The DORA regulation (Digital Operational Resilience Act) requires financial institutions to manage ICT risk, test digital resilience, and oversee technology providers. We guide organizations through the entire process — from identifying gaps to full operational compliance.
Banks, credit institutions and credit unions
Insurance and reinsurance companies, pension funds
Investment firms, fund managers and alternative investment funds
Payment institutions, e-money institutions, crypto-asset service providers
Third-party ICT service providers for financial entities
Five DORA pillars — we implement each from scratch or improve existing solutions
Gap analysis — identifying gaps against DORA requirements and published RTS/ITS. Mapping current ICT frameworks to regulation requirements.
ICT risk management framework design — building or updating the framework per DORA Articles 6–16, covering strategy, policies, and procedures.
Incident procedures — incident classification, major-incident reporting procedures with initial, intermediate and final report deadlines (4h/72h/1 month), communication channels with national supervisors and ESAs.
ICT third-party management — contract register, vendor risk assessment, exit strategies, DORA-compliant contractual clauses.
Resilience testing — designing and coordinating the testing programme, including threat-led penetration testing (TLPT) scenarios for entities subject to advanced testing requirements.
Validation and maintenance — completeness review, staff training, preparation for supervisory oversight.
DORA has been in effect since January 17, 2025. Financial institutions should already be meeting the regulation's requirements. RTS and ITS published by ESAs detail specific obligations.
DORA is a sector-specific regulation for finance (lex specialis to NIS-2). It is more detailed: it covers resilience testing (TLPT), the ICT provider register, specific reporting timelines, and oversight of critical ICT providers. NIS-2 applies across sectors and is less prescriptive.
Yes — DORA covers 21 categories of financial entities, including micro and small enterprises. A simplified regime (proportionality) is available for smaller entities, but core obligations remain.
Penalties are imposed by the national supervisor. They can include administrative fines, cease-and-desist orders, and for critical ICT providers — fines up to 1% of average daily worldwide turnover.
ISO 27001 is a solid foundation, but DORA goes beyond its scope — it requires threat-led penetration testing (TLPT), an ICT provider register, specific reporting procedures, and exit strategies. ISO certification facilitates implementation but does not replace DORA compliance.