DORA Compliance Consultancy for Financial Institutions
The Digital Operational Resilience Act (DORA) has been in force since 17 January 2025, applying to over 21,000 financial entities across the EU. Razorthorn provides specialist DORA compliance consultancy to help financial institutions meet their obligations under Regulation (EU) 2022/2554, from initial gap analysis through to ongoing resilience testing and third party risk management.
Whether you need to assess where you stand, close specific compliance gaps or build a complete DORA programme from scratch, our consultants work with your team to deliver practical, proportionate solutions that satisfy regulators without disrupting your operations.
What does DORA compliance consultancy help you achieve?
Regulatory confidence: Demonstrate to competent authorities that your ICT risk management, incident reporting and third party oversight meet DORA’s requirements under Chapters II–V of the regulation.
Operational resilience: Build the capability to withstand, respond to and recover from ICT disruptions and cyber threats, with tested processes and documented frameworks.
Penalty avoidance: Reduce the risk of enforcement action. Member states can impose administrative penalties with turnover-based ceilings of 5-10% of annual turnover under Article 50. Critical ICT providers face fines of up to 1% of average daily worldwide turnover, accumulating daily for up to six months.
Who does DORA apply to?
DORA applies to 20 types of financial entity under Article 2 of the regulation, covering over 21,000 organisations across the EU:
- Credit institutions
- Payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366
- Account information service providers
- Electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC
- Investment firms
- Crypto-asset service providers and issuers of asset-referenced tokens
- Central securities depositories
- Central counterparties
- Trading venues
- Trade repositories
- Managers of alternative investment funds
- Management companies
- Data reporting service providers
- Insurance and reinsurance undertakings
- Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
- Institutions for occupational retirement provision
- Credit rating agencies
- Administrators of critical benchmarks
- Crowdfunding service providers
- Securitisation repositories
- ICT third-party service providers.
How can Razorthorn help with DORA compliance?
- Gap Analysis: We will check your readiness for compliance with DORA.
- Threat-Led Penetration Testing: Comprehensive red team assessments tailored for financial institutions.
- Security Awareness Training: Human error is a significant vulnerability; regular training reduces your risk.
- Third Party Security Tool Implementation: Objective recommendations for tools specifically suited to your organisation.
- Continuous Testing: Meet key testing requirements outlined in Chapter IV (Articles 24–27) of DORA. See Razor’s Edge for more.
- Continuity Plans: Continuity plan and business impact analysis review or creation.
- Penetration Testing: Identify vulnerabilities that could be exploited in your infrastructure, applications or network.
- Consultancy Services: Take advantage of our experienced team of cyber professionals.
How does DORA compliance consultancy work with Razorthorn?
We start with where you are
Every engagement begins with understanding your current position. We assess your existing frameworks, policies and controls against DORA’s requirements and identify the gaps that need closing. If you’ve already done some work towards compliance, we build on what’s there rather than starting from scratch.
We focus on what matters most
Not every DORA requirement carries the same risk for every organisation. We help you prioritise based on your size, complexity, risk profile and the proportionality provisions built into the regulation. Certain entity types, including small and non-interconnected investment firms and exempted payment and electronic money institutions, benefit from a simplified ICT risk management framework under Article 16. Microenterprises benefit from separate proportionality provisions throughout DORA, including exemption from TLPT and less frequent framework reviews. Larger entities need more comprehensive programmes, particularly around threat-led penetration testing and third party oversight.
We work alongside your team
DORA compliance isn’t something that can be fully outsourced. Your organisation retains accountability for operational resilience regardless of who helps you build the frameworks. Our consultants work alongside your risk, compliance, legal and IT teams to transfer knowledge and build internal capability, so you’re not dependent on external support for ongoing compliance.
Let’s go!
Ready to strengthen your organisation’s DORA compliance? Contact us today for a consultation. We’ll assess where you stand, identify any gaps and build a practical plan to meet your regulatory obligations.
For more on DORA requirements, including guides on third party compliance, ICT risk management and resilience testing, visit our DORA Compliance Resource Hub.
Frequently Asked Questions about DORA Compliance Consultancy
How long does it take to achieve DORA compliance?
The timeline depends on your starting point and the complexity of your organisation. A gap analysis typically takes 2-4 weeks. Building and implementing a full DORA compliance programme can take 3-12 months depending on the scope of changes needed, particularly around third party contract renegotiations which often take the longest. Razorthorn works with you to create a realistic roadmap with clear milestones.
Does DORA apply to UK financial institutions?
DORA is an EU regulation, so it applies directly to financial entities regulated within the EU. UK financial institutions are not directly subject to DORA. However, UK-based ICT service providers that support critical or important functions for EU-regulated clients are affected, as their EU clients must ensure DORA-compliant contractual arrangements and oversight. UK firms with EU subsidiaries or branches will also need to comply for those operations.
What is included in a DORA gap analysis?
A DORA gap analysis assesses your organisation against all five pillars of the regulation: ICT risk management (Chapter II, Articles 5-16), incident reporting (Chapter III, Articles 17-23), digital operational resilience testing (Chapter IV, Articles 24-27), third party ICT risk management (Chapter V, Articles 28-44) and information sharing (Article 45). The output is a detailed report showing your current compliance position, identified gaps and a prioritised remediation plan.
Do we need threat-led penetration testing under DORA?
Not all financial entities are required to conduct threat-led penetration testing (TLPT). DORA requires TLPT for larger, systemically important institutions under Articles 26-27, typically following the TIBER-EU framework. Competent authorities determine which entities must perform TLPT based on their size, systemic importance and risk profile. All financial entities must conduct some form of digital operational resilience testing, but smaller organisations may use simpler testing methods proportionate to their size.
Can Razorthorn help with DORA third party contract reviews?
Yes. Third party risk management is one of the most complex areas of DORA compliance. We help financial institutions review existing ICT contracts against Articles 28-44 requirements, identify gaps in audit rights, incident reporting obligations, exit strategies and subcontractor provisions and support renegotiations with providers. We also help build the Register of Information required under Article 28(3).
How much does DORA compliance consultancy cost?
Costs depend on the scope of work, your organisation’s size and how far along you are with compliance. A standalone gap analysis is a fixed-fee engagement. Larger programmes covering multiple areas of DORA are typically scoped and priced based on an initial assessment. Contact us for a conversation about your specific requirements and we’ll provide a clear proposal.