DORA Consulting

DORA Regulation — Expert Consulting for Financial Entities Across Europe

The Digital Operational Resilience Act (DORA) is now fully enforceable. Our consulting services help financial entities meet their requirements — from ICT risk management frameworks to third-party oversight and resilience testing.

Digital Operational Resilience Is Now a Legal Obligation for Financial Entities

The financial sector runs on technology. Every transaction, every client interaction, every risk calculation depends on Information and Communication Technology (ICT) systems, many of which are operated by a small number of third-party providers. A single failure at one major cloud platform could simultaneously disrupt banks, investment firms, and insurers across the EU.

Before DORA, the EU's approach to managing this risk was fragmented. Rules varied by member state and by sector, creating gaps in oversight and inconsistencies in how financial entities managed ICT risk. The focus was primarily on capital adequacy, ensuring firms had enough money to absorb losses after an incident, rather than on the ability to prevent disruptions and continue operating through them.

DORA changes this. It shifts the regulatory focus from financial solvency to operational continuity: the ability to withstand, respond to, and recover from ICT-related disruptions. And it does so with a single, directly applicable regulation, no transposition into national law required, no room for member states to water down requirements.

For financial entities that have not yet aligned their ICT frameworks with DORA, the risk is no longer theoretical. The regulation has been enforceable since January 2025, and supervisory authorities across the EU now have the powers to investigate, impose corrective measures, and levy penalties for non-compliance.

20+
Types of financial entity covered by DORA
19
Critical ICT providers are now under direct ESA oversight

What DORA Actually Requires And Who It Applies To

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is a binding EU regulation that establishes a single set of requirements for the security and resilience of ICT systems across the financial sector. It entered into force on 16 January 2023 and became fully enforceable on 17 January 2025.

Unlike a directive, DORA applies directly in all 27 EU member states. Financial entities cannot wait for national transposition; the requirements are already in effect.

Who DORA applies to

DORA covers more than 20 categories of financial entities, including:

Banking & Payments

  • Credit institutions
  • Payment institutions
  • Account information service providers
  • Electronic money institutions

Insurance & Pensions

  • Insurance and reinsurance undertakings
  • Insurance intermediaries and ancillary insurance intermediaries
  • Institutions for occupational retirement provision

Investment & Capital Markets

  • Investment firms
  • Crypto-asset service providers and issuers of asset-referenced tokens
  • Central securities depositories
  • Central counterparties
  • Trading venues
  • Trade repositories
  • Alternative investment fund managers
  • Management companies

Market Infrastructure & Services

  • Data reporting service providers
  • Credit rating agencies
  • Administrators of critical benchmarks
  • Crowdfunding service providers
  • Securitisation repositories

The regulation also extends directly to ICT third-party service providers that serve these entities, a first for EU financial regulation. Providers designated as "critical" by the European Supervisory Authorities (ESAs) are now subject to direct oversight, including on-site inspections and the power to impose daily penalty payments.

Proportionality

DORA does not apply a one-size-fits-all standard. Requirements must be implemented in proportion to each entity's size, risk profile, and the nature and complexity of its operations. Microenterprises, defined as firms with fewer than 10 employees and annual turnover or balance sheet total below €2 million, are subject to a simplified framework that exempts them from the more complex governance and testing mandates.

Certain entities are fully exempt, including managers of alternative investment funds below specific asset thresholds and small insurance undertakings.

How DORA relates to NIS2 and GDPR

For the financial sector, DORA is lex specialis, the more specific law, in relation to the NIS 2 Directive. While financial entities fall within the scope of NIS2, they must comply with DORA's more stringent requirements rather than the general NIS2 obligations.

DORA and the General Data Protection Regulation (GDPR) are complementary rather than conflicting. DORA governs the operational resilience of network and information systems; GDPR governs the protection of personal data. A single ICT incident could trigger reporting obligations under both regulations, but with different timelines and to different authorities.

The Five Pillars That Define DORA Compliance

DORA is built on five interconnected requirements. A weakness in any one of them undermines the entire framework.

ICT Risk Management

This is the foundation. DORA requires financial entities to establish and maintain a comprehensive ICT risk management framework that covers identification, protection, detection, response, and recovery. Critically, DORA places direct accountability on the management body; your board and senior executives are personally responsible for defining, approving, and overseeing the framework. This is not delegable to IT. The framework must be reviewed at least annually and updated after any major ICT incident.

ICT-Related Incident Reporting

When a major ICT-related incident occurs, DORA mandates a strict, harmonised reporting process. Financial entities must classify incidents using criteria defined by the ESAs, submit an initial notification to their competent authority, followed by an intermediate and a final report. The timelines are tight, and the classification criteria are standardised across the EU, replacing the inconsistent national processes that existed previously. Significant cyber threats must also be reported on a voluntary basis.

