DORA Compliance Assessment

Understand your gaps and prioritize key requirements for DORA compliance with guidance from Kroll experts.
Contact Us

DORA is a new EU regulation  designed to improve the cybersecurity and operational resilience of firms in the financial services sector, covering more than 22,000 financial entities and Information Communications and Technology (ICT)  service providers operating within the EU.

The DORA regulation comes into force on January 17, 2025, with state- level mechanisms expected to be in place and financial entities will be expected to be compliant with the regulation.

Businesses may underestimate the amount of work required to become DORA compliant, and those based outside the EU may not realize that they also need to pay attention to the changes. This could put organizations at risk of failing to meet the new DORA requirements.

To prevent this and ensure that they are ready for the impending changes, businesses should take strategic action now.

Key Focus Areas of DORA Regulation

ICT Risk Management

ICT Related Incident Reporting

Digital Operational Resiliency Testing

ICT Third-Party Risk
Information Sharing

Embed a comprehensive risk management framework for ICT systems.

Standardize reporting of ICT related incidents. Incident management processes and templates for reporting of incidents.

Testing and assurance of technology resiliency through a combination of techniques and harmonization of data collected by financial organizations.

Stricter controls and processes for third-party risk management and oversight.

Mechanisms for sharing information on threat actor activity.

What is the difference between DORA and NIS2 ?

Organizations may find similarities between NIS2  and DORA given its focus on Digital Resilience, however, it is important to understand that there are key differences in terms of scope and application:

NIS2
DORA
Type

Directive – EU Member States are responsible for implementing national laws

Regulation – directly applicable to financial services companies

Implementation Date

October 17, 2024

January 17, 2025

Applies To

Critical Sectors (energy, transportation, health, space, internet etc.), MSPs, MSSPs in EU Member States

Financial Entities (banks, insurance, crypto, etc.) and ICT service providers in EU member states

Overlap

Part of the broader cybersecurity regulatory framework

Takes precedence where sector-specific rules apply (‘Lex Specialis’ exemption)

 

Areas of Focus

Strengthening overall security and incident reporting requirements

Complements NIS2 by providing specific provisions around ICT frameworks, incident response and third-party ICT contracts

Testing Requirements

Variable depending on country

  • A range of assessments and tests every year
  • Threat-led penetration testing every three years
Incident Reporting
  • An early warning within 24 hours
  • An incident notification within 72 hours
  • A final report within 1 month

Classification of ‘major’ incidents and subject to the following:

  • An initial notification within 24 hours

  • An intermediate notification within 72 hours

  • A final report within 1 month

Navigating the Most Common Barriers to DORA Compliance

From our experience of helping organizations in the financial services industry in addressing cybersecurity, governance, risk and compliance challenges, we anticipate businesses may underestimate the amount of work required for DORA compliance. More specially, it’s important to consider some of the most common challenges that will need to be addressed:

Navigating the Most Common Barriers to DORA Compliance 

How Kroll Can Help You Achieve DORA Compliance

Kroll has a long track record of working with financial institutions to enabling them to achieve their security and regulatory goals. We leverage knowledge of Kroll experts who are our expertise consisting of former DORA consultation group members and former SEC, FCA and AMF regulators, along with our frontline intelligence from thousands of incident response cases a year, to provide in-depth support and help prepare your organization prepare for and to fully meet DORA requirements.

Key Outcomes:

Understand Key Gaps in Your DORA Compliance

Have a Clear Path to DORA Compliance While Reducing Longer Term Risk

Implement Solutions to Maintain Operational Resiliency

Quantitative measure of DORA compliance status highlighting key weaknesses by carrying out a gap assessment of operational resilience with DORA and RTS standards

Clear roadmap towards DORA compliance with priority tasks and timeframes. An action tracker is also provided with recommended owners to help stakeholders for effective project management

With our portfolio of advisory, transformation and managed services, we can assist you with the implementation of DORA-aligned policies and procedures, controls, testing and services across ICT risk management, incident management, business continuity, third-party risk management, and digital resiliency testing

How it works:

Our four-phased approach help organizations of all sizes address any stage of DORA compliance:

Planning

Our experts determine the ICT risk management framework that is applicable to your organization under DORA, for example, whether we need to apply the full scope, a simplified framework or a microenterprise regime.

