1. Readiness & Gap Assessment for DORA Alignment<\/h3> \n- Governance review:<\/strong>\u00a0assessment of ICT governance, risk registers, and incident handling<\/li>\n
- Continuity and outsourcing checks:<\/strong> assessment of recovery plans and outsourcing agreements<\/li>\n
- Remediation roadmap:<\/strong> prioritised findings with ownership, milestones, and proportionality<\/li>\n
- Management baseline:<\/strong> overview suitable for supervisory discussions<\/li>\n<\/ul>\n<\/div><\/article>[\/vc_column][vc_column width=”1\/3″ rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”true” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_color=”” rt_bg_overlay_color=””]
2. Implementation of Policies, Controls & Governance<\/h3> \n- Policy and register drafting:<\/strong>\u00a0full DORA documentation set tailored to your operations<\/li>\n
- Governance alignment:<\/strong>\u00a0clear roles, escalation chains, and accountability frameworks<\/li>\n
- Playbooks and controls:<\/strong> incident, continuity, and oversight procedures integrated into practice<\/li>\n
- Contractual addenda:<\/strong> ICT provider clauses covering audit rights, duties, and exit strategies<\/li>\n<\/ul>\n<\/div><\/article>[\/vc_column][vc_column width=”1\/3″ rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”]
3. Testing, Training & Ongoing Compliance<\/h3> \n- Resilience testing:<\/strong>\u00a0structured scenarios and TLPT scope (where applicable)<\/li>\n
- Remediation tracking:<\/strong>\u00a0evidence logs to confirm closure of identified gaps<\/li>\n
- Staff and management training<\/strong>: sessions with attendance records maintained<\/li>\n
- Ongoing monitoring:<\/strong>\u00a0review cycles and metrics to ensure continuous compliance<\/li>\n<\/ul>\n<\/div><\/article>[\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_bg_image=”36245″][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”]\n\t\t\t\t\t\t
<\/span>What it Takes to Achieve DORA Compliance<\/h2>\n\t\t\t\t\t<\/div>[\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”bottom” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_padding_bottom=”7″][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”]\n\t\t\t\t\t\tKey Services for DORA Compliance and ICT Risk Management<\/h2>\n\t\t\t\t\t<\/div>[vc_column_text css=”.vc_custom_1759206473180{margin-bottom: 15px !important;}”]<\/p>\n
We can support at all stages of the DORA compliance journey while taking care of all cybersecurity measures and policies required.<\/strong> We provide companies with tools and documentation that withstand regulatory scrutiny while remaining workable in daily operations. Each area is supported by evidence, registers, and reporting mechanisms, ensuring compliance is demonstrable and sustainable.<\/p>\n[\/vc_column_text][vc_tta_tour][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”ICT Risk Frameworks & Governance” tab_id=”1759043207742-f7178f9a-9271″][vc_column_text]A core requirement of DORA is the establishment of a structured ICT risk management framework that demonstrates both accountability and proportionality. Regulators expect companies to maintain verifiable processes that show risks are identified, assessed, and governed in line with compliance obligations.<\/p>\n
We support with designing and documenting ICT risk frameworks that meet these expectations while remaining practical for daily operations. This includes the preparation of risk registers that categorise ICT threats, control mappings that connect risks to mitigation measures, and escalation procedures that ensure incidents are reported and addressed in a timely manner. Governance structures are aligned so ICT risks are integrated into overall management oversight and board reporting.<\/p>\n
The outcome is not only a documented risk framework but a defensible system that can be presented to regulators during inspections or supervisory dialogue. Our approach ensures companies can demonstrate that ICT risks are actively monitored, proportionately mitigated, and continuously reviewed, fulfilling the key obligations of DORA compliance in a regulator-ready manner.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Incident Management & Continuity Planning” tab_id=”1759043207767-08936f7f-e250″][vc_column_text]Under DORA, companies must show they can detect, escalate, and recover from ICT-related disruptions within defined timeframes. Regulators expect clear escalation paths, crisis communication procedures, and documented recovery objectives. Two key metrics are the Recovery Time Objective (RTO), the maximum time a service may be unavailable, and the Recovery Point Objective (RPO), the maximum tolerable data loss measured in time.<\/p>\n
We design incident playbooks, escalation workflows, and Business Continuity and Disaster Recovery (BCP\/DR) arrangements that address both internal processes and third-party dependencies. Our work includes conducting business impact assessments, setting measurable recovery objectives, and organising test exercises that validate plans in practice.<\/p>\n
The outcome is a tested and regulator-ready framework that ensures disruptions can be managed effectively, recovery targets are realistic and evidenced, and continuity measures are integrated into daily operations in line with DORA compliance requirements.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Third-Party Oversight & Testing” tab_id=”1759043335715-a519a521-5966″][vc_column_text]DORA places strong emphasis on risks arising from ICT service providers and outsourcing arrangements.<\/p>\n
Regulators expect companies to maintain registers of critical providers, perform due diligence and ongoing assessments, and ensure contracts include enforceable provisions such as audit rights, resilience obligations, and exit strategies. These requirements aim to reduce dependency risks and ensure operational continuity even if a provider fails.<\/p>\n
We establish oversight frameworks that classify vendors by risk level, assess their resilience, and document clear exit plans. Where required, we coordinate resilience testing, including Threat-Led Penetration Testing (TLPT) for entities in scope, and prepare verifiable evidence for regulators.<\/p>\n
The outcome is a structured and defensible system of third-party oversight. Companies gain visibility into their ICT supply chain, maintain regulator-ready documentation, and demonstrate that outsourcing risks are actively managed in line with DORA compliance requirements.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Policy & Documentation Development” tab_id=”1759043354437-661455dc-42d6″][vc_column_text]An effective DORA compliance framework depends on a maintained and consistent set of policies, procedures, and evidence logs. Regulators require companies not only to adopt written rules but to demonstrate that they are actively implemented, regularly reviewed, and tailored to the business model. Policies must cover ICT risk management, incident response, third-party oversight, and testing obligations, all mapped directly to the regulation.<\/p>\n