Digital Operational Resilience Testing

DORA requires financial entities to maintain a comprehensive testing programme. At a minimum, this includes annual testing of ICT systems and tools, vulnerability assessments, open-source software analysis, network security assessments, and scenario-based testing. For entities identified as significant, DORA also mandates advanced Threat-Led Penetration Testing (TLPT) at least every three years. TLPT must be conducted by qualified external testers against live production systems, simulating the tactics of real threat actors.

ICT Third-Party Risk Management

Your operational resilience is only as strong as your most critical supplier. DORA requires financial entities to manage the full lifecycle of ICT third-party risk from pre-contract due diligence through ongoing monitoring to documented exit strategies. Contracts with ICT providers must include mandatory provisions covering service levels, audit rights, data location, incident support, and subcontracting conditions. Financial entities must maintain a Register of Information documenting all contractual arrangements with ICT third-party providers and submit it to their competent authority.

Information and Intelligence Sharing

DORA encourages (but does not mandate) financial entities to participate in trusted information-sharing arrangements to exchange cyber threat intelligence. The regulation provides a legal framework for sharing indicators of compromise, tactics, techniques, and procedures, helping the sector improve its collective defences. Any sharing must comply with existing data protection rules.

A Structured Path from Gap Analysis to Operational Compliance

Every financial entity starts from a different position. Some already have mature ICT risk frameworks that need targeted alignment with DORA's specific requirements. Others need to build foundational capabilities from scratch. Our role is to assess where you are, identify what needs to change, and guide you through a structured process that embeds DORA compliance into your operations.

Here is how we work:

Phase 1 — Scoping and Gap Analysis

We start by understanding your regulatory classification, the ICT services you depend on, and the current state of your risk management practices. We then run a detailed gap analysis across all five DORA pillars, mapping your existing controls, policies, and contractual arrangements against the regulation's requirements. This gives you a clear, prioritised picture of what meets the standard and what needs work.

What you get:
A DORA gap analysis reportA scope assessment with proportionality considerationsA prioritised remediation plan

Phase 2 — Remediation and Framework Development

With the gap analysis as our roadmap, we work with your teams to close the identified gaps. This typically involves developing or enhancing your ICT risk management framework, formalising incident classification and reporting procedures, reviewing and renegotiating contracts with ICT third-party providers, and establishing the governance structures DORA requires, including defined responsibilities for the management body.

What you get:
An ICT risk management framework aligned to DORAUpdated policies and proceduresA Register of Information for third-party arrangementsContract review recommendations

Phase 3 — Resilience Testing Programme

We help you design and implement a DORA-compliant testing programme, from the annual baseline testing requirements (vulnerability assessments, network security reviews, scenario-based testing) through to preparation for advanced Threat-Led Penetration Testing where applicable. We work with qualified external testers and help you integrate testing outcomes into your ongoing risk management cycle.

What you get:
A resilience testing strategyTesting schedule and methodology documentationSupport in coordinating TLPT exercises with competent authorities

Phase 4 — Continuous Improvement

DORA is not a one-off project. The regulation requires ongoing monitoring, regular framework reviews, and learning from incidents and testing outcomes. We help you establish the processes and governance structures needed to maintain compliance over time, including periodic reassessments as the regulatory technical standards continue to evolve.

What you get:
A continuous improvement frameworkPeriodic compliance health checksUpdates as new regulatory technical standards or supervisory guidance are published

Why Financial Entities Work With Us on DORA

Regulatory depth, not just compliance checklists. Our consultants work directly with the regulation text and the ESA technical standards. When we advise on a contractual provision or a reporting obligation, the guidance is traced to a specific article of DORA or a specific regulatory technical standard, not to a summary document or a secondary interpretation. This matters because DORA's requirements are detailed, and the penalties for getting them wrong are significant.
Cross-framework experience. DORA does not exist in isolation. Most of the financial entities we work with are simultaneously managing obligations under ISO 27001, GDPR, the NIS 2 Directive, or sector-specific regulations. We help you build an integrated compliance approach that avoids duplicating effort, mapping overlapping controls, aligning documentation, and ensuring your ICT risk framework serves multiple regulatory purposes.
Practical, proportionate implementation. We apply DORA's proportionality principle in practice, not just in theory. A 15-person fintech does not need the same governance structure as a systemically important bank. We tailor the depth and complexity of the framework to your actual size, risk profile, and operational model so you meet the requirements without burying your organisation in a process it cannot sustain.
500+ Organisations Certified
25+ Years of Experience
0 Failed Certification Projects

DORA Regulation FAQ

The Digital Operational Resilience Act (DORA) Regulation (EU) 2022/2554 is a binding EU regulation that establishes uniform requirements for the security and resilience of ICT systems across the financial sector. Its purpose is to ensure that financial entities and their critical technology partners can withstand, respond to, and recover from ICT-related disruptions, including cyberattacks and system failures. As a regulation (not a directive), it applies directly in all 27 EU member states without requiring transposition into national law.

