DORA
Legal and business support for DORA implementation in your financial institution
what is DORA?
Comprehensive protection for the financial sector
DORA (Digital Operational Resilience Act) is a key European Union regulation aimed at strengthening the digital operational resilience of the financial sector. It introduces a comprehensive regulatory framework that ensures financial institutions can withstand, adapt to, and recover from cyberattacks and other technological disruptions.
A response to growing threats
DORA is a response to growing cyber threats and the increasing digitalisation of financial services. The regulation sets unified requirements for the security of networks and information systems, IT risk management, incident reporting, and digital resilience testing.
What does this mean for your institution?
As a financial institution, implementing DORA means you need to review and adjust your processes around cybersecurity, business continuity, and IT risk management. Our experience in compliance and financial-sector regulation lets us support you effectively throughout this process.
who does DORA apply to?
DORA has a broad scope and covers practically all entities in the European Union financial sector, including:
- Payment institutions (both MIP and KIP)
- Credit institutions (banks)
- Investment firms
- Crypto-asset service providers
- Electronic money institutions
- Insurance and reinsurance undertakings
- Administrators of critical benchmarks
- Trade and securitisation repositories
- Pension funds
- Credit rating agencies
- ICT service providers for the financial sector
Particular relevance for payment institutions
DORA is of key importance for payment institutions, which process enormous volumes of transactions and sensitive data every day. Payment institutions — both Small Payment Institutions (MIP) and National Payment Institutions (KIP) — face the challenge of adapting their systems and processes to the new requirements.
The regulation reflects the principle of proportionality, which means smaller entities such as MIPs can use simplified procedures; however, the core requirements on security and operational resilience remain mandatory for all market participants.
how we can help with DORA
Our end-to-end support for implementing and maintaining DORA compliance
Defining the scope of DORA and NIS2 application
We will verify the extent to which DORA applies to your organisation and determine whether you need full implementation or can use a simplified procedure. As part of the DORA rollout, we will also prepare you for NIS2 if you fall within the scope of that directive.
Identifying processes and assets
We will help you identify all processes and key assets related to information processing and your organisation's digital resilience. We will also focus on processes involving third-party providers (outsourcers).
Risk analysis
We will run a risk analysis covering your digital resilience and information processing, including personal data. This analysis will be a key component of your Risk Management System and Digital Resilience Strategy.
Selecting digital resilience solutions
We will help you choose the right digital resilience and information protection solutions to minimise related risks.
Implementing appropriate information management standards
We will support your company in developing and implementing appropriate information management standards, including internal communications. We prefer an ISO-based approach, tailored to the scale of your operations and the capabilities of your organisation.
Defining a clear division of responsibilities
We will help you align your organisational structure with DORA requirements, as well as the Corporate Governance Rules for Supervised Institutions and KNF expectations. In addition to DORA implementation support, we can provide your company with ongoing assistance from people responsible for coordinating supervisory obligations.
Creating backup management rules
Together we will determine which of the information you process must be backed up under DORA or other rules. We will develop appropriate rules for creating, storing, testing, and restoring backups. We can also supervise their enforcement.
Deploying redundant IT environments
We will help you identify processes that require redundant or backup IT environments. We will develop the relevant procedures and analyses, and at the same time support you in selecting external providers.
Developing and implementing Business Continuity Plans
We will develop Business Continuity Plans for you that cover not only ICT environments but the organisation's entire operations. Together we will choose the best solutions so your organisation is ready for any scenario.
Establishing digital resilience testing plans and procedures
We will prepare appropriate digital resilience testing procedures and plans for you, tailored to your company's size and capabilities and to the risks it faces. We can also support you in supervising the relevant tests.
Building incident response plans
We will build incident response plans for you, including for incidents classified as major. This way your organisation will know exactly how to act when an adverse event occurs.
Defining rules for cooperation with external providers
We will develop procedures for working with outsourcers and prepare standard contract clauses aligned with DORA and other requirements. We can also support you with the ongoing monitoring of third-party providers required by DORA.
Training the Board, employees, and contractors
We will prepare and deliver the required training on information security (including GDPR), digital resilience, and risk analysis. We will also run a dedicated Board training session as required by DORA. On top of that, we will develop a short e-learning course you can use to onboard new employees and contractors.
ITSec guidelines for DORA and NIS2
We're sharing practical guidelines for implementing digital resilience. The material will help you organise tasks across compliance, IT, security, and external providers.
- 1250+ guidelines covering the full cycle: governance, incidents, continuity, providers.
- 26 categories that can be mapped to NIS2/KSC and DORA obligations.
- A practical format for security, compliance, and board teams.
- Material designed for joint work with ICT providers across the supply chain.
our DORA experts
Meet our FinTech team, which has been effectively supporting financial institutions for years in implementing regulations and compliance requirements — including DORA — to ensure digital resilience and operational security.
Why trust our experts?
- Comprehensive understanding of DORA and the challenges it brings
- Extensive experience implementing similar regulations
- A practical approach to solving compliance challenges
- Solutions tailored to your organisation's needs
Tomasz Klecor
Managing Partner
FinTech navigator. Lawyer.
Paweł Geremek
Attorney-at-law
ISO 27001 Auditor