Get ready for the DORA regulation

DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) is a regulation of the European Union aimed at strengthening the digital operational resilience of the financial sector. It applies from 17 January 2025.

DORA Obligations and Technical Requirements

Start preparing your compliance plan now: align with regulatory obligations and standards to avoid heavy penalties and seize all opportunities for your business.

  • Key Obligations

    To manage ICT risk, financial institutions must adopt a clear framework with defined roles and responsibilities, with the management body holding ultimate responsibility for it.

    - ICT Risk Management: identification, assessment, and mitigation of risks related to information and communication technologies (ICT).
    - Resilience Testing: execution of advanced tests, such as Threat-Led Penetration Tests (TLPT), to assess resistance to cyberattacks.
    - ICT Incident Management: implementation of processes to detect, handle, and respond to security incidents promptly and effectively.
    - Operational Continuity: definition of business continuity plans to ensure uninterrupted ICT services.
    - Third-Party Risk Management: managing risks associated with third-party ICT service providers, including contractual requirements and a register of information on all contractual arrangements.
    - Incident Reporting: notification of major ICT-related incidents to the competent authority, through initial, intermediate, and final reports.
  • DORA RTS and ITS

    The European Supervisory Authorities (ESAs) develop Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) to provide detailed guidance on the DORA Regulation and operational references for financial entities. These technical standards cover:

    - The ICT risk management framework.
    - Criteria for classifying major ICT-related incidents.
    - Management of risks arising from third-party ICT service providers.
    - Procedures for reporting major ICT-related incidents.
    - Standard templates and procedures for notifying ICT incidents to supervisory authorities.
    - Advanced operational resilience testing (TLPT - Threat-Led Penetration Testing).

Which financial entities are involved?

The DORA regulation applies to financial entities and, through a dedicated oversight framework, to ICT third-party service providers designated as critical, taking into account the differences between financial organizations in terms of size, business profile, and exposure to digital risk. Compliance measures may vary depending on the complexity and significance of the financial entity involved (the principle of proportionality).

Financial Sector

  • Banks (credit institutions)
  • Payment and electronic money service providers
  • Credit rating agencies
  • Crowdfunding service providers
  • Third-party ICT service providers (subject to oversight when designated as critical)
  • Trading venues and trade repositories
  • Insurance and reinsurance companies
  • Alternative investment fund managers and management companies
  • Central securities depositories
  • Crypto-asset service providers
  • Central counterparties
  • Investment firms

What can you do today

Is your company subject to the regulation?

Contact us to verify if you fall within the scope of DORA.
We will support you on the path to compliance through a strategic and operational approach tailored to your business.

How can we help you?

Get ready for DORA with our cybersecurity services.

01. Scope of application

We offer an advisory service in collaboration with partners such as international law firms, cybersecurity experts, and data privacy specialists.
Our consultancy determines the applicability of the regulation to your company, whether you are a financial entity or an ICT provider.

02. DORA Gap Analysis

We evaluate compliance with the regulation’s requirements. This service helps identify non-compliant areas and develop an action plan to address the gaps. It includes:

  • Cyber Risk Assessment, to identify and mitigate the operational risks behind each area of non-compliance.
  • Requirements Mapping and Gap Analysis, which maps DORA requirements to your current controls, including incident detection, classification, and notification capabilities, and pinpoints the discrepancies.
  • Sustainable and Proportional Roadmap, with clearly defined roles, responsibilities, and priorities for a structured compliance plan.

03. Digital Operational Resilience Testing

We provide a certified ethical hacking team to implement a robust and comprehensive testing plan. This includes advanced cybersecurity tests, such as Threat-Led Penetration Testing (TLPT), which is run against live production systems supporting critical or important functions and must be conducted at least every three years by the financial entities that the competent authorities identify for it.

04. Cybersecurity Training

We promote a cybersecurity training plan to ensure that all staff, including executives and members of the management body, are equipped to handle cyber risks and threats. It includes:

  • Security Awareness, to enhance ICT security awareness among employees and management.
  • Specific Modules related to practices for crisis management, operational continuity, and incident response.

Take a step toward a safer future

Contact us for a free consultation and discover how to achieve and maintain compliance with DORA.
