If you're a financial institution you probably know about DORA, the Digital Operational Resilience Act, introduced in September 2020 by the European Commission.


Designed to modernise, incentivise and encourage innovation within the digital finance sector, it demands that financial entities comply with a set of controls to increase resilience to cyber-attacks and enable collaboration and integration for financial businesses across Europe.

The Act came into force in 2023 and the first set of technical standards have now been published.



24th September 2020, European Commission



The act was published on 27th December 2022 and has come into force on 16th January 2023

We are


Issuance of


By the European Supervisory Authorities.
Q3 2023 - Q3 2024

24 months


Applicability starts
17th January 2025


If you are in this sector and covered by this legislation, it's critical that you take steps to comply.

if you haven't already. Not simply because of the regulatory demands, but ultimately non-compliance could stop you from collaborating with other entities or hinder business progress.


Here at SECFORCE, we have the capability to help you comply with all areas of the existing regulations;

And go further to ensure you reach the cyber resilience and maturity level that serves your business as well as the regulations.

Would you like to get a better idea of your DORA readiness?

phone-iconBook a call

DORA's five pillars and what they mean to you.


The regulation enforces a top-down approach placing ICT risk responsibility within the management team and making them responsible for defining risk tolerance, business continuity, disaster recovery, budget allocation, understanding of incident's impact, setting roles and responsibilities, etc.

The framework enforces – from an operational level – a number of requirements to ensure effective risk management:


DORA enforces not only an agile and effective incident management, but also collaboration at the EU level.
This section of the regulation focuses on three main areas:


Incident management process

Comprehensive process to ensure that the organisation has consistent monitoring and detection capabilities, effectively handles incidents, understanding the root causes and contains the incident.


Standard classification of incidents

Classification criteria, enforced to every financial entity, to rate the incidents depending on number of users/systems affected, duration, geographical spread, data losses, criticality of systems affected, severity of the impact and economic loses.



DORA defines the types and timescales of reporting to competent authorities, from the initial notification within the same day of detection to the final report.


DORA requires organisations to have an effective, risk-centric and independent testing programme.
It defines two types or testing:


Standard Testing

This testing should be conducted to all critical ICT systems and application at least once a year, and some organisations (such as central securities depositories and central counterparties) are required to perform penetration testing before any deployment or redeployment of any services supporting critical functions. The testing programme should cover a full range of assessments, including but not limited to vulnerability scans, source code reviews, infrastructure and application penetration testing and physical security reviews.


Advanced Testing

Financial institutions should undergo threat-led penetration testing (eg. TIBER EU and CBEST) every three years. It should cover all the ICT processes, systems and technologies supporting the critical functions of the financial entity, but the scope will ultimately be validated by the competent authorities.


Interestingly, DORA covers the supply chain security and the impact that it may have on organisations.
This area of the regulation covers three main ideas:


risk management

Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework, creating a risk register with all their key suppliers, and performing an assessment of ICT risk concentration. Contractual agreements with suppliers should also be reviewed.



Each entity is required to perform a yearly reporting on their third-party suppliers, stating the type of services that they provide and any new arrangements. This will allow the central authorities to gain a holistic understanding of the remit of suppliers and their coverage at an EU level.



Based on the annual reporting, there will be a designation of critical ICT providers, which should collaborate with the relevant authorities to provide evidence of their security posture.


The final area of the regulation requires voluntary exchange amongst financial entities of cyber threat information and intelligence in trusted communities, including indicators of compromise, tactics, techniques and procedures.

In partnership with threat intelligence market leaders SecAlliance, we provide customised solutions to help you maximise this opportunity and benefit from the collective intelligence of the community.


Do you have any specific enquiries about one of the five DORA pillars?

phone-iconBook a call

3 simple steps
for compliance

SECFORCE is a one-stop shop for DORA compliance.

We believe we are in a unique position to provide an end-to-end solution as we possess the necessary consulting capabilities, technical expertise and partnerships to cover all the DORA requirements.


Gap Analysis

Step 01

DORA is a wide law with requirements in a number of areas affecting processes, procedures, technology and people. The first step to align an organisation with these requirements is to identify the areas which are already in line with the articles in the law, and the ones which need improvement.