DORA covers more than 20 categories of financial entities, including banks, investment firms, payment institutions, electronic money institutions, insurance and reinsurance undertakings, crypto-asset service providers, central securities depositories, central counterparties, trading venues, credit rating agencies, and crowdfunding service providers. It also applies to ICT third-party service providers that serve these entities. The regulation has extraterritorial reach: it applies based on where services are delivered to EU financial entities, regardless of where the provider is headquartered.

DORA entered into force on 16 January 2023 and became fully enforceable on 17 January 2025. All covered entities are required to comply now. The ESAs have published the regulatory technical standards (RTS) and implementing technical standards (ITS) that specify the detailed requirements for compliance.

DORA's penalty framework operates at two levels. For financial entities, Article 50 requires each member state to establish its own administrative penalties for DORA breaches. These vary significantly across the EU. A DLA Piper analysis from October 2025 found that turnover-based penalty ceilings range from 5% of annual turnover (Spain) to 10% (Sweden), while absolute ceilings range from €2 million (Czech Republic) to €20 million (Italy). Penalties can also be imposed on individual members of the management body, with ceilings ranging from €100,000 (Finland) to €5 million (Germany). For Critical Third-Party Providers, the penalties are set directly by DORA itself: Article 35 empowers the Lead Overseer (one of the three ESAs) to impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover, applied daily for up to six months until compliance is achieved. Beyond financial penalties, regulators can issue binding recommendations, require remedial actions, mandate audits at the entity's expense, and, in severe cases, require financial entities to suspend or terminate arrangements with non-compliant ICT providers.

ICT providers are affected in two ways. Indirectly, all providers serving the financial sector face increased contractual scrutiny, as their financial entity clients are required under DORA to include specific mandatory provisions in their contracts, conduct thorough due diligence, and exercise audit rights. Directly, providers designated as "critical" by the ESAs are subject to the DORA Oversight Framework, which gives the Lead Overseer powers to request information, conduct investigations and on-site inspections, issue recommendations, and impose penalty payments. In November 2025, the ESAs published the first list of 19 designated Critical Third-Party Providers. Non-EU providers designated as critical must establish an EU subsidiary within 12 months of designation.

DORA is lex specialis (more specific law) in relation to the NIS 2 Directive for the financial sector. This means that while financial entities technically fall within the scope of NIS2, they must comply with DORA's more specific and more stringent requirements. In areas where NIS2 provisions are more specific than DORA, NIS2 applies supplementarily.

DORA and ISO 27001 serve different purposes but are highly complementary. ISO 27001 provides a framework for establishing an Information Security Management System (ISMS), while DORA sets legally binding requirements specifically for digital operational resilience in the financial sector. An organisation that already holds ISO 27001 certification will find that many of the foundational risk management, incident management, and governance controls overlap with DORA's requirements, which can significantly reduce the effort needed to achieve compliance. However, DORA introduces requirements that go beyond ISO 27001, particularly around TLPT, third-party oversight with mandatory contractual provisions, specific incident reporting timelines, and management body accountability.

Threat-Led Penetration Testing (TLPT) is an advanced form of security testing required by DORA for financial entities identified as significant by their competent authorities. Unlike standard penetration testing, TLPT simulates the tactics, techniques, and procedures of real threat actors against live production systems. It must be conducted at least every three years by qualified external testers, following the TIBER-EU framework. The scope and conduct of each TLPT exercise must be coordinated with the relevant competent authority.

Yes. DORA incorporates a proportionality principle, meaning requirements must be applied in proportion to the entity's size, risk profile, and the complexity of its operations. Microenterprises (fewer than 10 employees, turnover or balance sheet below €2 million) are subject to a simplified framework. Certain entities are fully exempt, including managers of alternative investment funds below specific asset thresholds and small insurance undertakings. However, even exempt or simplified-framework entities should assess their position carefully, as their contractual relationships with larger financial entities may still be affected by DORA's third-party risk requirements.

Start with a scope assessment to confirm whether and how DORA applies to your organisation, taking proportionality into account. Then secure formal board-level support and budget. DORA explicitly requires management body involvement, so this is not optional. Conduct a detailed gap analysis comparing your existing ICT risk management framework, incident reporting procedures, testing programme, and third-party contracts against all five DORA pillars. Develop a prioritised remediation plan with clear responsibilities and timelines. Review and renegotiate third-party contracts to include DORA's mandatory provisions. Finally, formalise governance structures for ongoing ICT risk oversight, and plan for the continuous improvement that DORA requires.

Ready to Align Your Organisation With DORA?

Talk to one of our experts about your situation. We'll give you an honest assessment of where you stand and what it will take to achieve compliance.

Speak to an Expert

Speak to an Expert

We'll get back to you within one business day.

We respect your privacy. No spam, ever.