
DORA Compliance Consulting

DORA status (April 2026): DORA (Regulation (EU) 2022/2554) has applied since 17 January 2025 and is enforced in the Netherlands by DNB and AFM. Financial entities that cannot show a complete ICT risk management framework, a register of information on their ICT third-party providers and an operational resilience testing programme are exposed to enforcement action.

Since 17 January 2025, DORA has been mandatory for banks, insurers, investment firms and a range of other financial entities, and it places their critical ICT third-party service providers under an EU oversight framework. The Digital Operational Resilience Act requires demonstrable ICT risk management, structured incident reporting and periodic resilience testing, up to and including Threat-Led Penetration Testing (TLPT) for designated entities. Meeting these requirements demands a structured approach. We understand the requirements and guide financial institutions to full DORA compliance, without unnecessary overhead.

DORA compliance

We cover all NCA requirements for your DORA engagement, including supervisor reporting and TLPT preparation.

What is DORA?

DORA (Regulation (EU) 2022/2554) sets uniform requirements for the digital operational resilience of financial entities in the EU. As a regulation it is directly applicable, without national transposition, and it covers a broad spectrum of financial entities. DORA is mandatory for credit institutions (banks), investment firms, payment institutions, e-money institutions, insurers, pension funds and a range of other financial entities. Their critical ICT third-party service providers (CTPPs) do not carry the same obligations but are subject to direct oversight by the European Supervisory Authorities (ESAs).

The 5 DORA Pillars

  • ICT risk management: A comprehensive ICT risk management framework covering governance, identification, protection and prevention, detection, response and recovery, and learning and evolving, backed by periodic risk assessments and documented business continuity and recovery plans.
  • ICT incident management: Detection, classification and reporting of ICT-related incidents. Major incidents must be reported to the competent authority (in the Netherlands DNB or AFM) on fixed deadlines, in stages: an initial notification, an intermediate report and a final report. Significant cyber threats may be reported voluntarily.
  • Digital operational resilience testing: A testing programme covering ICT systems and applications that support critical or important functions, with TLPT (Threat-Led Penetration Testing) at least every three years for financial entities identified by their competent authority.
  • ICT third-party risk: Due diligence, mandatory contractual provisions and ongoing monitoring of ICT service providers, with extra scrutiny for those supporting critical or important functions. Maintain and keep current a register of information on all contractual arrangements with ICT third-party providers, and be ready to submit it to the supervisor on request.
  • Information sharing: Voluntary arrangements for exchanging cyber threat information and intelligence with other financial entities. Participation is optional, but an entity that joins or leaves such an arrangement must notify its competent authority.

DORA & ISO 27001

An existing ISO 27001-certified ISMS provides a solid foundation for DORA, but does not cover everything. DORA adds requirements in the areas of ICT third-party risk (the register of information, mandatory contract clauses, exit strategies), digital operational resilience testing (including TLPT) and detailed incident classification and reporting that are specific to the financial sector and go beyond the Annex A controls. We fill the gap.

Our DORA Approach

  • Scoping & assessment: Determine which DORA requirements apply to your organisation, taking proportionality into account
  • ICT risk framework: Establish or strengthen your ICT risk management framework in line with DORA
  • Incident procedures: Establish classification criteria and the reporting and notification process for the supervisory authority
  • Supplier register: Inventory ICT third parties, build the register of information and secure the required provisions contractually
  • Resilience testing: Plan and manage the required testing programme, including TLPT where your entity has been designated

DORA-compliant in the financial sector?

Our experts guide your financial institution through the complete DORA engagement — from ICT risk framework to supplier register and mandatory resilience tests.


The 5 Pillars of DORA

DORA (Digital Operational Resilience Act) rests on five pillars: ICT risk management (governance, policy and control), ICT incident reporting (classification and timely reporting of major incidents to the competent authority), digital operational resilience testing including TLPT for entities designated by their supervisor, management of ICT third-party risk with a register of information and exit strategies, and voluntary information sharing on cyber threats. All pillars must be demonstrable and measurable.

Who does DORA apply to?

DORA applies to virtually all financial entities in the EU: banks, insurers, pension funds, investment firms, payment institutions, fintechs with a financial licence, crypto-asset service providers (CASPs) and trading venues. ICT third-party providers designated as critical (for example large cloud and SaaS providers) fall under direct oversight by the ESAs through a Lead Overseer. Dutch institutions report to DNB or AFM, depending on which authority supervises them.

Supervision and Liability

The management body is ultimately responsible for digital operational resilience and must be able to demonstrate knowledge of and control over ICT risk, including keeping its own knowledge up to date. If measures are insufficient, supervisory authorities can impose fines and operational restrictions. We support your risk framework, register of information, incident reporting procedures and TLPT coordination with external testing parties.

Frequently Asked Questions

Does my fintech or crypto platform fall under DORA?

Yes, if you are MiCAR-licensed or provide other regulated financial services. Unlicensed fintechs that provide ICT services to regulated parties are not in scope directly, but are affected through the third-party chain: the regulated customer must record them in its register of information and impose DORA's contractual provisions on them.

What is a TLPT test?

Threat-Led Penetration Testing is an advanced test, required at least every three years, for financial entities that their competent authority has designated for it. Based on current threat intelligence, an external red team that meets DORA's tester requirements simulates realistic attacks against live production systems supporting critical or important functions. We facilitate the scoping, preparation and remediation.

What role does our ICT supplier play?

DORA requires you to record all ICT suppliers in a register of information, carry out risk analysis before contracting, define exit strategies for providers supporting critical or important functions and include specific contractual provisions (such as audit and access rights, service levels, incident assistance and termination rights). Providers designated as critical additionally fall under direct EU oversight by a Lead Overseer. We assess and revise your supplier contracts.
