DORA Compliance

EU Digital Operational Resilience Act

DORA became a legal requirement for financial entities operating in the EU, and their critical ICT providers, from January 17, 2025, with 2026 marking the start of genuine supervisory enforcement. It requires a documented Register of Information for ICT third parties and an initial incident report within just 4 hours of a major incident being classified, stricter than NIS2's 24-hour window.

Who needs DORA

  • Banks, insurers, investment firms, and other EU financial entities
  • Critical ICT third-party providers supporting EU financial services
  • Organizations needing a Register of Information for ICT vendors

Our approach

  • ICT risk management framework gap assessment against DORA requirements
  • Register of Information documentation for critical ICT third parties
  • 4-hour incident classification and reporting process design
  • Digital operational resilience testing program setup

Frequently asked questions

How is DORA different from NIS2 for financial services firms?

DORA is sector-specific to financial entities and their ICT providers, with a stricter 4-hour initial incident reporting window compared to NIS2's 24 hours, plus a mandatory Register of Information for ICT third parties. Some financial entities are in scope for both DORA and NIS2 depending on services offered.

What is the Register of Information under DORA?

It's a structured, mandatory inventory of all ICT third-party service providers a financial entity relies on, including criticality assessments. Regulators are actively reviewing these registers as part of 2026 supervisory enforcement, not treating them as a paperwork formality.

Ready to start your DORA journey?

Tell us where you are today and we'll scope a gap assessment to get you audit-ready.