DORA Compliance

DORA is in force. Whether you are a financial entity or an ICT supplier to one, the obligations are real.

The Digital Operational Resilience Act (EU 2022/2554) applies since January 2025. Financial entities (banks, insurers, payment firms, investment companies) have direct ICT risk management obligations. ICT service providers to those entities face new contractual requirements, audit rights, and due diligence demands flowing down from their customers.

Who needs to care

DORA affects you if any of these are true.

You sell software or ICT services to financial institutions

Banks, insurers, payment firms, and investment companies must now assess and manage ICT third-party risk under DORA Articles 28-30. That means new contractual requirements, audit rights, and due diligence on your security posture.

A financial customer sent a DORA questionnaire

Your customer needs to demonstrate to their regulator that they have assessed your operational resilience. They are sending questionnaires, requesting evidence, and adding contractual clauses you have not seen before.

You overlap with NIS2 and need a coordinated response

Many ICT providers fall under both NIS2 and DORA. The requirements overlap but are not identical. A coordinated approach avoids duplicate work and conflicting documentation.

Key requirements

What DORA means for ICT service providers.

  • ICT risk management framework aligned with your customer's obligations (Art. 5-16)
  • Incident reporting procedures that meet the timelines your financial customers must follow (Art. 17-23)
  • Digital operational resilience testing appropriate to your role in the supply chain (Art. 24-27)
  • Third-party risk management: contractual provisions, exit strategies, and concentration risk documentation (Art. 28-30)
  • Information sharing arrangements where required by the financial entity (Art. 45)

How to start

Start with a DORA gap assessment.

A focused assessment of your current posture against the DORA obligations that flow down to ICT service providers. It identifies gaps, maps overlap with existing ISO 27001 or NIS2 work, and produces a prioritised roadmap. Fixed fee: 25-35K DKK. 5-10 business days.

DORA questions usually start with a specific financial customer asking for something new.

Tell me what they asked. Thirty-minute scoping call, no commitment.