We prepare and adapt full documentation sets, including policies, registers, playbooks, and logs, ensuring they are aligned with both regulatory obligations and operational practices. Each document is drafted in a regulator-ready format, clearly referencing the relevant articles of DORA and integrated into the company\u2019s governance structure.<\/p>\n
The result is a coherent compliance library that can withstand supervisory review, reduce ambiguity during audits, and provide management with clear guidance. Companies benefit from a system that is not theoretical but embedded into daily operations, with documentation that both supports staff and satisfies regulatory scrutiny.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Incident Reporting & Registers” tab_id=”1759043374477-049ed727-4806″][vc_column_text]Timely incident reporting is a cornerstone of DORA compliance. Regulators require companies to detect ICT-related incidents, escalate them internally, notify authorities when thresholds are met, and maintain verifiable records of incidents and remediation. Failure to demonstrate structured reporting can lead to supervisory findings and sanctions.<\/p>\n
We assist companies in implementing reporting procedures aligned with DORA\u2019s incident classification and notification standards. This includes designing escalation protocols, maintaining incident registers, and preparing external notification templates for regulatory submissions. We also ensure companies have logs of remediation actions and testing results, which provide evidence of continuous improvement.<\/p>\n
The outcome is a compliant incident reporting system that demonstrates accountability and preparedness. Companies can show regulators that incidents are recorded, assessed, and reported in line with legal obligations, while also using the process to strengthen internal resilience.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Staff & Management Training” tab_id=”1759043411704-5e6720b0-4393″][vc_column_text]DORA requires companies to ensure that staff, management, and boards understand their roles in maintaining ICT risk management and operational stability. Regulators expect evidence of structured training programmes, attendance logs, and awareness initiatives that embed digital resilience into daily operations and decision-making.<\/p>\n
We provide targeted training sessions for senior management, compliance teams, and operational staff. Content covers ICT risk awareness, incident response protocols, third-party oversight duties, and regulatory reporting expectations. Programmes are customised to the company\u2019s business model, ensuring relevance and engagement. Attendance is tracked, and participants receive updated materials as regulations evolve.<\/p>\n
The result is a workforce that is informed, accountable, and capable of responding to ICT disruptions in line with regulatory expectations. By documenting training sessions and outcomes, companies can demonstrate to regulators that operational resilience is not limited to policies, but is actively supported and maintained across the organisation.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Ongoing Monitoring & Advisory” tab_id=”1759043393151-b3b9f04a-8b8e”][vc_column_text]DORA is not a one-time exercise but a continuous compliance obligation. Regulators expect companies to demonstrate that ICT risk frameworks, continuity arrangements, and third-party oversight remain up to date as systems, providers, and threats evolve. Regular reviews and monitoring cycles are therefore a critical part of maintaining compliance and avoiding supervisory findings.<\/p>\n
We support companies by establishing monitoring routines and review schedules that fit their operational model. This includes scheduled policy reviews, periodic testing of continuity and recovery procedures, supplier re-assessments, and updates to risk registers. Evidence logs are maintained so that every review and remediation step can be demonstrated to regulators upon request.<\/p>\n
The outcome is a living compliance framework that evolves with the company and the threat landscape. By embedding monitoring and reviews into governance, organisations can show regulators that they are not only compliant at a single point in time but consistently sustaining digital operational resilience in line with DORA obligations.[\/vc_column_text][\/vc_tta_section][\/vc_tta_tour][\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_bg_image=”36245″][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”]
\n\t\t\t\t\t\t<\/span>Frequently Asked Questions<\/h2>\n\t\t\t\t\t<\/div>[\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_margin_top=”0″][vc_column width=”1\/2″ rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”true” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_color=”” rt_bg_overlay_color=””][vc_toggle title=”Which types of companies face the strictest obligations under the Digital Operational Resilience Act (DORA)?”]While DORA applies to all financial entities in scope, larger institutions and those providing critical services, such as major EMIs, PIs, and CASPs, will face heightened regulatory scrutiny. These companies may be designated for advanced requirements such as Threat-Led Penetration Testing (TLPT) and more frequent reporting.[\/vc_toggle][vc_toggle title=”What are the core obligations and requirements introduced by DORA?”]DORA sets mandatory rules for ICT risk management, incident detection and reporting, business continuity and disaster recovery (BCP\/DR), third-party oversight, resilience testing, and training. All obligations must be documented, tested, and demonstrable to regulators.[\/vc_toggle][vc_toggle title=”Under what conditions is Threat-Led Penetration Testing (TLPT) required?”]TLPT is required for entities considered critical based on size, systemic importance, and risk exposure. Supervisory authorities will identify which companies must undergo TLPT and specify the testing frequency.[\/vc_toggle][vc_toggle title=”How does the DORA incident classification and reporting process work in practice?”]Companies must classify ICT-related incidents by severity, notify regulators within strict timeframes, and provide follow-up reports. Each report must show the timeline, mitigation measures, and corrective actions taken, supported by evidence.[\/vc_toggle][\/vc_column][vc_column width=”1\/2″ rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”][vc_toggle title=”How does DORA interact with existing EU regulations such as GDPR and NIS2?”]DORA complements rather than replaces GDPR and NIS2. For example, a cyber incident may trigger reporting obligations under both GDPR (personal data breaches) and DORA (ICT operational disruption). Companies must align policies to avoid duplication and ensure consistency across frameworks.[\/vc_toggle][vc_toggle title=”What does DORA expect from companies when outsourcing ICT functions or using third-party providers?”]Companies must maintain vendor registers, conduct risk assessments, and ensure contracts contain audit rights, resilience clauses, and exit strategies. Continuous monitoring of ICT providers is expected, not just one-time due diligence.