Insights on DORA compliance, ICT risk management, and digital operational resilience
DORA entered into force on 17 January 2025. Here is how DORA GRC covers all four regulatory pillars — ICT risk, incident reporting, resilience testing, and third-party oversight — in a single purpose-built platform.
The ESAs' Spring 2026 joint risk assessment connects geopolitical instability, AI-driven disruption, and cyber threats to the financial sector's operational resilience. Here's what it signals for DORA compliance priorities.
Three major industry surveys paint a consistent picture: most financial entities entered 2026 with significant DORA compliance gaps. Here's what the data says — and what's actually happening on the enforcement side.
All four Nordic financial supervisors have published their 2026 priorities. ICT risk, cyber resilience, and operational continuity feature prominently in every single one. Here is what that convergence means for firms operating under DORA in the Nordics.
We built the feature we kept hearing about from compliance teams preparing for their first NCA inspections: a one-click audit documentation package. Here is what shipped in Q1 2026 and what is coming next.
Not every financial entity needs to perform threat-led penetration testing under DORA. But if your competent authority says you do, the process is substantial — 12 to 18 months from start to attestation. This guide walks through who gets identified, the specific thresholds, what the test involves, and how to document your conclusion.
Proportionality is one of the most misunderstood parts of DORA. It does not exempt anyone from compliance — but it does let you scale your implementation to fit your organisation. This guide explains what Article 4 requires, who qualifies for the simplified framework, and how to document your proportionality assessment so it holds up under supervisory review.
DORA applies to all MiFID II-licensed investment firms — from asset managers to algorithmic trading firms. This guide covers which obligations apply, how they interact with existing MiFID II requirements, and what to prioritise first.
DORA applies to all PSD2-licensed payment institutions and EMD2-licensed e-money issuers — no size exemption. This guide covers which obligations apply, where proportionality helps, and where it does not.
The ESAs published the first official list of Critical ICT Third-Party Providers in November 2025. Here is what financial entities need to do now if their cloud provider, data vendor, or core technology integrator made the list.
The EU's Digital Omnibus proposal promises a single entry point for cyber incident reporting across DORA, NIS2, and GDPR. Here is what it actually changes, what it does not touch, and why your current DORA obligations remain fully in force.
The first full submission cycle for the DORA Register of Information (RoI) has closed. Firms across the European Economic Area were required to submit their registers of ICT third-party arrangements — reflecting contractual positions as of 31 December 2025 — to their national competent authorities (NCAs) in time for the ESAs' consolidated deadline of 31 March 2026.
The 360° Intelligence Hub connects assets, providers, functions, risks, incidents, contracts, and controls in a single view. No more switching between modules to understand your DORA compliance posture.
A practical guide to the DORA Register of Information. Covers the 15 templates, the EBA validation rules that trip up 93% of submissions, NCA-specific deadlines and portals, and how to avoid the most common errors.
A country-by-country breakdown of what European financial supervisors are focusing on in their DORA audits for 2026. Covers Norway, Sweden, Denmark, Finland, Germany, Netherlands, France, Ireland, Luxembourg, Italy, and the UK.
Download our free DORA compliance checklist template with 95 items across all five pillars. Includes a professional Excel workbook with maturity scoring, auto-calculated dashboard, and a companion PDF guide.
A critical system goes down at 09:15. By 13:15 your regulator expects to know about it. That is the reality of DORA major incident reporting.
Financial services firms are adopting AI at a significant pace. Two major EU regulations now apply to AI systems used by financial entities: the EU AI Act and DORA.
Many compliance teams in the EU financial sector are now looking at two major regulations at the same time. DORA came into force in January 2025. NIS2 national transpositions are either live or arriving.
If you operate in the EU or serve EU customers, you have probably noticed a wave of new cybersecurity and resilience regulations coming into effect. DORA, NIS2, the EU Cyber Resilience Act (CRA), and the EU AI Act all landed within a short window of each other, and it is not always obvious which ones actually apply to your organisation. This post walks through each regulation, who it targets, and where they overlap. No legal jargon, just a practical guide to help you figure out your obligations.
A walkthrough of the Vendor Questionnaire module in DORA GRC — how to send structured security assessments to ICT providers, track responses, auto-score results, and document compliance with Art. 28(1)(d).
DORA has been enforceable since January 2025. This practical checklist covers all five pillars — ICT risk management, incident reporting, resilience testing, third-party risk, and governance — with direct article references so you can audit your programme against the actual regulation.
The Digital Operational Resilience Act (DORA) is the EU's landmark regulation requiring financial entities to withstand, respond to, and recover from ICT disruptions. This complete guide covers everything you need to know — from scope and requirements to deadlines and enforcement.