Regulatory compliance

DORA Compliance

DORA, the digital operational resilience regulation, is now mandatory for the financial sector and its technology providers. We prepare you for the full cycle: ICT risk management, incident reporting, resilience testing, third-party management and the register of information that supervisors require.

Certified team (CISA, CISSP, CISM) with experience in operational resilience and ICT risk.

DORA status

It is already mandatory, and oversight is tightening

Unlike other rules still being processed, DORA is a European regulation that applies directly from January 2025. There is no transposition window: compliance is enforceable now.

DORA has applied since 17 January 2025 to the entire financial sector and to its ICT providers. The European authorities have already designated the first list of critical technology providers, subject to direct oversight, and have moved from reviewing documentation to demanding real evidence of resilience. The third-party register of information is submitted to supervisors every year.

It is not a future rule; it is the present. Compliance is already enforceable and supervisors are actively reviewing.

It reaches ICT providers. If you provide technology services to the financial sector, DORA reaches you by contract, even if you are not a financial entity.

They ask for proof, not paperwork. Having the documentation is no longer enough: you have to demonstrate that resilience works, with evidence.

Who it binds

Does DORA apply to you?

DORA reaches around twenty types of financial entities and, very significantly, the ICT service providers that support them. The financial sector relies more and more on technology, and the rule carries that chain down to your providers.

Banking: banks and credit institutions
Insurance: insurers and pension plans
Investment: investment service firms
ICT providers: whoever provides technology services to the sector

Fintech, payment platforms, crypto-assets and many other profiles are covered too. If you have doubts about your case or that of your service, the applicability analysis clears them up.

The pillars

DORA, in its five pillars

01 ICT risk management
02 Incident management
03 Resilience testing
04 ICT third-party risk
05 Information sharing

The heart of DORA

Resilience that is demonstrated, not declared

The "R" in DORA stands for resilience: the ability to keep operating and recover when something fails. The rule is not satisfied with you saying so in a document; it requires you to prove it. That is where three things we do every day converge.

Testing for everyone

Every entity within the scope of DORA must carry out security testing: vulnerability assessments and penetration testing on their systems. Our pentesting team runs and documents them so they serve as evidence.

TLPT for the significant ones

Significant entities must go further with threat-led penetration testing (TLPT), at least every three years, simulating real attacks on production systems. It is demanding red team work, and qualified providers are scarce: it is worth planning it well ahead of time.

Continuity that holds up

Resilience rests on continuity and recovery plans that genuinely work. We align them with ISO 22301 and put them to the test, because a plan that has not been tested is not a plan; it is an intention.

The annual tests feed the scope of the advanced ones, and everything rests on solid continuity. That is why we bring compliance, offensive security and continuity together in a single team: the three legs DORA asks you to demonstrate together.

Service

What compliance includes

Gap analysis against the five pillars of DORA and their technical implementing standards.

ICT risk management framework: governance, policies and management body responsibilities.

Incident management and reporting: classification of major incidents and the notification deadlines to the authority.

Operational resilience testing: testing programme and, for the entities that require it, advanced threat-led testing.

Register of information: the inventory of ICT third-party arrangements submitted to supervisors every year.

ICT third-party management: mandatory contractual clauses, exit strategies and concentration analysis.

Continuity and recovery: plans aligned with the operational resilience the rule requires.

Evidence dashboard: ready to demonstrate resilience in a review, which is what they now ask for.

Method

How we work

01 Diagnosis

Gap assessment against the five pillars and the technical standards, focused on critical or important functions.

02 Compliance plan

A risk-prioritized roadmap, approved by the management body, which the rule expressly holds accountable.

03 Implementation

ICT risk framework, incident reporting, third-party register, testing and continuity.

04 Evidence and maintenance

Evidence dashboard, annual register and support for supervisor reviews.

Synergies

If you already have ISO 27001 or ISO 22301, you have an advantage

DORA is not born in a vacuum: much of its ICT risk and resilience framework rests on practices that an ISMS (ISO 27001) or a continuity system (ISO 22301) already cover. We work with a mapping between frameworks to make the most of what you have, although DORA adds obligations specific to the financial sector: the third-party register, resilience testing and the direct oversight of critical providers. And since DORA requires advanced resilience testing, known as TLPT, that capability rests on our Red Team, which is the foundation on which those tests are prepared.

What sets us apart: we are auditors as well as implementers. And since supervisors now ask for evidence, not paperwork, we build your compliance from the start with demonstrating it in mind.

Questions

Frequently asked questions

What is DORA and who does it bind?

DORA is the European regulation on digital operational resilience for the financial sector. It binds around twenty types of entities (banking, insurance, investment, fintech and more) and, very significantly, the ICT service providers that support them. Its aim is for the financial system to withstand, respond to and recover from technology incidents.

Since when has it been mandatory?

Since 17 January 2025. Unlike a directive such as NIS2, DORA is a regulation, so it applies directly across the entire European Union without the need for national transposition. Compliance is enforceable now, and supervisors are already carrying out active reviews.

I am an ICT provider, not a financial entity. Does it affect me?

Very likely, if you serve the financial sector. DORA requires entities to pass requirements on to their providers by contract, and providers deemed critical fall under the direct oversight of the European authorities. Even if you are not critical, your financial clients will ask you to comply with DORA clauses in order to keep working with them.

What is the register of information?

It is the inventory of all your arrangements with third-party ICT service providers, which entities must maintain and submit to supervisors every year. It documents who you depend on technologically and lets the authorities monitor concentration risk. Its quality matters: in the preliminary exercises, very few entities passed all the data quality checks.

What does resilience testing involve?

DORA requires an operational resilience testing programme for all entities, and for the most significant ones, advanced threat-led testing that simulates real attacks on production systems. This is where offensive security and compliance meet, and where our pentesting team adds value.

Does my ISO 27001 help with DORA?

It helps, quite a lot: the ICT risk framework and continuity rest on practices that an ISMS already covers, and we work with that mapping. But DORA is not the same as ISO 27001: it adds obligations specific to the financial sector such as the third-party register, resilience testing and the oversight of critical providers, which ISO does not address.

Direct channel

Shall we talk?

The applicability analysis settles the question within a few days: whether DORA reaches you, as an entity or as a provider, and what stands between you and compliance.

Get in touch