[\/vc_toggle][vc_toggle title=”What documentation and evidence will regulators typically request during inspections?”]Regulators will ask for ICT risk registers, incident logs, continuity and recovery test results, third-party oversight records, staff training logs, and management reporting packs. Evidence must show not only that policies exist, but that they are tested and effective in practice.[\/vc_toggle][vc_toggle title=”How long does DORA compliance implementation usually take, and what factors influence the timeline?”]Implementation typically takes several months, depending on the company\u2019s size, risk profile, and existing ICT maturity. Factors such as legacy systems, reliance on multiple third-party providers, and the need for advanced testing (like TLPT) can extend the timeline.[\/vc_toggle][\/vc_column][\/vc_row][vc_row disable_element=”yes” rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted”][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”][vc_column_text]<\/p>\n[\/vc_column_text][\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” id=”#contact” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_bg_image=”36245″][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”]
\n\t\t\t\t\t\t<\/span>Questions? Book an Introductory call with our Compliance Team!<\/h2>\n\t\t\t\t\t<\/div>[\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_margin_top=”0″][vc_column width=”2\/3″ rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”true” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_color=”” rt_bg_overlay_color=””]\n\t\t\t\t\t\tBook a meeting for DORA Compliance<\/h2>\n\t\t\t\t\t<\/div>[vc_column_text css=”.vc_custom_1702842033251{margin-bottom: 15px !important;}”]<\/p>\n
We provide a step-by-step plan and documentation checklist after a short discovery call. Our methodology follows a mapped control framework to ensure full coverage of DORA obligations and evidence requirements.<\/strong> Please contact our compliance team through the contact form below and we will revert shortly.<\/p>\n[\/vc_column_text]\n
\n<\/p>
<\/ul><\/div>\n
2. Implementation of Policies, Controls & Governance<\/h3> \n- Policy and register drafting:<\/strong>\u00a0full DORA documentation set tailored to your operations<\/li>\n
- Governance alignment:<\/strong>\u00a0clear roles, escalation chains, and accountability frameworks<\/li>\n
- Playbooks and controls:<\/strong> incident, continuity, and oversight procedures integrated into practice<\/li>\n
- Contractual addenda:<\/strong> ICT provider clauses covering audit rights, duties, and exit strategies<\/li>\n<\/ul>\n<\/div><\/article>[\/vc_column][vc_column width=”1\/3″ rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”]
3. Testing, Training & Ongoing Compliance<\/h3> \n- Resilience testing:<\/strong>\u00a0structured scenarios and TLPT scope (where applicable)<\/li>\n
- Remediation tracking:<\/strong>\u00a0evidence logs to confirm closure of identified gaps<\/li>\n
- Staff and management training<\/strong>: sessions with attendance records maintained<\/li>\n
- Ongoing monitoring:<\/strong>\u00a0review cycles and metrics to ensure continuous compliance<\/li>\n<\/ul>\n<\/div><\/article>[\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_bg_image=”36245″][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”]\n\t\t\t\t\t\t
<\/span>What it Takes to Achieve DORA Compliance<\/h2>\n\t\t\t\t\t<\/div>[\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”bottom” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_padding_bottom=”7″][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”]\n\t\t\t\t\t\tKey Services for DORA Compliance and ICT Risk Management<\/h2>\n\t\t\t\t\t<\/div>[vc_column_text css=”.vc_custom_1759206473180{margin-bottom: 15px !important;}”]<\/p>\n
We can support at all stages of the DORA compliance journey while taking care of all cybersecurity measures and policies required.<\/strong> We provide companies with tools and documentation that withstand regulatory scrutiny while remaining workable in daily operations. Each area is supported by evidence, registers, and reporting mechanisms, ensuring compliance is demonstrable and sustainable.<\/p>\n[\/vc_column_text][vc_tta_tour][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”ICT Risk Frameworks & Governance” tab_id=”1759043207742-f7178f9a-9271″][vc_column_text]A core requirement of DORA is the establishment of a structured ICT risk management framework that demonstrates both accountability and proportionality. Regulators expect companies to maintain verifiable processes that show risks are identified, assessed, and governed in line with compliance obligations.<\/p>\n
We support with designing and documenting ICT risk frameworks that meet these expectations while remaining practical for daily operations. This includes the preparation of risk registers that categorise ICT threats, control mappings that connect risks to mitigation measures, and escalation procedures that ensure incidents are reported and addressed in a timely manner. Governance structures are aligned so ICT risks are integrated into overall management oversight and board reporting.<\/p>\n
The outcome is not only a documented risk framework but a defensible system that can be presented to regulators during inspections or supervisory dialogue. Our approach ensures companies can demonstrate that ICT risks are actively monitored, proportionately mitigated, and continuously reviewed, fulfilling the key obligations of DORA compliance in a regulator-ready manner.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Incident Management & Continuity Planning” tab_id=”1759043207767-08936f7f-e250″][vc_column_text]Under DORA, companies must show they can detect, escalate, and recover from ICT-related disruptions within defined timeframes. Regulators expect clear escalation paths, crisis communication procedures, and documented recovery objectives. Two key metrics are the Recovery Time Objective (RTO), the maximum time a service may be unavailable, and the Recovery Point Objective (RPO), the maximum tolerable data loss measured in time.<\/p>\n
We design incident playbooks, escalation workflows, and Business Continuity and Disaster Recovery (BCP\/DR) arrangements that address both internal processes and third-party dependencies. Our work includes conducting business impact assessments, setting measurable recovery objectives, and organising test exercises that validate plans in practice.<\/p>\n
The outcome is a tested and regulator-ready framework that ensures disruptions can be managed effectively, recovery targets are realistic and evidenced, and continuity measures are integrated into daily operations in line with DORA compliance requirements.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Third-Party Oversight & Testing” tab_id=”1759043335715-a519a521-5966″][vc_column_text]DORA places strong emphasis on risks arising from ICT service providers and outsourcing arrangements.<\/p>\n
