DORA Compliance & Certification

The Digital Operational Resilience Act (DORA) came into force across the EU on 17 January 2025 and is now actively supervised. It applies to financial entities operating in the EU and to the ICT third-party providers that serve them. Even UK and global firms are in scope where they operate into the EU, supply EU-regulated financial entities, or sit in a group that includes EU financial entities.

RedSecLabs delivers full-spectrum DORA compliance: ICT risk management framework, Article 30 third-party risk programme, operational resilience testing (including TLPT for significant entities under Article 26), incident reporting playbooks, and the supervisory-ready evidence pack that competent authorities expect.

We work with EU financial entities, UK firms with EU exposure, and ICT third-party providers serving the European financial sector.



UK-based CREST member · QSA-aligned methodology · Same-day scoping response · Executive + technical reports · Retest included

Who this is for

This service is a fit if you are:

  1. Significant entities
    EU-regulated financial institutions in scope for DORA Article 26 TLPT requirements.
  2. Non-significant entities
    DORA-in-scope firms below the TLPT threshold needing proportionate Articles 24-25 testing programmes.
  3. ICT third-party providers
    Critical ICT providers serving DORA-regulated entities who must demonstrate DORA-aligned controls.

DORA Compliance, Quick Facts

Last reviewed: 2026-05-21
  • In force: 17 January 2025 (full enforcement)
  • Scope: Financial entities and critical ICT third-party providers serving the EU financial sector
  • Article 26 TLPT: Threat-Led Penetration Testing required at least every 3 years for significant entities
  • Articles 24-25: Proportionate testing programme for non-TLPT-threshold entities
  • Article 30: ICT third-party risk management framework required
  • Competent authorities: FCA, PRA (UK proxy compliance); EBA, ESMA, EIOPA (EU); national authorities

What DORA actually requires

DORA is the EU regulation that creates a single rulebook for ICT operational resilience across financial services. It replaces a patchwork of overlapping national and sectoral requirements with one comprehensive regime covering ICT risk management, third-party risk, incident reporting, operational resilience testing, and information sharing.

The regulation applies to financial entities (banks, payment institutions, asset managers, insurers, investment firms, crypto-asset providers, and others) and to the critical ICT third-party providers that serve them. The latter is the genuinely novel part of DORA: cloud providers, MSPs, and major software vendors are now directly in scope of EU financial supervision for the first time.

What our DORA engagements deliver:

  • DORA ICT risk management framework aligned to Article 6 RTS
  • Article 30 third-party register and contractual remediation
  • Operational resilience testing programme (proportionate or TLPT)
  • Incident classification, reporting playbooks, and templates
  • Information sharing arrangements established
  • Supervisory-ready evidence pack and audit trail

From firms just starting DORA preparation to mature programmes needing refresh and TLPT delivery, our methodology scales to your starting position and supervisory profile.

Why DORA matters across the EU

DORA came into force on 17 January 2025 and supervisory authorities across the EU are now actively assessing financial entities against it. The European Supervisory Authorities (EBA, ESMA, EIOPA) coordinate the regime, with national competent authorities running supervision in each member state. The regulation has direct effect, supervisors have real powers, and fines of up to 2% of total annual worldwide turnover (or up to 1% daily for ICT third-party providers) are now on the table.

Beyond the regulatory consequences, DORA codifies what good ICT operational resilience looks like in financial services. Firms that engage properly with DORA emerge with stronger third-party risk management, clearer incident response, better testing programmes, and a coherent ICT risk story for boards and supervisors.

Common pressures DORA creates:

  • Article 30 contractual remediation across the supplier base
  • TLPT delivery for entities above the significance threshold
  • Incident reporting deadlines (4 hours initial, 72 hours follow-up)
  • Third-party concentration risk for critical service providers
  • Supervisory onsite inspections under Article 50
  • Group-wide application across EU and non-EU entities

DORA is not optional and not negotiable with the supervisor. It is workable with the right partner and methodology.

