Security incident? Call: +48 732 059 711
DORA compliance

DORA for financial entities, implemented

ICT risk framework, third-party register, incident classification, resilience testing and (where required) Threat-Led Penetration Testing. We cover all 5 pillars.

Who is it for?

  • Banks and credit institutions
  • Payment and e-money institutions
  • Insurance and reinsurance
  • Investment firms and asset managers
  • Crypto-asset service providers
  • Critical ICT third-party service providers
What you get

Outcomes across all 5 DORA pillars

ICT risk management framework

Pillar 1: documented framework with governance, risk identification, protection, detection, response and recovery.

Incident classification & reporting

Pillar 2: classification matrix for major ICT-related incidents, reporting templates and playbooks built around the RTS/ITS timelines: initial notification within 4 hours of classifying an incident as major and no later than 24 hours after becoming aware of it, intermediate report within 72 hours of the initial notification, final report within one month of the intermediate report.

Digital operational resilience testing

Pillar 3: annual testing program for the ICT systems that support critical or important functions: vulnerability assessments, scenario-based tests and, for entities designated by their competent authority, TLPT at least every 3 years.

ICT third-party risk management

Pillar 4: register of information on all contractual arrangements with ICT third-party providers, concentration risk assessment, exit strategies and the mandatory contract clauses of Art. 30.

Information sharing

Pillar 5: participation in sectoral information-sharing arrangements, documented and governed.

Board briefing

The management body bears ultimate responsibility for managing ICT risk and must keep its knowledge of that risk up to date. We brief your board and document its oversight.

How we work

DORA implementation in 4 phases

  1. Scoping & gap analysis

    Proportionality assessment (not all pillars apply equally), gap analysis against all 5 pillars and the relevant RTS / ITS.

  2. Framework & policies

    ICT risk framework, governance structure, policies, register of information on contractual arrangements, incident classification.

  3. Testing program

    Annual resilience testing plan, scenarios, internal team upskilling. TLPT preparation if you are in scope.

  4. Maintenance & reporting

    Quarterly reviews, contract updates, incident reporting support, annual framework update.

FAQ

Frequently asked questions

When does DORA apply?
DORA (Regulation (EU) 2022/2554) entered into force on 16 January 2023 and has applied since 17 January 2025. Enforcement and supervisory action are ramping up.
Are we in scope?
Article 2 lists 20 types of financial entity, from credit institutions and insurers through investment firms to crypto-asset service providers; ICT third-party providers designated as critical fall under the separate oversight framework. We determine scope in the first 30 minutes.
What is TLPT and do we need it?
Threat-Led Penetration Testing is an intelligence-led red-team exercise against live production systems, following the TIBER-EU framework, required at least every 3 years for financial entities designated by their competent authority (Art. 26). We deliver TLPT-compatible tests.
How does DORA relate to NIS2?
For financial entities, DORA is lex specialis: where it applies, its ICT risk management and incident reporting provisions take the place of the corresponding NIS2 obligations (NIS2 Art. 4). We help you navigate both.
What about our critical ICT suppliers?
You need a register of information covering all ICT contractual arrangements, a concentration risk analysis, exit strategies and the mandatory contract clauses. We help you update contracts and assess suppliers.

Scope your DORA program

30-minute call — we confirm scope, proportionality and propose a concrete plan.