Regulators expect companies to maintain registers of critical providers, perform due diligence and ongoing assessments, and ensure contracts include enforceable provisions such as audit rights, resilience obligations, and exit strategies. These requirements aim to reduce dependency risks and ensure operational continuity even if a provider fails.<\/p>\n
We establish oversight frameworks that classify vendors by risk level, assess their resilience, and document clear exit plans. Where required, we coordinate resilience testing, including Threat-Led Penetration Testing (TLPT) for entities in scope, and prepare verifiable evidence for regulators.<\/p>\n
The outcome is a structured and defensible system of third-party oversight. Companies gain visibility into their ICT supply chain, maintain regulator-ready documentation, and demonstrate that outsourcing risks are actively managed in line with DORA compliance requirements.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Policy & Documentation Development” tab_id=”1759043354437-661455dc-42d6″][vc_column_text]An effective DORA compliance framework depends on a maintained and consistent set of policies, procedures, and evidence logs. Regulators require companies not only to adopt written rules but to demonstrate that they are actively implemented, regularly reviewed, and tailored to the business model. Policies must cover ICT risk management, incident response, third-party oversight, and testing obligations, all mapped directly to the regulation.<\/p>\n
We prepare and adapt full documentation sets, including policies, registers, playbooks, and logs, ensuring they are aligned with both regulatory obligations and operational practices. Each document is drafted in a regulator-ready format, clearly referencing the relevant articles of DORA and integrated into the company\u2019s governance structure.<\/p>\n
The result is a coherent compliance library that can withstand supervisory review, reduce ambiguity during audits, and provide management with clear guidance. Companies benefit from a system that is not theoretical but embedded into daily operations, with documentation that both supports staff and satisfies regulatory scrutiny.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Incident Reporting & Registers” tab_id=”1759043374477-049ed727-4806″][vc_column_text]Timely incident reporting is a cornerstone of DORA compliance. Regulators require companies to detect ICT-related incidents, escalate them internally, notify authorities when thresholds are met, and maintain verifiable records of incidents and remediation. Failure to demonstrate structured reporting can lead to supervisory findings and sanctions.<\/p>\n
We assist companies in implementing reporting procedures aligned with DORA\u2019s incident classification and notification standards. This includes designing escalation protocols, maintaining incident registers, and preparing external notification templates for regulatory submissions. We also ensure companies have logs of remediation actions and testing results, which provide evidence of continuous improvement.<\/p>\n
The outcome is a compliant incident reporting system that demonstrates accountability and preparedness. Companies can show regulators that incidents are recorded, assessed, and reported in line with legal obligations, while also using the process to strengthen internal resilience.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Staff & Management Training” tab_id=”1759043411704-5e6720b0-4393″][vc_column_text]DORA requires companies to ensure that staff, management, and boards understand their roles in maintaining ICT risk management and operational stability. Regulators expect evidence of structured training programmes, attendance logs, and awareness initiatives that embed digital resilience into daily operations and decision-making.<\/p>\n
We provide targeted training sessions for senior management, compliance teams, and operational staff. Content covers ICT risk awareness, incident response protocols, third-party oversight duties, and regulatory reporting expectations. Programmes are customised to the company\u2019s business model, ensuring relevance and engagement. Attendance is tracked, and participants receive updated materials as regulations evolve.<\/p>\n
The result is a workforce that is informed, accountable, and capable of responding to ICT disruptions in line with regulatory expectations. By documenting training sessions and outcomes, companies can demonstrate to regulators that operational resilience is not limited to policies, but is actively supported and maintained across the organisation.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Ongoing Monitoring & Advisory” tab_id=”1759043393151-b3b9f04a-8b8e”][vc_column_text]DORA is not a one-time exercise but a continuous compliance obligation. Regulators expect companies to demonstrate that ICT risk frameworks, continuity arrangements, and third-party oversight remain up to date as systems, providers, and threats evolve. Regular reviews and monitoring cycles are therefore a critical part of maintaining compliance and avoiding supervisory findings.<\/p>\n
We support companies by establishing monitoring routines and review schedules that fit their operational model. This includes scheduled policy reviews, periodic testing of continuity and recovery procedures, supplier re-assessments, and updates to risk registers. Evidence logs are maintained so that every review and remediation step can be demonstrated to regulators upon request.<\/p>\n
The outcome is a living compliance framework that evolves with the company and the threat landscape. By embedding monitoring and reviews into governance, organisations can show regulators that they are not only compliant at a single point in time but consistently sustaining digital operational resilience in line with DORA obligations.[\/vc_column_text][\/vc_tta_section][\/vc_tta_tour][\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_bg_image=”36245″][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”]
\n\t\t\t\t\t\t<\/span>Frequently Asked Questions<\/h2>\n\t\t\t\t\t<\/div>[\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_margin_top=”0″][vc_column width=”1\/2″ rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”true” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_color=”” rt_bg_overlay_color=””][vc_toggle title=”Which types of companies face the strictest obligations under the Digital Operational Resilience Act (DORA)?”]While DORA applies to all financial entities in scope, larger institutions and those providing critical services, such as major EMIs, PIs, and CASPs, will face heightened regulatory scrutiny. These companies may be designated for advanced requirements such as Threat-Led Penetration Testing (TLPT) and more frequent reporting.[\/vc_toggle][vc_toggle title=”What are the core obligations and requirements introduced by DORA?”]DORA sets mandatory rules for ICT risk management, incident detection and reporting, business continuity and disaster recovery (BCP\/DR), third-party oversight, resilience testing, and training. All obligations must be documented, tested, and demonstrable to regulators.