Expert DORA consultancy helping financial institutions across the UK and Europe navigate the EU Digital Operational Resilience Act with confidence.
DORA identifies five critical areas and helps organisations focus attention where the potential impact is high.
Overarching frameworks to standardise identification of critical assets and their dependencies, allocate priorities and quantify ICT risks using various scenarios and models.
Learn moreNavigate complex regulatory landscapes with expert guidance on DORA compliance, helping your organisation meet all requirements and evidence its compliance effectively.
Learn moreComprehensive audit services for ICT suppliers, from dedicated theme audits to end-to-end reviews and independent reports for third-party service providers.
Learn moreRecently published ESA guidelines, which various central banks have also echoed, create a tight timeline for showing evidence of compliance.
Most central banks expect to receive the information registers by early April 2025, which aligns with the next steps of register consolidation, evaluation, and use for Critical ICT third-party service providers (CTPPs), aiming to designate the CTPPs and start the oversight engagement this year.
Your organisation register must include the required details, which are typically unavailable; therefore, it takes time to compile and validate it. This includes mapping all ICT assets, documenting dependencies, and classifying services according to their criticality to your business operations.
DORA compliance is not a one-off exercise. It requires an ongoing programme of risk management, incident reporting, resilience testing, and third-party oversight that must be embedded into your organisation's governance structure.
In our workshops, we will help you evaluate your current level of ICT compliance and provide a relevant structure to manage it efficiently. We can also support your organisation by outsourcing various compliance processes to us.
It can be tedious since small to medium-sized financial entities use between 15 and 60 ICT suppliers. While not all of those suppliers are critical, and we assume that your organisation could identify those correctly, even for those that are critical, the audit will take, on average, 7 to 10 days to complete. The larger entities can expect a more significant number of critical suppliers with associated efforts.
The ESA regulatory technical standards on third-party risk set out specific requirements for the content of contracts with ICT service providers, sub-outsourcing arrangements, and the information register that financial entities must maintain. Understanding these requirements early allows you to plan your audit programme effectively.
We can help with our audit services, from dedicated theme audits to comprehensive end-to-end reviews. Let's have a chat about your DORA challenges.
In a world of constant change, you need to serve your customers and markets continuously in the best possible way. Your stability is essential — therefore, being well prepared is crucial.
The EU Digital Operational Resilience Act (DORA) is a complex regulation that requires significant attention across your entire organisation. From board-level governance to day-to-day ICT operations, every layer of your business must understand its role in maintaining digital operational resilience.
Our training programmes are designed to give your teams the knowledge they need, while our expert workshops provide hands-on guidance for building a compliant and resilient operation.
DORA doesn't apply to you directly, but it does apply to your client. The DORA addenda you're receiving are drafted by European lawyers who are over-indexing to protect their organisations. Simply signing what's put in front of you is commercially reckless, while refusing to engage is existentially reckless. From incident notification windows and subcontractor chain responsibility to audit rights, business continuity testing, and exit strategies — the new requirements demand a significant effort. Read more about IT suppliers' legal obligations under DORA and how to pragmatically address them.
Fifteen months into DORA, the Register of Information has been submitted by most firms — and forgotten by most of them. The dry-run produced a 6.5% data-quality pass rate among 1,039 voluntary early adopters. The analytical fields on substitutability, alternatives, and sub-outsourcing chain were systematically left blank, and the register that was meant to be an internal risk artefact has been treated as an annual filing. Meanwhile, the 19 designated Critical ICT Third-Party Providers represent 0.13% of the financial sector's ICT supply — and incidents like ION Group and ICBC FS keep originating in the other 99.87%. Read our two-part analysis: the DORA Register of Information trap and what the Critical 19 CCTP list actually tells us, including the subcontracting chain, the on-prem/co-location segment the cloud-native framing misses, and the sovereignty profile of EU financial-sector ICT.
Regulatory updates, ESA guidance and analysis from the DORA implementation frontline.
The final EU Regulation 2025/532 simplifies the draft but still requires detailed risk assessment, ongoing monitoring and audit across the full subcontractor chain. Liability stays with the financial entity.
Read moreRegisters of Information submitted by 30 April 2025; ESAs notify critical providers by July 2025; final designation follows a six-week objection window. The clock is already running.
Read moreCSSF added concrete sanctions to Bill 8291: personal fines up to €5m, corporate fines up to €5m or 10% of global revenue, and criminal referral for obstruction. Other Member States are expected to follow a similar pattern.
Read moreOur team of experienced consultants is here to help.
Get in Touch