Who needs DORA compliance

DORA applies to two broad categories of organisation:

  • Banks and credit institutions
  • Asset managers and fund admins
  • Payment institutions and EMIs
  • Investment firms and trading venues
  • Insurance and reinsurance
  • Crypto-asset service providers
  • Critical ICT third-party providers
  • FinTech and RegTech serving the above

How we deliver DORA programmes

Eight-stage delivery programme, scaled to your size and proportionality regime. Fixed-fee scope, single point of contact, evidence reuse against ISO 27001 and other compliance regimes.

  1. Scope Determination & Applicability
    We confirm whether DORA applies to your organisation (financial entity, ICT third-party provider, both, or critical-designated), and which proportionality regime governs your obligations.
  2. ICT Risk Management Framework
    DORA Article 6 requires a documented ICT risk management framework. We build or refresh yours against the framework requirements, mapping existing controls and identifying gaps against the regulatory technical standards (RTS).
  3. ICT Third-Party Risk Programme
    DORA materially raises the bar on third-party ICT risk. We deliver supplier register completeness, contractual remediation against the DORA Article 30 mandatory clauses, and the concentration risk analysis required for critical providers.
  4. Operational Resilience Testing
    DORA Articles 24-26 require periodic testing, with threat-led penetration testing (TLPT) for significant entities. We deliver the testing programme aligned to methodology where TLPT applies, and proportionate testing for entities below the TLPT threshold.
  5. Incident Classification & Reporting
    DORA Articles 17-23 impose specific incident classification, reporting timelines, and communication requirements. We build the playbooks, reporting templates, and competent authority engagement processes you will need on the worst day.
  6. Information Sharing Arrangements
    DORA Article 45 encourages cyber threat information sharing between financial entities. We help structure your participation in sector information-sharing arrangements and integrate them into your wider threat intelligence programme.
  7. Evidence & Audit Trail
    DORA brings supervisory powers that include onsite inspection, requests for information, and the ability to impose fines. We build the audit trail and evidence pack that survives supervisory scrutiny.
  8. Annual Refresh & Supervisory Engagement
    DORA is not one-and-done. We run continuous compliance programmes including annual ICT risk assessment refresh, RTS updates, and direct support for any competent authority engagement.

Most first-year programmes complete in 14 to 26 weeks depending on starting position. Annual refresh and ongoing supervisory engagement run as a continuous service.

What you receive

Every DORA engagement delivers:

  • DORA gap assessment against current RTS
  • ICT risk management framework (Article 6 RTS aligned)
  • Third-party register and Article 30 contractual remediation pack
  • Operational resilience testing programme
  • Incident reporting playbook and templates
  • Supervisory-ready evidence and audit trail
  • Board-level reporting suitable for risk committee
  • Annual refresh and supervisory engagement support

Industries We Serve

We deliver this service across these industries:

Retail Banking
Asset Management
Payments
Capital Markets
Insurance
Crypto & Digital Assets
Cloud / ICT Providers
FinTech & RegTech

Why RedSecLabs for DORA

DORA RTS-aligned methodology
Operational resilience testing experience
CREST member company for TLPT delivery
Article 30 contractual remediation depth
Senior financial services consultants
Continuous supervisory engagement support

Speak to a DORA specialist

Book a 30-minute scoping call. We will confirm your DORA applicability, identify your priority workstreams, and quote a fixed-fee programme within 48 hours.

Frequently Asked Questions

DORA applies if you are an EU financial entity (banks, payment institutions, asset managers, insurers, investment firms, crypto-asset providers, market infrastructure, and others) or an ICT third-party provider serving them. Critical-designated providers face the heaviest direct supervision; non-critical providers have flow-down obligations through their financial entity customers. across the EU adds locally-specific applicability nuances which we cover during scoping.

Threat-Led Penetration Testing (TLPT) is required for significant financial entities under Article 26. It is a structured, threat-intelligence-driven red team exercise modelled on the methodology. Significance is determined by the supervisor based on entity size, complexity, and systemic importance. Not every DORA-in-scope entity needs TLPT, but those that do face a substantial undertaking.