[\/vc_toggle][vc_toggle title=”Under what conditions is Threat-Led Penetration Testing (TLPT) required?”]TLPT is required for entities considered critical based on size, systemic importance, and risk exposure. Supervisory authorities will identify which companies must undergo TLPT and specify the testing frequency.[\/vc_toggle][vc_toggle title=”How does the DORA incident classification and reporting process work in practice?”]Companies must classify ICT-related incidents by severity, notify regulators within strict timeframes, and provide follow-up reports. Each report must show the timeline, mitigation measures, and corrective actions taken, supported by evidence.[\/vc_toggle][\/vc_column][vc_column width=”1\/2″ rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”][vc_toggle title=”How does DORA interact with existing EU regulations such as GDPR and NIS2?”]DORA complements rather than replaces GDPR and NIS2. For example, a cyber incident may trigger reporting obligations under both GDPR (personal data breaches) and DORA (ICT operational disruption). Companies must align policies to avoid duplication and ensure consistency across frameworks.[\/vc_toggle][vc_toggle title=”What does DORA expect from companies when outsourcing ICT functions or using third-party providers?”]Companies must maintain vendor registers, conduct risk assessments, and ensure contracts contain audit rights, resilience clauses, and exit strategies. Continuous monitoring of ICT providers is expected, not just one-time due diligence.[\/vc_toggle][vc_toggle title=”What documentation and evidence will regulators typically request during inspections?”]Regulators will ask for ICT risk registers, incident logs, continuity and recovery test results, third-party oversight records, staff training logs, and management reporting packs. Evidence must show not only that policies exist, but that they are tested and effective in practice.[\/vc_toggle][vc_toggle title=”How long does DORA compliance implementation usually take, and what factors influence the timeline?”]Implementation typically takes several months, depending on the company\u2019s size, risk profile, and existing ICT maturity. Factors such as legacy systems, reliance on multiple third-party providers, and the need for advanced testing (like TLPT) can extend the timeline.[\/vc_toggle][\/vc_column][\/vc_row][vc_row disable_element=”yes” rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted”][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”][vc_column_text]<\/p>\n[\/vc_column_text][\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” id=”#contact” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_bg_image=”36245″][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”]
\n\t\t\t\t\t\t<\/span>Questions? Book an Introductory call with our Compliance Team!<\/h2>\n\t\t\t\t\t<\/div>[\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_margin_top=”0″][vc_column width=”2\/3″ rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”true” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_color=”” rt_bg_overlay_color=””]\n\t\t\t\t\t\tBook a meeting for DORA Compliance<\/h2>\n\t\t\t\t\t<\/div>[vc_column_text css=”.vc_custom_1702842033251{margin-bottom: 15px !important;}”]<\/p>\n
We provide a step-by-step plan and documentation checklist after a short discovery call. Our methodology follows a mapped control framework to ensure full coverage of DORA obligations and evidence requirements.<\/strong> Please contact our compliance team through the contact form below and we will revert shortly.<\/p>\n[\/vc_column_text]\n
\n<\/p>
<\/ul><\/div>\n
3. Testing, Training & Ongoing Compliance<\/h3> \n- Resilience testing:<\/strong>\u00a0structured scenarios and TLPT scope (where applicable)<\/li>\n
- Remediation tracking:<\/strong>\u00a0evidence logs to confirm closure of identified gaps<\/li>\n
- Staff and management training<\/strong>: sessions with attendance records maintained<\/li>\n
- Ongoing monitoring:<\/strong>\u00a0review cycles and metrics to ensure continuous compliance<\/li>\n<\/ul>\n<\/div><\/article>[\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_bg_image=”36245″][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”]\n\t\t\t\t\t\t
<\/span>What it Takes to Achieve DORA Compliance<\/h2>\n\t\t\t\t\t<\/div>[\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”bottom” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_padding_bottom=”7″][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”]\n\t\t\t\t\t\tKey Services for DORA Compliance and ICT Risk Management<\/h2>\n\t\t\t\t\t<\/div>[vc_column_text css=”.vc_custom_1759206473180{margin-bottom: 15px !important;}”]<\/p>\n
We can support at all stages of the DORA compliance journey while taking care of all cybersecurity measures and policies required.<\/strong> We provide companies with tools and documentation that withstand regulatory scrutiny while remaining workable in daily operations. Each area is supported by evidence, registers, and reporting mechanisms, ensuring compliance is demonstrable and sustainable.<\/p>\n[\/vc_column_text][vc_tta_tour][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”ICT Risk Frameworks & Governance” tab_id=”1759043207742-f7178f9a-9271″][vc_column_text]A core requirement of DORA is the establishment of a structured ICT risk management framework that demonstrates both accountability and proportionality. Regulators expect companies to maintain verifiable processes that show risks are identified, assessed, and governed in line with compliance obligations.<\/p>\n
We support with designing and documenting ICT risk frameworks that meet these expectations while remaining practical for daily operations. This includes the preparation of risk registers that categorise ICT threats, control mappings that connect risks to mitigation measures, and escalation procedures that ensure incidents are reported and addressed in a timely manner. Governance structures are aligned so ICT risks are integrated into overall management oversight and board reporting.<\/p>\n
The outcome is not only a documented risk framework but a defensible system that can be presented to regulators during inspections or supervisory dialogue. Our approach ensures companies can demonstrate that ICT risks are actively monitored, proportionately mitigated, and continuously reviewed, fulfilling the key obligations of DORA compliance in a regulator-ready manner.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Incident Management & Continuity Planning” tab_id=”1759043207767-08936f7f-e250″][vc_column_text]Under DORA, companies must show they can detect, escalate, and recover from ICT-related disruptions within defined timeframes. Regulators expect clear escalation paths, crisis communication procedures, and documented recovery objectives. Two key metrics are the Recovery Time Objective (RTO), the maximum time a service may be unavailable, and the Recovery Point Objective (RPO), the maximum tolerable data loss measured in time.<\/p>\n
