPMG, and PwC) dominating the audit of large financial institutions and public-interest entities.
Extending DORA requirements to audit firms could raise fixed compliance costs that disproportionately burden smaller firms, potentially reinforcing market concentration by making it more difficult for smaller firms to compete for the audit of DORA-regulated entities. This could reduce choice and competition in the audit market, potentially affecting audit quality and pricing.
The ESAs recognize the tension between the desire for enhanced digital resilience and the need to maintain a competitive audit market. Any regulatory intervention must be carefully calibrated to address genuine risks without creating barriers to entry or participation that could ultimately undermine the quality and diversity of audit services available to financial entities.
Analysis of Extending DORA Scope to Auditors
The report provides a multi-dimensional analysis of the implications of extending DORA’s scope to statutory auditors and audit firms. This analysis considers the market perspective, the supervisory perspective, the proportionality of regulation, and the practical challenges of implementation.
From a market perspective, the potential benefits of enhanced digital resilience among auditors must be weighed against the costs of compliance and the risk of unintended consequences for market structure. The analysis considers whether the existing regulatory framework already provides adequate protection or whether additional DORA-specific requirements would meaningfully improve resilience.
From a supervisory perspective, extending DORA to auditors would create additional supervisory responsibilities for authorities that may already face resource constraints. The report considers whether these supervisory costs are justified by the additional resilience benefits that would be achieved.
Proportionality Considerations and Alternative Approaches
The principle of proportionality is central to the ESAs’ analysis. The report considers whether full DORA compliance requirements are appropriate for audit firms, or whether a more targeted, proportionate approach would better balance resilience objectives with practical and competitive considerations.
Alternative approaches considered include amending the Audit Directive to include specific digital resilience requirements, developing profession-specific standards through the audit oversight framework, relying on existing professional standards and quality control requirements with enhanced enforcement, and applying DORA requirements selectively based on the size and significance of the audit firm.
The proportionality analysis recognizes that different audit firms face different risk profiles. A Big Four firm that audits dozens of major financial institutions has a very different digital risk profile than a smaller firm that audits one or two regulated entities. Any regulatory approach must account for this diversity to avoid imposing disproportionate burdens on smaller firms.
The ESAs’ Supervisory Role and Limited Current Mandate
The report provides important context on the ESAs’ current limited role in the supervision of statutory auditors and audit firms. Under the existing regulatory framework, audit oversight is primarily the responsibility of national audit oversight authorities and professional bodies, with the ESAs having minimal direct supervisory interaction with audit firms.
This limited mandate means that the ESAs have restricted visibility into the digital operational resilience practices of audit firms. While the ESAs can assess the systemic risks posed by audit firm digital vulnerabilities from a financial stability perspective, they lack the detailed operational insight into audit firm practices that would inform a fully evidence-based recommendation.
The report acknowledges this limitation transparently, noting that a more detailed assessment of audit firm digital resilience would require engagement with audit oversight authorities, professional bodies, and the firms themselves. This transparency strengthens the credibility of the report’s analysis while highlighting the need for further investigation.
Implications for Financial Institutions and Audit Relationships
The potential extension of DORA to auditors has implications for financial institutions and their relationships with audit firms. Financial entities subject to DORA already have obligations to manage ICT third-party risk, and the treatment of audit firms within this framework is an area of practical uncertainty.
If auditors are brought within DORA’s scope, financial institutions may need to adjust their third-party risk management processes, contractual arrangements, and due diligence procedures to reflect the new regulatory status of their auditors. This could add complexity to audit engagement processes and potentially affect audit fees as firms pass through compliance costs.
Alternatively, if auditors remain outside DORA’s scope, financial institutions must still manage the digital risks associated with sharing sensitive information with audit firms through their existing ICT third-party risk management frameworks. The European Banking Authority provides guidance on how financial institutions should approach this risk management challenge.
Key Recommendations and Future Regulatory Direction
The ESAs’ report concludes with balanced observations rather than prescriptive recommendations, reflecting the complexity of the issues and the need for further consultation. The report provides the European Commission with a comprehensive analytical framework for making an informed decision about the regulatory treatment of audit firms under DORA.
Key considerations for the Commission include the materiality of digital resilience risks in the audit sector, the adequacy of existing regulatory frameworks to address those risks, the proportionality of extending DORA requirements, the potential impact on audit market structure and competition, and the supervisory resources needed to implement any new requirements.
The report suggests that the optimal approach may involve targeted enhancements to existing audit regulatory frameworks rather than full DORA application, recognizing that audit firms face distinct risks and operate in a different market context than ICT service providers. This nuanced approach would address genuine resilience concerns while avoiding disproportionate regulatory burden.
Frequently Asked Questions
What is the Joint ESAs Report on DORA Article 58?
The Joint ESAs Report is the combined response of the European Banking Authority, EIOPA, and ESMA to the European Commission’s request to assess whether statutory auditors and audit firms should be subject to strengthened digital operational resilience requirements under DORA or through amendments to the existing audit directive.
Should auditors be included in DORA scope according to the ESAs?
The ESAs note that while audit activities access critical financial information and any disruption could have reputational and regulatory consequences, audit activities do not form part of the operational value chain of financial entities. The report reflects on the implications of extending DORA scope, considering market concentration, costs, and proportionality.
How do statutory auditors interact with DORA requirements?
Statutory auditors access confidential financial information during audits of financial entities subject to DORA. While the confidentiality, integrity, and availability of this information is critical, the audit process itself does not directly affect the continuity of financial services. The report examines whether this access warrants bringing auditors under DORA’s digital resilience framework.
What market implications would extending DORA to auditors have?
Extending DORA to statutory auditors could raise fixed costs and reinforce market concentration in the already highly concentrated EU audit market. Smaller audit firms might face disproportionate compliance burdens, potentially reducing competition and choice for financial entities seeking audit services.