Hard2bit

DORA Regulation: Digital Operational Resilience for Financial Services

Build demonstrable operational resilience and meet Regulation (EU) 2022/2554. We translate regulatory requirements into a practical security and governance program with audit-ready evidence.

A practical, end-to-end approach for the new era of financial supervision

DORA (Digital Operational Resilience Act) is a major regulatory shift in the EU designed to ensure financial entities can withstand, respond to, and recover from ICT incidents. It’s no longer enough to “be secure” — regulators expect provable operational resilience.

At Hard2bit, we don’t stop at documentation. We combine governance and audit expertise with technical teams (Red Team, Cloud Architecture, SOC) to deliver controls, testing, and evidence across DORA’s core pillars.

Key date

DORA applies from 17 January 2025. Organizations should be able to demonstrate ICT risk governance, testing, third-party oversight, and incident reporting readiness with audit-ready evidence.

ICT Risk Governance & Management

Define the ICT risk management framework, resilience strategy, and continuity policies approved and overseen by the management body.

Incident Reporting Readiness

Set detection processes and materiality criteria to classify major incidents and meet regulatory reporting timelines with defensible evidence.

Digital Resilience Testing (incl. TLPT)

From annual vulnerability assessments to threat-led penetration testing (TLPT) for in-scope entities, aligned to DORA testing expectations.

ICT Third-Party Risk Management

Assess concentration risk, review contracts against DORA requirements, and audit critical ICT providers (including cloud) with actionable remediation.

DORA FAQ

Clear answers to the most common technical and compliance questions.

Which financial entities are in scope for DORA?

DORA covers a broad set of financial entities such as credit institutions, payment and e-money institutions, investment firms, crypto-asset service providers, fund managers and insurers, among others. DORA also strengthens requirements around the ICT third-party providers used by these entities.

What happens if we are not compliant?

Competent authorities can impose supervisory measures and sanctions. DORA also requires governance accountability at management-body level, and repeated deficiencies can create significant regulatory and reputational impact.

Does DORA replace the EBA outsourcing guidelines?

DORA consolidates and elevates many existing expectations into a harmonised EU regulation and introduces a stricter, more uniform approach to ICT third-party risk, oversight, and evidence of operational resilience.

How can NormexAI help with DORA compliance?

NormexAI accelerates the mapping between DORA requirements (including the relevant RTS/ITS) and your existing processes and controls, helping you build traceable evidence and speed up gap assessment and remediation planning.

Can an external CISO help us with DORA?

Yes. A virtual CISO (vCISO) service fits the DORA model when the entity needs to strengthen ICT risk governance, board-level reporting, third-party management, coordination of resilience testing (including TLPT where applicable) and solid interaction with supervisors and auditors. It is particularly useful while an internal function is being consolidated.

How does DORA overlap with NIS2, ISO 27001 and ENS?

DORA is lex specialis for the financial sector, so where it applies it takes precedence over NIS2 on the digital operational resilience topics it covers. ISO 27001 provides a reusable ISMS baseline, and ENS applies in the Spanish public-sector context. The four are compatible if the evidence base is designed once and reused. See the ENS vs ISO 27001 vs NIS2 vs DORA comparison for the detailed mapping and sequencing.

How does DORA interact with PCI DSS?

They address different layers and coexist. DORA governs ICT risk, resilience, incident reporting and third-party oversight for financial entities as a whole. PCI DSS v4.0.1 governs the specific controls required to protect cardholder data inside the CDE for any entity that stores, processes or transmits payment card data, including many banks, PSPs, acquirers and e-money institutions that are also in DORA scope. A single, unified evidence programme can satisfy both frameworks: DORA inherits the ICT risk management posture, and PCI DSS adds the cardholder-data-specific control set audited through a RoC or SAQ.

Don’t leave DORA to the last minute

DORA requires structural changes in how technology risk is governed, tested, and evidenced. We provide both the compliance roadmap and the technical execution to deliver operational resilience without friction.

Talk to a DORA consultant