DORA Compliance
Compliance with the Digital Operational Resilience Act (DORA) is mandatory from January 2025. LRQA ensures you meet all regulatory requirements
LRQA is uniquely placed as a full-service provider for achieving DORA compliance
The Digital Operational Resilience Act (DORA) is a landmark EU regulation that means financial organisations must ensure they can prevent and mitigate cyber threats and withstand, respond to, and recover from all types of information communication technology (ICT) disruptions.
The DORA Regulation marks a shift in emphasis from solely ensuring an organisation’s financial stability to guaranteeing its ability to maintain resilient operations. Organisations may now need to develop new operational resilience capabilities that must be tested and fully commit to an ongoing mandate to enhance their cybersecurity maturity
Award-winning expertise
Our cyber security team continues to achieve multiple vendor certifications, highly respected industry accreditations and international accolades, demonstrating the breadth, depth and impact of their services.
Benefits of our DORA Compliance Services
LRQA is uniquely placed as a full-service provider for achieving DORA compliance. When you partner with LRQA, you gain access to a team of highly skilled and experienced cyber threat intelligence (CTI) analysts, governance risk and compliance consultants, and cyber incident response experts.
This combination empowers us to provide you with advanced insights and actionable intelligence, enabling proactive identification, mitigation of cyber threats, and measures to meet compliance objectives.
Our experts cover every part of the testing process for DORA.
We are your full-service provider for achieving DORA compliance.
Advisory and compliance consulting
We provide consultancy-led expert guidance on aligning cybersecurity practices with DORA requirements. We work with you to create, develop, and implement policies and procedures.
Managed detection and response
We partner with you to achieve 24/7 monitoring and response services using leading industry technology capabilities to swiftly identify and mitigate cyber threats.
Resilience testing
We provide penetration testing to identify vulnerabilities in financial systems and applications. You receive detailed reports with actionable recommendations for remediation.
Incident response
We deliver an expert service as an assured NCSC level 2 cyber incident response provider. We offer cyber incident response services designed to aid your organisation’s preparedness in the event of a serious cyber incident.
Everything you need to know about DORA
The five pillars of DORA
Risk management
Identify, assess, mitigate and maintain resilient operations in the face of severe disruptions.
Incident management, classification and reporting
Implement early-warning systems to detect and manage cyber incidents and report them promptly. This requires a dedicated SOC security operations centre.
Digital operational resilience testing
Maintain risk-centric and independent testing programmes such as red teaming, purple teaming and advanced penetration testing against regulatory frameworks such as TIBER EU.
Third-party risk management
Include and manage ICT risks from third parties within ICT management frameworks.
Information sharing
Participate in the exchange of valuable cyber security threat and intelligence information among critical entities.
Why work with us?
Specialist expertise
Our cyber security experts hold multiple vendor certifications and accreditations as well as highly respected industry accreditations from CREST, the PCI SSC, ISC2, BCI, Chartered Institute of IT, and NCSC CHECK.
Industry leadership
We lead and shape industry on advisory boards and councils including the PCI SSC Global Executive Assessor Roundtable and CREST councils in the Americas, Asia, EMEA and the UK. We are certified by a range of governing bodies including the payment card industry and are approved as a Qualified Security Assessor.
Everywhere you are
Operating in over 55 countries, with more than 250 dedicated cyber security specialists and over 300 highly qualified information security auditors across the world, we can provide a local service with a globally consistent dedication to excellence.
Award winners
We have been recognised for the breadth and depth of our services – including the TEISS Award for Best Penetration Testing Service in 2024, Enterprise Threat Detection and Cloud Security awards at the Security Excellence Awards 2024 and the Stratus Award for Best Managed Cloud Security Service.
How is DORA regulated?
Specific authorities (known as competent authorities) in each member nation are responsible along with the European Banking Authority (EBA).
Organisations must prepare for the increased regulatory engagement powers that DORA will give to both national and EU-level supervisors. Instead of merely viewing this as a compliance task, organisations may need to develop new operational resilience capabilities, that must be tested and proven to work, and fully commit to an ongoing mandate to enhance their cyber security maturity.
What organisations does DORA apply to?
DORA encompasses over 22,000 financial entities and ICT service providers operating within the EU, along with the ICT infrastructure supporting them from outside the EU. The regulation establishes detailed and stringent requirements applicable to all participants in the financial market.
Financial entities covered by DORA include:
- Credit institutions
- Payment institutions
- Account information service providers
- Electronic money institutions
- Investment firms
- Crypto-asset service providers and issuers of asset-referenced tokens
- Central securities depositories
- Central counterparties
- Trading venues
- Trade repositories
- Managers of alternative investment funds
- Management companies
- Data reporting service providers
- Insurance and reinsurance undertakings
- Insurance intermediaries, reinsurance intermediaries and
- ancillary insurance intermediaries
- Institutions for occupational retirement provision
- Credit rating agencies
- Administrators of critical benchmarks
- Crowdfunding service providers
- Securitisation repositories