A gap analysis is a systematic assessment to identify the areas where there is room for improvement, by comparing the current controls with the ones required by the articles in the law.

Our Approach

This is the first phase in your DORA compliance journey, which sets the foundations for the rest of the actions afterwards.

The accuracy of the gap analysis is imperative for the organisation security posture and compliance.

For this reason, SECFORCE has built an online tool to streamline information gathering, support and evaluation of evidence.


Our DORA Compliance Tracker
brings tangible benefits to your organisation:

A central repository of information and evidence, with clear guidance of the requirements of the law, to start a well-defined journey to compliance.

The ability to delegate tasks to other members of the organisation who are better placed for it. It also allows inter-organisational collaboration (with SECFORCE and your own colleagues) and provides an interface where SECFORCE can guide you towards DORA compliance.

A way to assess not only the current status, but also periodic progress of required changes. This significantly reduces the effort after the initial input, as DORA compliance is required every year.

For each identified gap, it provides a way to assess the operational and cybersecurity risks associated, to prioritise them based on potential impact and relevance to DORA compliance, and to develop a mitigation plan with required actions, timelines and resources.

Choose the plan that suits your organisation best:


SECFORCE will provide you with all the necessary tools to start a self-assessment process, mapping the gaps in your organisation against the DORA regulation. You will have a centralised repository of requirements which will help you understand them in a holistic manner.


Guided assessment

"Just leave it to us". We will request the necessary information to comply with all the requirements, such as network diagrams, policies, etc. And we will complete the assessment for you, providing you a gap analysis and an action plan.


Implementation Process

Step 02

The previous phase will provide a clear and concise set of requirements which need to be fulfilled in order to achieve compliance. This is valuable input to start an implementation project, with defined outcomes and deadlines which – when executed – will bring the organisation gradually closer to compliance.

The mitigation strategy should be dynamic, adaptable to changing threats and regulatory requirements and involve collaboration across different departments and stakeholders within the organization.

Our Approach

SECFORCE will scope, plan, manage and deliver all the necessary activities required to close all the gaps identified during the first phase of the project, considering the organisation's business objectives, current controls, inhouse technologies and skillsets.

The nature of the gaps could vary, as they may be technical deficiencies, lack of processes, enforcement of policies, etc. SECFORCE's consulting team can provide the necessary support to improve the security controls to meet or exceed the standards of acceptability and resilience required.

This may involve the introduction of new technologies, refining existing processes, enhancing policy adherence, and implementing a cohesive approach to improve overall operational resilience and security.

We also recommend periodically reviewing the effectiveness of the gap mitigation measures and adjusting as necessary to further enhance operational resilience and compliance with DORA.

DORA Testing

Step 03

Penetration testing and Threat Intelligence-led testing are two requirements for DORA compliance. As such, these are activities that need to be included in a programme of works at some point before the compliance deadline.

In SECFORCE, you get a strategic partner with a proven track record of technical expertise and testing delivery excellence. Combined with the ability to understand your business goals and challenges, we can provide a unique hybrid approach to DORA testing far beyond mere compliance.


Our Approach

To ensure timely compliance with DORA deadlines, SECFORCE can address the organisation's regular penetration testing requirements in parallel with the rest of the DORA activities.

This should encompass DORA mandates in testing infrastructure, application and/or third-party providers, as applicable.

However, at SECFORCE we believe that the previous activities should also be part of testing, to assess the effectiveness of all the actions implemented during the previous phase. Therefore, we are keen to deliver the testing both during and at the end of the assessment, to benchmark the work performed.

Our DORA Testing Services:

Standard Testing


DORA's standard testing states that all critical ICT systems and applications should be tested at least once a year. The testing programme should cover a full range of assessments including but not limited to:

  • Infrastructure and application penetration testing
  • Red Team - Threat-Led Penetration Testing (TLPT)
  • Purple Team Assessment
  • Vulnerability scans
  • Source code reviews
  • Physical security reviews

Advanced Testing


Financial entities identified as significant by the authorities should undergo threat-led penetration testing – similar to TIBER assessments – once every three years.

It should cover all the ICT processes, systems and technologies supporting the critical functions of the financial entity, but the scope will ultimately be validated by the competent authorities.

Let us better understand how we can help you meet DORA's requirements

phone-iconBook a call