Assessment

Having determined the appropriate framework, our consultants conduct a gap assessment covering the core DORA requirements and draft RTS. By leveraging our own risk analysis tooling and experience of supporting financial services firms with operational resilience programs, we provide a clear risk rating against DORA requirements, whilst giving a quantitative measure of compliance status.

Roadmap

Off the back of the assessment, we provide you with a roadmap report along with an action tracker for effective project management including:

  • Target levels of compliance and maturity in each assessment area
  • Actionable tasks with effort ratings
  • Reasonable timeframes for completion of individual tasks
  • Recommend task owners

Implementation

Having identified DORA compliance key gaps, Kroll can assist with the implementation of repeatable and evergreen programs and software with our comprehensive portfolio of industry-leading services to support you in going beyond just DORA compliance and towards achieving sustainable operational resiliency as new regulations and threats evolve. Our offerings include:

  • Program Design and Assessments
  • Business Continuity/Disaster Recovery
  • Security Risk Assessments (Software Supply Chain, Cloud, SDLC, Compliance etc.)
  • Third-party Risk Management (Due Diligence Assessments, Third Party Monitoring, Contractual Risk Review etc.)
  • Managed Detection and Response
  • Threat-Led Penetration Testing/Red Teaming
  • Threat Intelligence Assessment
  • Vulnerability and Penetration Testing
  • Implementation of Governance, Risk and Compliance software

DORA Compliance Assessment in Your Cyber Risk Retainer

Our DORA Compliance Assessment, along with many other cybersecurity and compliance services, can be delivered as part of Kroll’s ultra-flexible Cyber Risk Retainer. In addition to prioritized access to Kroll’s elite digital forensics and incident response team ahead of and in the event of an incident, the Retainer can also be used for services like penetration testing, risk assessments and tabletop exercises to name just a few.

Why Kroll?

  • Ex-DORA and Financial Services Regulatory Experts

Our team consists of experts involved in the preparatory consultation work that led to DORA as well as former-FCA, SEC and AMF regulators with a deep understanding of relevant legislation and standards in your industry to provide real insight and value.

  • Experienced, Accredited Cybersecurity Professionals

700+ skilled and certified cybersecurity experts across the globe, experienced in not only helping clients comply with multiple regulations but staying resilient ahead of the changing landscape.

  • Solutions Across the DORA Maturity Lifecycle

Our solutions can address all aspects of DORA compliance and maturity; from assessing all possible gaps/weaknesses and advising on remediation with our consultancy expertise to implementing the right controls and providing remote- managed services.

  • Unrivalled Frontline Intelligence

With unrivalled exposure to thousands of incident response cases each year, we know what’s needed to stay resilient to cyber threats.

  • Fast Implementation, Built on Previous Engagements

We leverage our 50+ DORA-tailored policies and procedures templates to provide immediate value as we roll out your tailored program.

Talk to a Kroll Expert

Kroll is ready to help, 24x7. Use the links on this page to explore our services further or speak to a Kroll expert today via our 24x7 cyber hotlines or our contact page. 

Cyber and Data Resilience

Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.

Compliance and Regulation

End-to-end governance, advisory and monitorship solutions to detect, mitigate and remediate security, legal, compliance and regulatory risk.

Financial Services Compliance and Regulation

End-to-end governance, advisory and monitorship solutions to detect, mitigate, drive efficiencies and remediate operational, legal, compliance and regulatory risk.


Cyber Governance and Strategy

Manage cyber risk and information security governance issues with Kroll’s defensible cyber security strategy framework.

Threat Exposure and Validation

Proactively identify your highest-risk exposures and address key gaps in your security posture. As the No. 1 Incident Response provider, Kroll leverages frontline intelligence from 3000+ IR cases a year with adversary intel from deep and dark web sources to discover unknown exposures and validate defenses.

Incident Response and Litigation Support

Kroll’s elite security leaders deliver rapid responses for over 3,000 incidents per year and have the resources and expertise to support the entire incident lifecycle, including litigation demands. Gain peace of mind in a crisis.


Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.