We design incident playbooks, escalation workflows, and Business Continuity and Disaster Recovery (BCP\/DR) arrangements that address both internal processes and third-party dependencies. Our work includes conducting business impact assessments, setting measurable recovery objectives, and organising test exercises that validate plans in practice.<\/p>\n
The outcome is a tested and regulator-ready framework that ensures disruptions can be managed effectively, recovery targets are realistic and evidenced, and continuity measures are integrated into daily operations in line with DORA compliance requirements.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Third-Party Oversight & Testing” tab_id=”1759043335715-a519a521-5966″][vc_column_text]DORA places strong emphasis on risks arising from ICT service providers and outsourcing arrangements.<\/p>\n
Regulators expect companies to maintain registers of critical providers, perform due diligence and ongoing assessments, and ensure contracts include enforceable provisions such as audit rights, resilience obligations, and exit strategies. These requirements aim to reduce dependency risks and ensure operational continuity even if a provider fails.<\/p>\n
We establish oversight frameworks that classify vendors by risk level, assess their resilience, and document clear exit plans. Where required, we coordinate resilience testing, including Threat-Led Penetration Testing (TLPT) for entities in scope, and prepare verifiable evidence for regulators.<\/p>\n
The outcome is a structured and defensible system of third-party oversight. Companies gain visibility into their ICT supply chain, maintain regulator-ready documentation, and demonstrate that outsourcing risks are actively managed in line with DORA compliance requirements.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Policy & Documentation Development” tab_id=”1759043354437-661455dc-42d6″][vc_column_text]An effective DORA compliance framework depends on a maintained and consistent set of policies, procedures, and evidence logs. Regulators require companies not only to adopt written rules but to demonstrate that they are actively implemented, regularly reviewed, and tailored to the business model. Policies must cover ICT risk management, incident response, third-party oversight, and testing obligations, all mapped directly to the regulation.<\/p>\n
We prepare and adapt full documentation sets, including policies, registers, playbooks, and logs, ensuring they are aligned with both regulatory obligations and operational practices. Each document is drafted in a regulator-ready format, clearly referencing the relevant articles of DORA and integrated into the company\u2019s governance structure.<\/p>\n
The result is a coherent compliance library that can withstand supervisory review, reduce ambiguity during audits, and provide management with clear guidance. Companies benefit from a system that is not theoretical but embedded into daily operations, with documentation that both supports staff and satisfies regulatory scrutiny.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Incident Reporting & Registers” tab_id=”1759043374477-049ed727-4806″][vc_column_text]Timely incident reporting is a cornerstone of DORA compliance. Regulators require companies to detect ICT-related incidents, escalate them internally, notify authorities when thresholds are met, and maintain verifiable records of incidents and remediation. Failure to demonstrate structured reporting can lead to supervisory findings and sanctions.<\/p>\n
We assist companies in implementing reporting procedures aligned with DORA\u2019s incident classification and notification standards. This includes designing escalation protocols, maintaining incident registers, and preparing external notification templates for regulatory submissions. We also ensure companies have logs of remediation actions and testing results, which provide evidence of continuous improvement.<\/p>\n
The outcome is a compliant incident reporting system that demonstrates accountability and preparedness. Companies can show regulators that incidents are recorded, assessed, and reported in line with legal obligations, while also using the process to strengthen internal resilience.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Staff & Management Training” tab_id=”1759043411704-5e6720b0-4393″][vc_column_text]DORA requires companies to ensure that staff, management, and boards understand their roles in maintaining ICT risk management and operational stability. Regulators expect evidence of structured training programmes, attendance logs, and awareness initiatives that embed digital resilience into daily operations and decision-making.<\/p>\n
We provide targeted training sessions for senior management, compliance teams, and operational staff. Content covers ICT risk awareness, incident response protocols, third-party oversight duties, and regulatory reporting expectations. Programmes are customised to the company\u2019s business model, ensuring relevance and engagement. Attendance is tracked, and participants receive updated materials as regulations evolve.<\/p>\n
The result is a workforce that is informed, accountable, and capable of responding to ICT disruptions in line with regulatory expectations. By documenting training sessions and outcomes, companies can demonstrate to regulators that operational resilience is not limited to policies, but is actively supported and maintained across the organisation.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Ongoing Monitoring & Advisory” tab_id=”1759043393151-b3b9f04a-8b8e”][vc_column_text]DORA is not a one-time exercise but a continuous compliance obligation. Regulators expect companies to demonstrate that ICT risk frameworks, continuity arrangements, and third-party oversight remain up to date as systems, providers, and threats evolve. Regular reviews and monitoring cycles are therefore a critical part of maintaining compliance and avoiding supervisory findings.<\/p>\n
We support companies by establishing monitoring routines and review schedules that fit their operational model. This includes scheduled policy reviews, periodic testing of continuity and recovery procedures, supplier re-assessments, and updates to risk registers. Evidence logs are maintained so that every review and remediation step can be demonstrated to regulators upon request.<\/p>\n
The outcome is a living compliance framework that evolves with the company and the threat landscape. By embedding monitoring and reviews into governance, organisations can show regulators that they are not only compliant at a single point in time but consistently sustaining digital operational resilience in line with DORA obligations.[\/vc_column_text][\/vc_tta_section][\/vc_tta_tour][\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_bg_image=”36245″][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”]
