
The DORA Art. 58 Question: Should Auditors Be Subject to Digital Resilience?

DORA Atlas Editorial

The Review Clause Activated

Article 58(3) of DORA contains a deceptively simple mandate: "By 17 January 2026, the Commission shall, after consulting the ESAs and the Committee of European Auditing Oversight Bodies, review the appropriateness of strengthened requirements for statutory auditors and audit firms as regards digital operational resilience." In December 2025, the ESAs delivered their side of the equation — a Joint Report submitted to the Commission assessing the digital resilience landscape of the audit profession.

The Art. 58 review represents one of DORA's built-in expansion mechanisms. The regulation's framers recognized that the initial scope — focused on financial entities and their ICT third-party service providers — might not capture all systemically relevant participants in the financial ecosystem. Statutory auditors, who access the most sensitive financial data, systems, and processes of every regulated institution, are the most conspicuous gap.

The Case for Inclusion

Auditors as High-Value Targets

The four largest audit firms — Deloitte, EY, KPMG, and PwC — collectively audit the majority of Europe's systemically important financial institutions. In the course of their work, auditors gain access to:

  • Core banking system data and configurations
  • Risk management frameworks and their known limitations
  • Regulatory capital calculations and internal models
  • ICT asset inventories and vulnerability assessments
  • Incident logs and remediation status
  • Customer data at aggregate and sometimes individual levels
  • Strategic plans and confidential board materials

This access profile makes audit firms high-value targets for threat actors seeking to compromise financial institutions indirectly. A breach at a major audit firm would not merely expose the firm's own data — it would potentially expose the audit workpapers of dozens of major financial institutions simultaneously.

Data access type                    | Sensitivity level | Current protection regime
Client financial data               | RESTRICTED        | Audit firm internal controls; no DORA requirement
ICT risk management documentation   | CONFIDENTIAL      | Client-imposed NDAs; audit professional standards
Regulatory capital models           | RESTRICTED        | Regulatory confidentiality; national audit oversight
Incident and vulnerability data     | CONFIDENTIAL      | Audit firm internal controls; professional ethics
Strategic plans and board materials | RESTRICTED        | Audit firm internal controls; engagement-level access controls

The Systemic Concentration Problem

The audit market exhibits extreme concentration — more extreme, arguably, than the cloud market that DORA's Pillar IV already addresses. The Big Four firms audit approximately 95% of the largest financial institutions in the EU. A successful cyberattack against one of these firms could compromise audit data spanning multiple major banks, insurers, and investment firms simultaneously.

This concentration creates a systemic risk that mirrors the CTPP designation logic: a small number of entities whose failure or compromise would affect a critical mass of the financial sector. If AWS's designation as a CTPP is justified by the financial sector's cloud concentration, the audit sector's concentration on four firms presents an analogous argument.

The Supply Chain Logic

DORA's Pillar IV addresses ICT third-party risk because financial institutions' resilience depends on the resilience of their technology providers. The same logic applies to audit firms. A financial institution may have impeccable ICT risk management — but if its auditor's systems are compromised, and the auditor had privileged access to the institution's most sensitive data, the institution's resilience is breached through the audit supply chain.

Art. 28 requires financial entities to manage ICT third-party risk. But audit firms are not typically classified as "ICT third-party service providers" under DORA, even though they increasingly provide their services through digital platforms, cloud-based audit tools, and automated data extraction systems. The audit engagement of 2025 is an ICT-dependent service — the regulatory classification has not caught up with the operational reality.

The Case Against Inclusion

Existing Regulatory Frameworks

Audit firms are already regulated under the EU Audit Regulation (537/2014) and the Statutory Audit Directive (2006/43/EC, as amended by Directive 2014/56/EU), with national implementation through audit oversight bodies. These frameworks impose quality control requirements, independence rules, and inspection regimes. The International Standard on Quality Management (ISQM 1) requires audit firms to address technological resources and information security as part of their quality management systems.

The counter-argument is that these existing frameworks adequately address audit firm resilience without the additional burden of DORA compliance. Adding DORA requirements on top of existing audit regulation creates duplicative compliance costs — particularly for mid-tier audit firms that lack the scale to absorb regulatory overhead as efficiently as the Big Four.

Proportionality Concerns

Art. 4's proportionality principle is already a pressure point for smaller financial entities. Extending DORA to audit firms would raise the same proportionality questions with even greater intensity. A two-partner audit firm that audits a small insurance company has a fundamentally different risk profile than PwC auditing a globally systemically important bank. Applying the same DORA requirements to both creates a proportionality challenge that the regulation's current framework may not adequately address.

The Cost Transfer Problem

DORA compliance costs money. If audit firms are brought within scope, those costs will ultimately be borne by the financial entities that pay for audit services. The compliance cost transfer would be regressive — affecting smaller financial entities (which pay proportionally more for audit services relative to their size) more than large institutions.