Heavily. Most ISO 27001 controls map directly to DORA Article 6 ICT risk management framework expectations. Existing operational resilience work (under PRA SS2/21 for UK firms, or local equivalents elsewhere) covers a meaningful portion of DORA requirements. We design DORA programmes to maximise reuse from existing frameworks rather than rebuilding from scratch.

Article 30 specifies mandatory contractual clauses for every ICT service contract supporting critical or important functions. For most financial entities, this means contractual remediation across dozens to hundreds of supplier contracts. We deliver the remediation programme: prioritisation by criticality, model clause drafting, vendor negotiation support, and audit trail of remediated contracts.

Yes. DORA incident reporting (Article 17 onwards) imposes 4-hour initial notification, 72-hour intermediate report, and 1-month final report timelines for major ICT-related incidents. We build the classification logic, draft the reporting templates aligned to the ITS, and run tabletop exercises so your team is ready before they need to use the playbook.

Scoping is based on your DORA applicability (financial entity vs. third-party provider), proportionality regime, current maturity, and the work you need (gap assessment only, full programme delivery, or specific workstreams like TLPT or Article 30 remediation). We confirm fixed-fee scope within 48 hours of a scoping call.

What you receive

Every engagement includes

  • Scoping call. A 30-minute call to define scope, timeline, and authorisation boundaries.
  • Test plan. Written test plan covering targets, methodology, and rules of engagement.
  • Technical report. Detailed findings with reproduction steps, evidence, and remediation guidance.
  • Executive summary. Board-ready 1-2 page summary with risk ratings and business impact.
  • Audit-ready evidence. Findings letter formatted for auditors, customers, and supervisory authorities.
  • Retest letter. Free retest of remediated findings within an agreed window. Confirmation letter included.
  • Remediation call. A call with our lead tester to walk through findings and remediation strategy.

How we deliver

Our process, end to end

  1. Scoping call & fixed-scope quote
    A 30-minute call. We define scope, targets, timeline. You get a fixed-scope quote within one working day. No surprise invoices.
  2. Test plan & authorisation
    Written test plan covering methodology, targets, and rules of engagement. Authorisation letter signed before any testing begins.
  3. CREST-aligned execution
    Senior tester runs the engagement. Critical findings flagged immediately during testing. Daily updates if you want them.
  4. Technical + executive report
    Detailed technical findings with reproduction steps. Board-ready executive summary. Delivered within agreed working days.
  5. Remediation call & retest
    Walkthrough with our lead tester. Retest of remediated findings within the agreed window. Confirmation letter for your auditors.

Engagement scope

What shapes the quote

  • Small scope: Single app, focused scope, smaller surface. 5-7 working days.
  • Medium scope: Multi-role platform, several user types, integrations. 8-12 working days.
  • Enterprise scope: Complex environment, multiple targets, compliance evidence. 12-25 working days.
  • Fixed-scope quote within 1 working day: No surprise invoices, no scope-creep. We commit to a number before you commit to us.

Sample report

See exactly what we deliver: a redacted RedSecLabs penetration test report is available for download. Same format, same depth, same clarity as the report your team will receive.

Why RedSecLabs

Grounded reasons clients choose us

  • UK-based team: Testers based in the UK. Data stays within UK/EU jurisdiction for sensitive engagements.
  • CREST member company: CREST-aligned methodology. Senior testers hold CREST CRT or CCT certifications.
  • Manual testing, not scanner-only: Automated scanners catch the obvious. Our human testers find the issues that matter.
  • Clear executive reporting: Reports your board can read and your developers can act on. No jargon padding.
  • Compliance-aware delivery: PCI, SOC 2, ISO 27001, DORA, GDPR. We map findings to your compliance framework.
  • Retest support included: Free retest of remediated findings within the agreed window. Confirmation letter for auditors.

Related services

Often paired with this engagement

  • DORA TLPT: Threat-led penetration testing for significant entities.
  • DORA UK: UK firms with EU exposure.
  • DORA Ireland: Ireland-specific guidance.
  • CREST Penetration Testing: CREST methodology for DORA testing.
  • Red Team Assessment: Threat-intelligence-led adversary simulation.