DORA Compliance

Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector (the Digital Operational Resilience Act, DORA) was adopted by the EU in November 2022. Targeting any financial entity within the EU, as well as critical providers of ICT services to financial entities, it aims to create a harmonized regulatory framework on digital operational resilience. To achieve this, the practice of ICT risk management is brought to the foreground, along with requirements on operational resilience testing and on the identification, handling, and notification of operational resilience incidents.

The National Competent Authorities of Member States will need to enforce the regulation and supervise compliance, with the power to impose administrative penalties on members of the management body of the non-conformant financial entity.


All EU-based financial entities and providers of critical ICT services to financial entities:

Financial Entities:

  • BFSI sector entities
  • Brokers
  • Investment firms
  • Credit Institutions

ICT Service Providers:

  • Cloud Service Providers (CSPs)
  • Software Providers
  • Critical ISVs
  • Fraud Management Providers
  • Managed Security Service Providers (MSSPs)
  • Payment Solutions Providers

Therefore, if your organization falls under one of the above categories, compliance with DORA will be required.

SpearIT can support and guide your organisation throughout the proactive steps towards compliance with DORA. Our experience in compliance projects with both types of entities ensures cost-effective and practical compliance:

Gap Analysis

While it is true that financial entities do take measures to manage risks, not all entities follow an ICT-specialized approach to risk management. Thus, a gap analysis is performed as the initial step to determine the current state of your organization's readiness against DORA requirements.

The identified gaps provide the primary road map towards DORA compliance, taking into account the specific provisions required, according to your organization's type (financial entity or critical ICT provider).

ICT Risk Management Framework

SpearIT can assist in developing a comprehensive ICT Risk Management Framework (ICT-RMF), as required by DORA, incorporating KPIs and risk metrics. Furthermore, our cybersecurity and risk management experts can assist in:

  • ICT asset and dependency mapping
  • definition of Critical or Important Functions (CIFs) across ICT systems
  • definition or refinement of Business Continuity (BC) and Disaster Recovery (DR) Plans, based on specific outage scenarios
  • deployment of technical measures to maintain the resilience of ICT systems

ICT Incident Classification & Reporting Framework

DORA raises the bar for incident classification, notification and reporting. SpearIT can assist in developing an appropriate incident management framework, capable of providing a process to:

  • record and classify all important ICT incidents
  • evaluate the incident-related risks
  • notify affected clients or other entities
  • submit the required intermediate and final incident reports to national competent authorities, according to guidelines set by ESAs

Operational Resilience Testing

DORA establishes the concept of digital operational resilience testing (ORT). It foresees a comprehensive resilience testing programme with a range of assessments and methodologies to be performed on an annual basis.

SpearIT, with a team of highly qualified and certified offensive security professionals, can provide these types of assessments, such as vulnerability assessments, penetration testing and red team attacks (threat-led penetration testing).

Third-Party Risk Management

It should be restated that DORA considers risk management practices of high importance. Apart from the internal ICT risk management framework, it also requires that financial entities effectively manage third-party risks. To achieve this, financial entities shall:

  • assess the risks resulting from concentration of CIFs to a number of outsourcing providers
  • ensure the completeness of third-party ICT contracts

Especially for critical ICT third-party providers, DORA requires alignment with the Union Oversight Framework: a supervision and collaboration regime between the Lead Overseer and the critical ICT third-party service providers offering services to financial entities which may affect the supply of financial services.

Intersection with NIS2 Directive

An overlap is observed between the NIS2 Directive and the requirements set by other, sector-specific regulations, such as DORA. As a general rule, NIS2 shall not apply to entities regulated by sector-specific legislation, if the requirements set by the latter are at least equivalent in effect to those of the NIS2 Directive.

However, at the current, early state of DORA enforcement, SpearIT recommends planning for NIS2 and DORA compliance jointly. Once both pieces of legislation become final and related guidelines are published, a subsequent gap analysis can be performed to ensure proper compliance and alignment.

Act ahead of time. Connect with a DORA compliance expert.