\n\t\t\t\t\t\t<\/span>Frequently Asked Questions<\/h2>\n\t\t\t\t\t<\/div>[\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_margin_top=”0″][vc_column width=”1\/2″ rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”true” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_color=”” rt_bg_overlay_color=””][vc_toggle title=”Which types of companies face the strictest obligations under the Digital Operational Resilience Act (DORA)?”]While DORA applies to all financial entities in scope, larger institutions and those providing critical services, such as major EMIs, PIs, and CASPs, will face heightened regulatory scrutiny. These companies may be designated for advanced requirements such as Threat-Led Penetration Testing (TLPT) and more frequent reporting.[\/vc_toggle][vc_toggle title=”What are the core obligations and requirements introduced by DORA?”]DORA sets mandatory rules for ICT risk management, incident detection and reporting, business continuity and disaster recovery (BCP\/DR), third-party oversight, resilience testing, and training. All obligations must be documented, tested, and demonstrable to regulators.[\/vc_toggle][vc_toggle title=”Under what conditions is Threat-Led Penetration Testing (TLPT) required?”]TLPT is required for entities considered critical based on size, systemic importance, and risk exposure. Supervisory authorities will identify which companies must undergo TLPT and specify the testing frequency.[\/vc_toggle][vc_toggle title=”How does the DORA incident classification and reporting process work in practice?”]Companies must classify ICT-related incidents by severity, notify regulators within strict timeframes, and provide follow-up reports. Each report must show the timeline, mitigation measures, and corrective actions taken, supported by evidence.[\/vc_toggle][\/vc_column][vc_column width=”1\/2″ rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”][vc_toggle title=”How does DORA interact with existing EU regulations such as GDPR and NIS2?”]DORA complements rather than replaces GDPR and NIS2. For example, a cyber incident may trigger reporting obligations under both GDPR (personal data breaches) and DORA (ICT operational disruption). Companies must align policies to avoid duplication and ensure consistency across frameworks.[\/vc_toggle][vc_toggle title=”What does DORA expect from companies when outsourcing ICT functions or using third-party providers?”]Companies must maintain vendor registers, conduct risk assessments, and ensure contracts contain audit rights, resilience clauses, and exit strategies. Continuous monitoring of ICT providers is expected, not just one-time due diligence.[\/vc_toggle][vc_toggle title=”What documentation and evidence will regulators typically request during inspections?”]Regulators will ask for ICT risk registers, incident logs, continuity and recovery test results, third-party oversight records, staff training logs, and management reporting packs. Evidence must show not only that policies exist, but that they are tested and effective in practice.[\/vc_toggle][vc_toggle title=”How long does DORA compliance implementation usually take, and what factors influence the timeline?”]Implementation typically takes several months, depending on the company\u2019s size, risk profile, and existing ICT maturity. Factors such as legacy systems, reliance on multiple third-party providers, and the need for advanced testing (like TLPT) can extend the timeline.[\/vc_toggle][\/vc_column][\/vc_row][vc_row disable_element=”yes” rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted”][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”][vc_column_text]<\/p>\n[\/vc_column_text][\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” id=”#contact” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_bg_image=”36245″][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”]
\n\t\t\t\t\t\t<\/span>Questions? Book an Introductory call with our Compliance Team!<\/h2>\n\t\t\t\t\t<\/div>[\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_margin_top=”0″][vc_column width=”2\/3″ rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”true” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_color=”” rt_bg_overlay_color=””]\n\t\t\t\t\t\tBook a meeting for DORA Compliance<\/h2>\n\t\t\t\t\t<\/div>[vc_column_text css=”.vc_custom_1702842033251{margin-bottom: 15px !important;}”]<\/p>\n
We provide a step-by-step plan and documentation checklist after a short discovery call. Our methodology follows a mapped control framework to ensure full coverage of DORA obligations and evidence requirements.<\/strong> Please contact our compliance team through the contact form below and we will revert shortly.<\/p>\n[\/vc_column_text]\n
\n<\/p>
<\/ul><\/div>\n
<\/span>What it Takes to Achieve DORA Compliance<\/h2>\n\t\t\t\t\t<\/div>[\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”bottom” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_padding_bottom=”7″][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”]\n\t\t\t\t\t\tKey Services for DORA Compliance and ICT Risk Management<\/h2>\n\t\t\t\t\t<\/div>[vc_column_text css=”.vc_custom_1759206473180{margin-bottom: 15px !important;}”]<\/p>\n
We can support at all stages of the DORA compliance journey while taking care of all cybersecurity measures and policies required.<\/strong> We provide companies with tools and documentation that withstand regulatory scrutiny while remaining workable in daily operations. Each area is supported by evidence, registers, and reporting mechanisms, ensuring compliance is demonstrable and sustainable.<\/p>\n[\/vc_column_text][vc_tta_tour][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”ICT Risk Frameworks & Governance” tab_id=”1759043207742-f7178f9a-9271″][vc_column_text]A core requirement of DORA is the establishment of a structured ICT risk management framework that demonstrates both accountability and proportionality. Regulators expect companies to maintain verifiable processes that show risks are identified, assessed, and governed in line with compliance obligations.<\/p>\n
We support with designing and documenting ICT risk frameworks that meet these expectations while remaining practical for daily operations. This includes the preparation of risk registers that categorise ICT threats, control mappings that connect risks to mitigation measures, and escalation procedures that ensure incidents are reported and addressed in a timely manner. Governance structures are aligned so ICT risks are integrated into overall management oversight and board reporting.<\/p>\n
The outcome is not only a documented risk framework but a defensible system that can be presented to regulators during inspections or supervisory dialogue. Our approach ensures companies can demonstrate that ICT risks are actively monitored, proportionately mitigated, and continuously reviewed, fulfilling the key obligations of DORA compliance in a regulator-ready manner.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Incident Management & Continuity Planning” tab_id=”1759043207767-08936f7f-e250″][vc_column_text]Under DORA, companies must show they can detect, escalate, and recover from ICT-related disruptions within defined timeframes. Regulators expect clear escalation paths, crisis communication procedures, and documented recovery objectives. Two key metrics are the Recovery Time Objective (RTO), the maximum time a service may be unavailable, and the Recovery Point Objective (RPO), the maximum tolerable data loss measured in time.<\/p>\n
