DORA Compliance

DORA compliance programs for B2B SaaS and ICT third-party service providers selling to EU financial entities.

Comprehensive DORA Compliance Consulting & End-to-End Resilience Program Build

Regulation (EU) 2022/2554, the Digital Operational Resilience Act (DORA), entered into application on 17 January 2025. It establishes a unified ICT risk framework across the European financial sector and explicitly extends to the ICT third-party service providers (TPSPs) that financial entities depend on. For B2B SaaS providers selling to banks, insurance firms, asset managers, payment institutions, or crypto-asset service providers, DORA flows down through Article 28 contractual obligations covering ICT risk management, incident reporting, sub-contracting, exit strategies, and audit rights. Where a TPSP supports a function classified as critical or important, the obligations escalate substantially, including potential designation as a Critical ICT Third-Party Service Provider (CTPP) under the ESAs' Lead Overseer regime.

Security Consultants designs DORA programs for ICT TPSPs that need to keep selling into and renewing contracts with EU financial entities. We map your customer base against DORA scope, audit your contracts for Article 28 readiness, build the ICT risk management framework (Articles 5 through 15), operationalize the incident management workflow including the 24-hour, 72-hour, and 30-day reporting clocks, prepare you for Threat-Led Penetration Testing (TLPT) under Article 26 where in scope, and assemble a customer due diligence response package that holds up under enterprise procurement review. Our vCISO subscription operates Article 28 renewal cycles, incident response, and customer questionnaire response on an ongoing basis. Where DORA aligns with your existing ISO 27001 ISMS, we extend the ISMS rather than rebuild it.

EU-Based DORA Regulatory Fluency

Security Consultants OU is registered and operating in the EU. We track DORA Regulatory Technical Standards (RTS), Implementing Technical Standards (ITS), and ESA guidance directly from the European Banking Authority, EIOPA, and ESMA, including the 2024 and 2025 final RTS on ICT risk management, incident reporting, sub-contracting, and the CTPP designation framework.

Built for the Supply Chain, Not the Bank

Our DORA focus is the ICT third-party service provider side, not the financial entity side. We build and operate DORA programs for SaaS companies selling to retail banks, asset managers, payment institutions, and crypto-asset providers. We know which DORA clauses customers will negotiate, what evidence they will ask for at renewal, and what fails on first review.

Article 28 Contract and Audit Right Readiness

Article 28 contractual provisions are where DORA enters your day-to-day. We audit your customer contract template for the mandatory provisions on ICT risk management, sub-contracting, incident notification, audit rights, data location, and exit strategies. We draft the standard responses to financial-entity due diligence and the supplementary terms enterprise customers will negotiate.

Integration with ISO 27001 and SOC 2

DORA aligns substantially with ISO 27001 Annex A and SOC 2 Trust Services Criteria. Where you already operate an ISMS or SOC 2 program, we extend it with DORA-specific additions (ICT risk register, incident classification thresholds, TLPT readiness, exit strategy testing) rather than running a parallel framework. One control library, three frameworks of evidence.

A proven, methodical approach

[ STEP_01 ]
Project Kick-Off & Scope Determination

We start with a project kick-off where the project manager sets up your engagement in our project management platform. We confirm your TPSP role (essential vs supporting, critical or important function vs not), map your financial-entity customer base, define milestones, name a senior accountable owner, and agree the communication plan.

[ STEP_02 ]
Article 28 Contract & Customer Base Gap Analysis

We audit your existing customer contracts against the Article 28 mandatory provisions including ICT risk management, sub-contracting authorization, incident reporting clocks, audit rights, data location, and exit strategy. We catalogue each customer's expected DORA position (financial entity in-scope, CTPP-tier expectations) and identify the contractual gaps that will block renewal.

[ STEP_03 ]
ICT Risk Management Framework (Articles 5 to 15)

We build your ICT risk management framework against Articles 5 to 15: governance, ICT asset and configuration management, protection and prevention, ICT incident detection, response and recovery, learning and evolving, and ICT business continuity. Where you hold an ISO 27001 ISMS, we extend it; where you do not, we lay the ISMS foundations first.

[ STEP_04 ]
Incident Management, Reporting & TLPT Readiness

We operationalize the DORA incident management workflow under Articles 17 to 23: classification thresholds, initial notification within 24 hours of classification, intermediate report at 72 hours, and final report at one month. For TPSPs supporting critical or important functions, we prepare you for Threat-Led Penetration Testing under Article 26 and coordinate with TIBER-aligned testers.

[ STEP_05 ]
Customer Due Diligence Response & Article 30 Provisions

We assemble the due diligence response package: DORA self-assessment, control evidence index, sub-contracting register, exit strategy documentation, business impact analysis, and incident response playbook. We pre-draft responses to the Article 30 contractual provisions financial entities require so customer renewals and onboarding accelerate.

[ STEP_06 ]
Ongoing vCISO & Article 28 Renewal Cycle

Our vCISO subscription operates the program: customer questionnaire response cadence, Article 28 contract renewal review, sub-processor change notifications under Article 30(3), incident response readiness, and annual TLPT and resilience testing. Where you also run ISO 27001 or SOC 2, the audit cycles are integrated under a single management review.

"Working with Attila has been an outstanding experience from start to finish. As a professional CISO, Security, and Compliance consultant, Attila's down-to-earth, no-nonsense, and well-organized approach was instrumental in guiding us through the process of getting ISO 27001 certified. His expertise in the field is undeniable, and his ability to navigate the complexities of certification with such ease made all the difference."

Wim Vandevelde
Owner, Quidando

"Attila delivered outstanding work, guiding us through the entire process of achieving our ISO 27001 certification for two companies. His expertise, attention to detail, and commitment were evident at every step. He provided clear, actionable advice, ensuring we met all requirements with confidence. Highly recommended for anyone seeking top-notch support in cybersecurity and compliance. 10/10!"

Christian Buerger
Founder & CEO, Auditi

"Attila is a true Information Security expert and we've worked with him to achieve ISO27001 certification. Highly recommended."

Chris Purcell
Managing Director, CareScribe

"Working with Attila has been an exceptional experience! They provided invaluable assistance in preparing our company for ISO 27001 security certification, guiding us through every step of the process with professionalism and expertise. Their knowledge of the certification requirements, combined with their ability to tailor solutions to our unique needs, was instrumental in ensuring our readiness. The team was thorough, efficient, and highly responsive, consistently delivering high-quality work and actionable insights. Thanks to their support, we feel confident in our security posture and are well-prepared for the certification audit."

Vadim Cissa
CEO, Allasso

"Attila and his team were everything that we were looking for in this specific task and more. We were completely new to the ISO accreditation & auditing process and he helped us understand the procedure even before he officially entered a contract of employment with us.

We first discussed a plan of how long it would take to complete the accreditation, and both were done within the agreed timeframe and boundaries. As a result, we achieved the ultimate goal of obtaining the prestigious ISO 27001:2022 certification.

Attila had great patience when it came to answering all of our questions, and he was very professional from the start till the end. We will keep him in mind if we need an ISO accreditation and auditing consultation again, and we sincerely recommend him to anyone who seeks ISO accreditation."

Jonas Nielsen
CEO & Co-founder, Accrease