Cybersecurity GRC · DORA Compliance

DORA: the financial sector's
digital resilience, managed.

Applicable since January 2025, DORA imposes a complete digital operational resilience framework on financial entities, and by ripple effect on their ICT providers. I run your compliance, from the register of information to resilience testing.

The engagement

What the mission covers.

Register of information

Inventory of ICT contracts, provider criticality, supported functions, mandatory clauses: the regulation's most structuring pillar, and the best starting point.

ICT risk management

A documented risk management framework approved by the management body, critical asset mapping, risk analysis aligned with your essential functions.

Incidents and notification

Incident classification, regulator notification process within the deadlines, articulated with crisis management.

Resilience testing

A testing program proportionate to your profile, from regular reviews to preparation for threat-led penetration testing (TLPT) for the entities concerned.

Special case

ICT providers: affected without being subject.

If your customers are financial entities, DORA reaches you through the contract: audit clauses, security requirements, exit and reversibility, data location. Anticipating these requirements turns an imposed constraint into a commercial argument against your competitors. And in an M&A deal touching the financial sector, the DORA framework is part of the due diligence scope.

A well-built common foundation answers DORA, NIS2 and ISO 27001 at once: the engagement pools the requirements rather than tripling the effort. See the NIS2 practice
Frequently asked questions

What I get asked about DORA.

Who is covered by DORA?

Financial entities in the broad sense: banks, insurers, asset managers, payment institutions, investment firms, notably. And by contractual ripple effect, their ICT service providers, onto whom the requirements are passed through mandatory clauses.

What is the register of information?

The structured inventory of all contractual arrangements with ICT providers, with their criticality, the functions they support and the applicable clauses. It is the regulation's most structuring pillar in daily practice, producible on demand to the regulator.

Where should the effort start?

With the register of information and the provider map: that is the exercise that reveals the real gap. Then a gap analysis across the regulation's five pillars, leading to a prioritized action plan run as a program.

Free resource

Test your DORA maturity for free.

5 pillars, 32 questions, 7 minutes. Walk away with a snapshot of your exposure and your priorities.

Start the self-assessment

Your resilience deserves management that measures up.

One 30-minute call and you know where you stand against DORA and under what conditions to move forward.

Book a qualification call

First call free, no commitment. See also the Cybersecurity GRC page.