The starting point
The firm ran an almost entirely outsourced technology model: its core platform consumed as SaaS, infrastructure on public cloud and several fintechs plugged in for onboarding, reporting and distribution. Highly efficient for an organisation of 120 people — and precisely its biggest exposure under DORA. Nearly all of its ICT risk sat outside the building, governed by contracts signed years earlier with no resilience, audit or exit clauses to speak of.
Two things forced the issue. DORA had been applicable since January 2025 and the firm had barely moved, and the supervisor had begun requesting the Register of Information from comparable entities. After an initial working session, the board grasped that accountability for compliance sat with them — not with the IT department — and that realisation changed the pace of the project from day one.
How we approached it
- Gap analysis against DORA's five pillars — with senior management in the room, not just IT. The diagnosis was presented to the board in its own language: what the regulation demands, what is missing, the regulatory risk each gap carries and who owns it. The management body formally assumed the ICT risk oversight role DORA assigns to it.
- A proportionate ICT risk management framework — policy, roles, risk appetite and review cycle sized for a 120-person firm, not a systemic bank. We built on what already existed — the process map, the regulatory compliance function — rather than duplicating structures.
- Register of Information for ICT providers — a full inventory: 34 providers identified and classified against the technical-standard templates. Six turned out to support critical or important functions — the core platform, cloud, custody of position data — and for those six we renegotiated the contractual clauses DORA requires: service levels, audit rights, subcontracting, data location and exit strategy.
- ICT incident management and reporting — a process with classification thresholds aligned to the ESAs' criteria, a decision matrix for determining when an incident becomes reportable, and initial, intermediate and final notification templates ready to file with the regulator within the deadlines.
- A proportionate resilience testing programme — periodic vulnerability assessments, restore tests and scenario exercises covering the critical providers. No TLPT: applying the proportionality principle, the firm does not meet the criteria that would make it mandatory — and that decision was reasoned in writing so it can be defended in front of the supervisor.
Results
- 5 months: from gap analysis to filing the Register of Information on time
- 34 / 6: ICT providers classified; 6 supporting critical or important functions, with DORA clauses renegotiated
- 0: findings from the supervisor at the first review of the programme
Beyond compliance, the third-party exercise surfaced a pure security finding: while inventorying access, two providers turned up holding privileged access to the firm's systems that nobody could justify — leftovers from projects closed years before. Both were revoked within the week. The Register of Information, as well as being a regulatory deliverable, turned out to be the first complete picture of who could touch what.
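One way to turn that finding into a repeatable check, as an added illustration that is not the firm's or this page's own tooling: reconcile an export of privileged third-party access against the Register of Information, so that any provider credential with no registered, in-force contract and no engagement reference is flagged for revocation. Provider names, accounts, systems, ticket references and dates below are constructed sample data, and the 180-day review window is an assumed parameter, not something the text states.

```python
"""Reconcile third-party privileged access against the Register of Information.

Added example (not the firm's or the page's own code). The register and the
access inventory are constructed sample data; in practice they would be
exported from the contract register and from each system's IAM (cloud IAM,
SaaS admin console, directory / VPN). Names, tickets and dates are invented.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Provider:
    name: str
    critical: bool          # supports a critical or important function
    contract_active: bool   # an in-force contractual arrangement exists


@dataclass(frozen=True)
class Access:
    account: str
    provider: str           # which third party holds the credential
    system: str
    privileged: bool
    justification: str      # change ticket / engagement reference, "" if none
    last_used: Optional[date]


# Constructed sample Register of Information (hypothetical providers).
REGISTER = {
    p.name: p for p in [
        Provider("CorePlatformCo", critical=True, contract_active=True),
        Provider("CloudHost", critical=True, contract_active=True),
        Provider("OnboardingFintech", critical=False, contract_active=True),
        Provider("OldMigrationVendor", critical=False, contract_active=False),
    ]
}

# Constructed sample access inventory (hypothetical accounts and dates).
INVENTORY = [
    Access("svc-core-deploy", "CorePlatformCo", "core-platform", True, "CHG-1041", date(2025, 6, 2)),
    Access("cloudhost-support", "CloudHost", "cloud-account", True, "CHG-0877", date(2025, 5, 30)),
    Access("onboard-api", "OnboardingFintech", "crm", False, "CHG-0990", date(2025, 6, 1)),
    Access("migr-admin", "OldMigrationVendor", "core-platform", True, "", date(2021, 3, 12)),
    Access("consult-root", "UnknownConsultancy", "cloud-account", True, "", None),
]


def find_unjustified_privileged_access(inventory, register, today, stale_days=180):
    """Return (account, reason) pairs for privileged third-party access that
    cannot be tied to a registered, in-force arrangement with a live purpose.
    Only the first failing condition is reported per account. stale_days is an
    assumed review window."""
    findings = []
    for a in inventory:
        if not a.privileged:
            continue
        p = register.get(a.provider)
        if p is None:
            findings.append((a.account, "provider not in Register of Information"))
        elif not p.contract_active:
            findings.append((a.account, "provider contract no longer in force"))
        elif not a.justification:
            findings.append((a.account, "no engagement reference for privileged access"))
        elif a.last_used is None or (today - a.last_used).days > stale_days:
            findings.append((a.account, "privileged access unused beyond review window"))
    return findings


def critical_providers_without_recorded_access(inventory, register):
    """Providers registered as supporting critical or important functions but
    with no access recorded at all: either the inventory export is incomplete
    or the register overstates what they can reach. Both need following up."""
    seen = {a.provider for a in inventory}
    return sorted(p.name for p in register.values() if p.critical and p.name not in seen)


if __name__ == "__main__":
    for account, reason in find_unjustified_privileged_access(INVENTORY, REGISTER, date(2025, 6, 15)):
        print(f"REVOKE/REVIEW {account}: {reason}")
    for name in critical_providers_without_recorded_access(INVENTORY, REGISTER):
        print(f"GAP {name}: critical provider with no recorded access")
```

The two flagged accounts in the sample, one tied to a provider whose contract has lapsed and one tied to a party not in the register at all, are the shape of the finding described above. Running the reconciliation on every register update, rather than once during the engagement, is what keeps the "who can touch what" picture from going stale again.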
What made it work
- DORA is a governance and third-party problem, not an IT one: once the board owned its accountability, the project stopped competing for resources.
- The Register of Information is the first thing the regulator looks at: starting there brings order to everything else — contracts, criticality, exit plans.
- Well-reasoned, documented proportionality prevents over-investment: skipping TLPT was a defensible decision, not an omission.
Frequently asked questions
Who does DORA apply to?
Virtually every regulated financial entity in the EU — banks, asset managers, investment firms, insurers, payment institutions — and, indirectly, their ICT providers: those supporting critical or important functions must accept specific contractual clauses covering service levels, audit rights, subcontracting, data location and exit.
How long does it take to become DORA compliant?
It depends on your starting point and how much of your technology estate is outsourced. As a reference, a firm of around 120 employees with no formal ICT risk framework completed the programme in five months: gap analysis, governance framework, Register of Information, incident process and testing programme. With some groundwork already in place, timelines shorten.
What is the DORA Register of Information?
The formal inventory of all contractual arrangements with ICT providers, classified against the technical-standard templates, which an entity must be able to hand to the supervisor on request. It is the first thing the regulator looks at, because it shows at a glance how well third-party risk is actually under control — and building it forces contracts, criticality and exit strategies into order.
Is threat-led penetration testing (TLPT) mandatory?
Not for every entity. DORA applies the proportionality principle: TLPT is only required of firms that meet certain size and systemic-impact criteria. For everyone else, a proportionate testing programme is sufficient — vulnerability assessments, restore tests, scenario exercises — with the decision reasoned in writing and defensible in front of the supervisor.
Running late with DORA?
If the supervisor asked for your Register of Information tomorrow, would you have it? We help you close the gap in order of regulatory risk: register, contracts, incidents and testing — proportionate to your size and defensible in front of the regulator.