    Financial Services Security

    Banks, insurers, and financial institutions operate under strict regulations including DORA and PCI-DSS, and are a prime target for sophisticated fraud and supply chain attacks. Security and compliance for the financial sector, aligned with what regulators expect today.

    Compliance Frameworks
    DORA (Digital Operational Resilience Act)
    PCI-DSS
    NIS2 Directive
    DNB guidelines
    EBA/ESMA requirements

    Financial Sector Challenges

    DORA compliance requirements (in force from 17 January 2025)
    PCI-DSS for payment processing
    Sophisticated financial fraud threats
    Third-party and supply chain risks
    Real-time transaction security
    Regulatory reporting requirements

    DORA: in force since January 2025

    DORA has applied to all financial entities operating in the EU since 17 January 2025. It is current law, not a future obligation. The four pillars below map directly to Sectricity services.

    ICT risk management (Articles 5-16)

    DORA Articles 5 to 16 require financial entities to implement a comprehensive ICT risk management framework with documented policies, regular security testing, and vulnerability management. Our penetration testing directly validates whether your ICT risk controls work in practice.

    ICT incident reporting (Articles 17-23)

    DORA Articles 17 to 23 require classification and reporting of significant ICT-related incidents to competent authorities within defined timeframes. A tested environment with proper monitoring significantly reduces both the likelihood and the detection time of significant incidents.

    Digital resilience testing (Articles 24-27)

    DORA Article 24 requires regular ICT security testing for all in-scope financial entities. Article 26 requires Threat-Led Penetration Testing (TLPT) at least every three years for significant institutions. We deliver DORA-aligned test reports that satisfy these obligations.

    Third-party ICT risk (Articles 28-44)

    DORA Articles 28 to 44 require financial entities to maintain documented oversight of all critical ICT third-party providers. We assess the security posture of your critical vendors and test the integration points between their systems and yours.

    Financial Security Services

    Financial Pentesting

    Security testing for banking applications, trading platforms, and payment systems. We test authentication, authorization, transaction logic, and API security under conditions that reflect real adversary behavior.

    Red Team Operations

    Adversary simulation that tests your fraud detection and security operations. Red Team exercises test whether your controls detect and stop a realistic attack across the full kill chain.

    DORA Compliance Testing

    Digital operational resilience assessment and compliance testing aligned with DORA requirements. Delivers a structured evidence package for your regulator and internal audit function.

    Third-Party Risk Assessment

    ICT third-party risk assessment and vendor security evaluation. We assess the attack surface and security posture of your critical ICT providers under DORA Article 28 requirements.

    Secure your financial operations

    Get a security assessment aligned with DORA and financial sector requirements.