
DORA Compliance

Digital Operational Resilience Act gap assessment and compliance advisory for EU financial entities.

DORA · Applicable from Jan 2025
TLPT · Resilience Testing
CREST · Certified
ICT · Third-Party Risk

EU Digital Operational Resilience Act (DORA) Compliance

The EU Digital Operational Resilience Act (Regulation (EU) 2022/2554) became applicable on 17 January 2025, imposing binding ICT risk management, incident reporting, resilience testing, and third-party risk management obligations on financial entities operating in or serving the EU. Covered entities include banks, investment firms, payment institutions, insurance undertakings, crypto-asset service providers (CASPs), and their ICT third-party service providers (TTPSPs). DORA introduces the most prescriptive ICT risk framework ever applied to the EU financial sector, with EBA, ESMA, and EIOPA issuing detailed Regulatory Technical Standards (RTS) on every major obligation.

Intelliroot's DORA compliance programme provides a structured gap assessment, compliance roadmap, and implementation advisory for financial entities and ICT TTPSPs subject to DORA. Our CREST-certified team brings hands-on experience with TIBER-EU (the threat-led penetration testing framework underpinning DORA's TLPT requirement) and deep expertise in ICT third-party risk management — the two most technically demanding components of the DORA compliance programme.

References: DORA (Regulation (EU) 2022/2554) · EBA Guidelines · ENISA · TIBER-EU

Why DORA Demands Immediate Action

DORA Is Already Applicable

DORA became applicable on 17 January 2025. Financial entities that have not completed their DORA gap assessment and commenced remediation are already in a state of non-compliance. Supervisors in key EU jurisdictions are actively reviewing DORA readiness across the financial sector.

Prescriptive Incident Reporting Timelines

DORA imposes specific incident classification criteria and a three-stage reporting timeline — initial notification within 4 hours, intermediate report within 24 hours, and final report within 1 month. Entities without automated incident classification and reporting pipelines will struggle to meet these obligations.

ICT Third-Party Risk Is Extensive

DORA requires financial entities to maintain a complete register of all ICT third-party service providers, classify critical and important TTPSPs, include mandatory contractual provisions in TTPSP agreements, and support oversight of critical TTPSPs by EU supervisors. This is a multi-year compliance programme, not a one-time exercise.

TLPT for Significant Entities

Significant financial entities must conduct Threat-Led Penetration Testing (TLPT) at least every three years, involving red team operations based on threat intelligence from approved providers. TIBER-EU provides the methodology. As a CREST-certified firm, Intelliroot is qualified to conduct TLPT engagements under the TIBER-EU framework.

DORA Compliance Programme Scope

ICT Risk Management Framework

  • ICT risk management framework gap assessment
  • ICT asset inventory and classification
  • Risk tolerance setting and ICT risk appetite
  • Business continuity and ICT continuity planning

Incident Classification & Reporting

  • ICT incident classification criteria implementation
  • 4-hour / 24-hour / 1-month reporting pipeline design
  • Major incident determination and escalation process
  • Competent authority notification templates and procedures

Digital Operational Resilience Testing

  • Basic DORA testing programme (VAPT, scenario testing)
  • TLPT scope definition for significant entities
  • TIBER-EU methodology alignment and engagement support
  • Testing results remediation and tracking

ICT Third-Party Risk Management

  • Complete ICT TTPSP register construction
  • Critical/important TTPSP classification process
  • Contractual provision gap analysis against DORA RTS
  • Concentration risk and exit strategy assessment

Our DORA Compliance Approach

01. Applicability & Proportionality Assessment

Confirm the entity's DORA applicability category (financial entity or ICT TTPSP), apply the proportionality principle to define the applicable obligations, and map all relevant EBA/ESMA/EIOPA RTS requirements to the entity's specific profile and operations.

02. Gap Assessment

Conduct a structured gap assessment across all five DORA pillars — ICT risk management, incident management, resilience testing, third-party risk management, and information sharing. Produce a scored gap register covering every applicable RTS requirement.

03. ICT Third-Party Register & Contract Review

Build or validate the complete ICT TTPSP register, classify providers by criticality, and review existing contracts against DORA's mandatory contractual provisions. Identify contracts requiring amendment and prioritise by risk.

04. Incident Reporting Framework Design

Design the ICT incident classification framework, establish the 4-hour / 24-hour / 1-month reporting pipeline, create notification templates aligned to competent authority formats, and test the process through a simulated incident scenario.

05. Remediation Roadmap & TLPT Planning

Deliver a phased DORA compliance roadmap with effort estimates and implementation sequencing. For significant entities, define the TLPT scope and timeline in accordance with TIBER-EU methodology requirements.


Frequently Asked Questions

Who does DORA apply to?

DORA applies to a broad range of EU financial entities — credit institutions, investment firms, payment institutions, e-money institutions, insurance and reinsurance undertakings, crypto-asset service providers (CASPs), central counterparties, central securities depositories, trade repositories, and ICT third-party service providers that are designated as critical by EU supervisors. Non-EU entities serving EU financial institutions may also be caught as ICT TTPSPs.

What are the DORA incident reporting timelines?

DORA requires a three-stage major incident reporting process: an initial notification to the competent authority within 4 hours of classifying an incident as major (and no later than 24 hours of becoming aware); an intermediate report within 24 hours of the initial notification; and a final report within 1 month of the intermediate report. The classification criteria for a major incident are defined in the EBA RTS on ICT incident classification.

What is TLPT?

Threat-Led Penetration Testing (TLPT) is a red team assessment based on threat intelligence from approved Threat Intelligence Providers (TIPs), conducted against production systems. TLPT is mandatory for significant financial entities at least every three years. The methodology is defined by TIBER-EU. Intelliroot is CREST-certified and experienced in TIBER-EU engagements — we can scope, conduct, and support the supervisory review of TLPT engagements.

Does DORA apply to Indian entities?

Indian financial entities are directly subject to DORA if they hold EU financial services licences or operate EU branches/subsidiaries. Indian technology firms and ICT service providers are caught as ICT TTPSPs if they provide services to EU financial entities that rely on those services to deliver regulated activities. EU-designated critical TTPSPs face direct supervision by EU authorities regardless of where they are domiciled.
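The three-stage timeline described in the incident-reporting answer above, as an added worked example of a deadline tracker for a reporting pipeline (illustrative code written for this page, not Intelliroot's tooling or a regulatory reference implementation). It assumes UTC timestamps, interprets "1 month" as the same calendar day of the following month clamped to that month's last day, and uses hypothetical function names; the sample incident is constructed.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class ReportingDeadlines:
    initial: datetime       # initial notification due
    intermediate: datetime  # intermediate report due
    final: datetime         # final report due


def add_one_month(ts: datetime) -> datetime:
    """Same day next calendar month, clamped to that month's last day (assumption)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def compute_deadlines(aware_at: datetime, classified_at: datetime) -> ReportingDeadlines:
    """Derive the 4-hour / 24-hour / 1-month deadlines from two timestamps."""
    if classified_at < aware_at:
        raise ValueError("classification cannot precede awareness")
    # Initial: 4h after classifying as major, but never later than 24h after
    # becoming aware. Slow classification therefore shortens the 4h window.
    initial = min(classified_at + timedelta(hours=4), aware_at + timedelta(hours=24))
    intermediate = initial + timedelta(hours=24)       # 24h after initial
    final = add_one_month(intermediate)                # 1 month after intermediate
    return ReportingDeadlines(initial, intermediate, final)


def overdue_stages(d: ReportingDeadlines, now: datetime, submitted: set) -> list:
    """Stages whose deadline has passed without a recorded submission."""
    stages = (("initial", d.initial), ("intermediate", d.intermediate), ("final", d.final))
    return [name for name, due in stages if now > due and name not in submitted]


if __name__ == "__main__":
    # Constructed incident: aware at 08:00, classified as major two hours later.
    aware = datetime(2025, 3, 1, 8, 0, tzinfo=UTC)
    classified = datetime(2025, 3, 1, 10, 0, tzinfo=UTC)
    d = compute_deadlines(aware, classified)
    print("initial:", d.initial, "intermediate:", d.intermediate, "final:", d.final)
    print("overdue:", overdue_stages(d, datetime(2025, 3, 2, 15, 0, tzinfo=UTC), {"initial"}))
```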

Deliverables

DORA Readiness Gap Assessment Report

Scored gap assessment across all five DORA pillars, mapped to applicable EBA/ESMA/EIOPA RTS requirements, with compliance status ratings and remediation priorities.

ICT Third-Party Risk Register

Complete ICT TTPSP register with provider classification (critical/important/standard), contractual provision gap analysis, and concentration risk assessment.

Incident Classification Framework

ICT incident classification framework implementing DORA criteria, with the 4-hour / 24-hour / 1-month reporting pipeline, notification templates, and process documentation.

TLPT Scope Definition

For significant entities: TLPT scope definition document aligned to TIBER-EU methodology requirements, covering target systems, Threat Intelligence Provider selection criteria, and testing timeline.

DORA Compliance Roadmap

Phased remediation roadmap with effort estimates, implementation sequencing, and milestone alignment to the DORA compliance cycle and supervisory examination calendar.
