What the framework requires
ICT risk management
Financial entities must maintain a sound, comprehensive ICT risk-management framework with policies, procedures, ICT systems and tools, and a board-level governance arrangement. The framework must be documented, regularly reviewed, and explicitly tied to the entity's business strategy.
Incident management and reporting
Major ICT-related incidents must be classified and reported to the competent authority within strict deadlines. Significant cyber threats may also be voluntarily reported. Reporting is harmonised across the financial sector under DORA — one regime, not multiple.
Operational resilience testing
Entities must implement a comprehensive testing programme proportional to size and risk profile. Larger entities run threat-led penetration testing (TLPT) under the regulator's oversight at least every three years.
Third-party ICT service-provider governance
DORA imposes specific obligations on entities' relationships with ICT service providers — pre-contractual due diligence, contractual provisions, monitoring, and exit strategies. Critical third-party providers fall under direct ESA oversight.
How our services map to compliance
- Cyber penetration testing aligned to DORA TLPT. Through our specialist partner we deliver penetration testing engagements scoped to align with DORA's threat-led testing programme — with documentation suitable for regulator review.
- Incident-response planning and exercises. Programme-level support for incident-response design, tabletop exercises, and integration with the entity's incident-reporting workflow.
- Third-party governance support. Pre-contractual due diligence on ICT service providers, contract review, and ongoing supplier monitoring — supporting the third-party governance pillar of DORA.
