DORA (the EU Digital Operational Resilience Act) has applied since January 2025, and organisations that supply the EU’s financial services sector are under growing pressure to demonstrate compliance with its requirements.
For most, this isn’t about starting from scratch but about mapping what’s already in place, identifying where DORA goes further and then expanding on current practices.
After all, DORA builds on – not replaces – established frameworks, standards and other compliance regimes such as ISO 27001, NIS2 (the Network and Information Security Directive 2) and the GDPR (General Data Protection Regulation). It formalises ICT risk governance for the financial sector and its technology suppliers, introducing more prescriptive requirements for resilience testing, third-party oversight and incident reporting.
So, where does it align and where does it add something new?
ISO 27001: the foundation for ICT risk and incident management
ISO 27001 remains the backbone of information security management. It requires organisations to identify risks to information assets, apply proportionate controls and maintain a continual improvement process.
Much of DORA’s structure aligns directly with ISO 27001. Articles on risk management, incident response and governance echo familiar clauses from the Standard – particularly Clauses 6 (planning), 8 (operation), 9 (performance evaluation) and 10 (improvement).
Where DORA and ISO 27001 overlap
- Risk management
Both require systematic assessment of threats to confidentiality, integrity and availability.
- Incident response
DORA Article 17 mirrors ISO 27001 Clause 6.1.3 and Control A.5, calling for defined processes to detect, classify and respond to ICT incidents.
- Governance and accountability
Each expects a clear management structure for information security, supported by senior leadership oversight.
Where DORA goes further
- Operational resilience testing
ISO 27001 requires regular testing of controls but leaves method and frequency to the organisation. DORA mandates specific, risk-based testing programmes – including threat-led penetration testing for critical functions – to prove that systems can withstand disruption.
- Third-party ICT risk governance
ISO 27001 Control A.5.19 covers supplier relationships at a high level. DORA formalises this through detailed obligations on outsourcing, due diligence, monitoring and exit planning. Financial entities must maintain an up-to-date register of all ICT service providers and assess concentration risk across their supply chain.
- Sector-specific oversight
DORA applies only to financial entities and designated ICT providers, introducing direct regulatory scrutiny of both. ISO 27001 certification remains voluntary; DORA compliance does not.
For most ISO 27001-certified organisations, these additions can be integrated into the existing ISMS (information security management system). The key task is to map DORA’s Articles to existing policies and identify any gaps in testing and supplier management.
NIS2: shared ground, but different scope
The NIS2 Directive and DORA share a common goal: strengthening Europe’s digital resilience. Both require effective risk management, incident handling and continuity planning, but their scopes differ.
Where they overlap
- Cyber resilience and continuity
Both demand robust ICT security measures, business continuity and recovery planning.
- Incident handling
Article 23 of NIS2 aligns closely with DORA’s incident reporting obligations, including mandating prompt notification of significant incidents to national authorities.
- Governance
Each emphasises management-level accountability for cyber risk and resilience.
Where DORA goes deeper
- Sector-specific focus
NIS2 applies broadly across essential and important sectors – from energy to healthcare. DORA applies specifically to financial entities and the ICT service providers that support them.
- Detailed ICT risk classification
DORA prescribes a more structured approach to ICT risk identification and classification, designed to link incidents to potential impact on financial stability.
- Structured incident reporting
DORA introduces three-stage reporting (initial, intermediate and final), with harmonised content requirements across EU financial authorities.
For organisations subject to both regimes, DORA effectively acts as a sector-specific implementation of NIS2 principles. Aligning the two means standardising terminology, reporting flows and documentation – so that a single process can satisfy both obligations.
GDPR: complementary but distinct
The GDPR governs the protection of personal data. DORA governs the resilience of the ICT systems that hold and process that data. The two intersect when ICT incidents lead to data breaches – but their focus differs.
Where they overlap
- Incident response and reporting
Both require procedures to detect and report security incidents. Under Articles 33 and 34 of the GDPR, breaches involving personal data must be reported to supervisory authorities within 72 hours. Under DORA, all significant ICT-related incidents – whether or not they involve personal data – must be reported to financial regulators.
- Data protection by design
DORA’s expectation of robust ICT risk management complements the GDPR’s requirement for technical and organisational measures to protect data.
- Accountability
Both assign clear responsibility to senior management for compliance and oversight.
Where DORA goes further
- Wider scope
The GDPR focuses on personal data. DORA covers any ICT risk that could threaten the continuity, availability or reliability of financial services.
- Service continuity
The GDPR requires personal data to be secured. DORA extends that to the systems and operations that depend on it, requiring measures to maintain functionality during disruption.
- Testing and resilience evidence
DORA mandates operational resilience testing. The GDPR leaves security testing methods to data controllers’ discretion.
In practice, the two are complementary: the GDPR ensures the lawful and secure processing of personal data and DORA ensures the systems processing that data remain functional, secure and recoverable.
At-a-glance comparisons
| Framework | Overlap with DORA | Where DORA adds more |
|---|---|---|
| ISO 27001 | ISMS controls, incident response, continual improvement | Operational resilience testing, third-party ICT risk governance |
| NIS2 | Cyber resilience, business continuity planning, incident handling | Detailed ICT risk classification, sector-specific obligations |
| GDPR | Breach notification, data protection measures, accountability | Focus on ICT resilience, not just personal data |
Why it matters
Financial entities and their ICT suppliers are already being asked by regulators, auditors and clients to show how they’re aligning their practices with DORA and other regulatory requirements.
In practical terms, the risk for most organisations isn’t non-compliance but inefficiency – duplicating effort across DORA, ISO 27001, NIS2 and GDPR compliance rather than taking an integrated approach that saves time, reduces confusion and demonstrates maturity to supervisors.
Key reasons to act now:
- Regulatory readiness
Supervisory authorities expect evidence of preparation, not last-minute implementation.
- Contractual pressure
Financial institutions are beginning to require their suppliers to demonstrate DORA alignment as part of due diligence.
- Audit efficiency
Mapping frameworks creates a single control library that satisfies multiple obligations – cutting audit time and resource drain.
- Strategic value
Integrated resilience strengthens trust with clients, regulators and partners, showing that compliance is embedded rather than bolted on.
Building this mapping early also helps organisations plan budgets, assign responsibilities and avoid the scramble that typically follows new regulatory deadlines.
Next steps
DORA doesn’t exist in isolation. It builds on principles you may already follow under ISO 27001, NIS2 or the GDPR. The challenge is understanding where it extends those principles and how to demonstrate compliance.
Our Certified DORA Foundation Training Course explains exactly how to map DORA’s Articles and regulatory expectations to your existing controls. It covers:
- The five pillars of DORA: ICT risk management, incident reporting, resilience testing, third-party risk and information sharing.
- How to integrate DORA with your ISMS or existing risk framework.
- Practical templates and examples to document your approach.
The course is accredited by IBITGQ, an ISO 17024-certified body, and available in both self-paced and live online formats. Learners gain the C-DORA F qualification on passing the included exam.
And for those managing both ISO 27001 and DORA, our ISO 27001:2022 and DORA Integrated Toolkit provides the documentation you need to demonstrate control alignment, risk mapping and incident management procedures – saving weeks of internal effort.