Argument for inclusion                                          | Argument against inclusion
Auditors access the most sensitive financial data               | Existing audit regulation addresses information security
Big Four concentration = systemic risk analogous to CTPPs       | Proportionality concerns for mid-tier and small firms
Audit is increasingly ICT-dependent                             | Cost transfer to financial entities through higher audit fees
Supply chain logic: resilience requires supply chain resilience | Duplicative compliance burden on already-regulated entities
Post-breach impact would be catastrophic and cross-institutional | Risk of deterring auditors from financial sector, reducing competition

What the ESAs' Joint Report Likely Addresses

While the full content of the ESAs' December 2025 Joint Report is not public at the time of writing, the terms of Art. 58(3) and the ESAs' mandate suggest the report addresses several key dimensions:

Risk assessment. An empirical assessment of the digital operational resilience risk posed by statutory auditors and audit firms, based on their access to sensitive financial data, their ICT dependency, and the potential impact of a compromise.

Existing framework adequacy. An analysis of whether existing audit regulation (EU Audit Regulation/Directive, ISQM 1, national audit oversight) provides sufficient digital resilience safeguards, or whether DORA-specific requirements would add material protection.

Scope definition. If inclusion is recommended, which auditors and audit firms should be in scope? All statutory auditors of financial entities? Only auditors of significant institutions? Only the globally systemically important audit firms?

Proportionality mechanism. How would DORA's requirements be proportionately applied to audit firms of different sizes and risk profiles? Would Art. 16's simplified framework apply?

Implementation timeline. If inclusion is recommended, what transition period would be appropriate? Audit firms would need time to assess their compliance posture, build capabilities, and negotiate with technology providers for Art. 30-compliant contracts.

The Commission's Decision Framework

The Commission's decision on Art. 58(3) is not binary. Several outcomes are possible:

Full inclusion. Statutory auditors and audit firms of financial entities are brought within DORA's scope, subject to the proportionality principle. This would be the most expansive outcome and would require amending DORA's Art. 2 entity list.

Targeted inclusion. Only auditors of systemically important financial institutions — or only the largest audit firms above a size threshold — are included. This addresses the systemic concentration risk while limiting the proportionality burden.

Enhanced existing framework. Rather than bringing auditors under DORA, the Commission could propose amendments to the EU Audit Regulation that incorporate DORA-equivalent digital resilience requirements. This avoids the complexity of extending DORA's scope while addressing the identified risk.

Monitoring with future review. The Commission could acknowledge the risk but defer inclusion, establishing monitoring mechanisms and scheduling a subsequent review (perhaps by 2028) to reassess based on additional evidence.

No action. The Commission could conclude that existing frameworks are adequate and that the cost and complexity of inclusion outweigh the risk reduction. This outcome seems least likely given the Commission's demonstrated appetite for expanding digital resilience regulation.

The Implications for Financial Entities

Regardless of the Commission's decision, the Art. 58 review has practical implications for financial entities:

Vendor risk management for audit relationships. Even if audit firms are not formally brought under DORA, the review highlights the risk that audit relationships create. Prudent institutions should apply third-party risk management principles to their audit engagements: obtain evidence of the auditor's ICT security posture rather than relying on professional standards alone, include information security provisions in engagement letters, and monitor for audit firm incidents that could affect data confidentiality. Note that audit workpapers are retained for years after an engagement ends, so the exposure created by an auditor's access outlives the engagement itself.

Contract provisions. Art. 30's mandatory contractual provisions for ICT third-party service providers provide a useful template for audit engagement terms — even if audit firms are not technically "ICT third-party service providers" under DORA. Provisions on data access controls, subcontracting (audit firms increasingly use third-party data analytics platforms), and termination procedures are relevant to audit engagements.

Board awareness. The management body should be aware of the Art. 58 review and its potential outcomes. If audit firms are brought within DORA's scope, the institution's audit committee will need to factor DORA compliance into auditor selection and evaluation.

The Broader Question

Art. 58 is not just about auditors. It is about the boundaries of operational resilience regulation. DORA's initial scope was drawn around financial entities and their ICT service providers. But the financial ecosystem includes many other participants whose digital resilience affects the sector's overall resilience: credit rating agencies, financial advisors, data analytics providers and regulatory technology vendors (the latter two are largely already caught as ICT third-party service providers when they serve financial entities, but only through the contracting entity's Pillar IV obligations), and, yes, auditors.

The Art. 58 review is the first formal test of whether DORA's scope will expand. The Commission's decision will signal how aggressively the EU intends to extend digital resilience requirements beyond the financial sector's core entities. For the audit profession, for the broader financial ecosystem, and for the technology providers that serve both, the answer matters.


This analysis reflects DORA Regulation (EU) 2022/2554 Article 58(3) and the ESAs' Joint Report submitted in December 2025. The Commission's decision on scope expansion is pending at the time of publication.

