The EU Digital Operational Resilience Act. ICT risk management, incident reporting, resilience testing, and ICT third-party oversight: applicable to in-scope financial entities since 17 January 2025.
The senior view
DORA (Regulation (EU) 2022/2554) is a regulation, not a certification scheme: there is no certificate to hang on the wall. It sets directly applicable obligations across five areas: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk, and information sharing. We treat it as a connected program, not an isolated checklist.
It commonly reaches firms that don't think of themselves as "EU regulated": an EU-authorised entity in the group, an EU financial client base, or a contract with an in-scope financial entity that flows DORA's ICT third-party requirements (Article 30 contractual provisions) down to the provider. If a buyer, a regulator, or a contract has put DORA on your desk, we can start the conversation today.
Adjacent practices we run today
ISO 27001:2022
The ISMS backbone most of DORA’s ICT risk controls map onto.
ISO 22301
Business continuity discipline behind operational resilience.
SOC 2
Evidence that carries over into ICT third-party assurance.
GLBA
The nearest U.S. analogue (the FTC Safeguards Rule) for non-bank financial firms.