We design incident playbooks, escalation workflows, and Business Continuity and Disaster Recovery (BCP\/DR) arrangements that address both internal processes and third-party dependencies. Our work includes conducting business impact assessments, setting measurable recovery objectives, and organising test exercises that validate plans in practice.<\/p>\n
The outcome is a tested and regulator-ready framework that ensures disruptions can be managed effectively, recovery targets are realistic and evidenced, and continuity measures are integrated into daily operations in line with DORA compliance requirements.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Third-Party Oversight & Testing” tab_id=”1759043335715-a519a521-5966″][vc_column_text]DORA places strong emphasis on risks arising from ICT service providers and outsourcing arrangements.<\/p>\n
Regulators expect companies to maintain registers of critical providers, perform due diligence and ongoing assessments, and ensure contracts include enforceable provisions such as audit rights, resilience obligations, and exit strategies. These requirements aim to reduce dependency risks and ensure operational continuity even if a provider fails.<\/p>\n
We establish oversight frameworks that classify vendors by risk level, assess their resilience, and document clear exit plans. Where required, we coordinate resilience testing, including Threat-Led Penetration Testing (TLPT) for entities in scope, and prepare verifiable evidence for regulators.<\/p>\n
The outcome is a structured and defensible system of third-party oversight. Companies gain visibility into their ICT supply chain, maintain regulator-ready documentation, and demonstrate that outsourcing risks are actively managed in line with DORA compliance requirements.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Policy & Documentation Development” tab_id=”1759043354437-661455dc-42d6″][vc_column_text]An effective DORA compliance framework depends on a maintained and consistent set of policies, procedures, and evidence logs. Regulators require companies not only to adopt written rules but to demonstrate that they are actively implemented, regularly reviewed, and tailored to the business model. Policies must cover ICT risk management, incident response, third-party oversight, and testing obligations, all mapped directly to the regulation.<\/p>\n
We prepare and adapt full documentation sets, including policies, registers, playbooks, and logs, ensuring they are aligned with both regulatory obligations and operational practices. Each document is drafted in a regulator-ready format, clearly referencing the relevant articles of DORA and integrated into the company\u2019s governance structure.<\/p>\n
The result is a coherent compliance library that can withstand supervisory review, reduce ambiguity during audits, and provide management with clear guidance. Companies benefit from a system that is not theoretical but embedded into daily operations, with documentation that both supports staff and satisfies regulatory scrutiny.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Incident Reporting & Registers” tab_id=”1759043374477-049ed727-4806″][vc_column_text]Timely incident reporting is a cornerstone of DORA compliance. Regulators require companies to detect ICT-related incidents, escalate them internally, notify authorities when thresholds are met, and maintain verifiable records of incidents and remediation. Failure to demonstrate structured reporting can lead to supervisory findings and sanctions.<\/p>\n
We assist companies in implementing reporting procedures aligned with DORA\u2019s incident classification and notification standards. This includes designing escalation protocols, maintaining incident registers, and preparing external notification templates for regulatory submissions. We also ensure companies have logs of remediation actions and testing results, which provide evidence of continuous improvement.<\/p>\n
The outcome is a compliant incident reporting system that demonstrates accountability and preparedness. Companies can show regulators that incidents are recorded, assessed, and reported in line with legal obligations, while also using the process to strengthen internal resilience.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Staff & Management Training” tab_id=”1759043411704-5e6720b0-4393″][vc_column_text]DORA requires companies to ensure that staff, management, and boards understand their roles in maintaining ICT risk management and operational stability. Regulators expect evidence of structured training programmes, attendance logs, and awareness initiatives that embed digital resilience into daily operations and decision-making.<\/p>\n
We provide targeted training sessions for senior management, compliance teams, and operational staff. Content covers ICT risk awareness, incident response protocols, third-party oversight duties, and regulatory reporting expectations. Programmes are customised to the company\u2019s business model, ensuring relevance and engagement. Attendance is tracked, and participants receive updated materials as regulations evolve.<\/p>\n
The result is a workforce that is informed, accountable, and capable of responding to ICT disruptions in line with regulatory expectations. By documenting training sessions and outcomes, companies can demonstrate to regulators that operational resilience is not limited to policies, but is actively supported and maintained across the organisation.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Ongoing Monitoring & Advisory” tab_id=”1759043393151-b3b9f04a-8b8e”][vc_column_text]DORA is not a one-time exercise but a continuous compliance obligation. Regulators expect companies to demonstrate that ICT risk frameworks, continuity arrangements, and third-party oversight remain up to date as systems, providers, and threats evolve. Regular reviews and monitoring cycles are therefore a critical part of maintaining compliance and avoiding supervisory findings.<\/p>\n
We support companies by establishing monitoring routines and review schedules that fit their operational model. This includes scheduled policy reviews, periodic testing of continuity and recovery procedures, supplier re-assessments, and updates to risk registers. Evidence logs are maintained so that every review and remediation step can be demonstrated to regulators upon request.<\/p>\n
The outcome is a living compliance framework that evolves with the company and the threat landscape. By embedding monitoring and reviews into governance, organisations can show regulators that they are not only compliant at a single point in time but consistently sustaining digital operational resilience in line with DORA obligations.[\/vc_column_text][\/vc_tta_section][\/vc_tta_tour][\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_bg_image=”36245″][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”]
\n\t\t\t\t\t\t<\/span>Frequently Asked Questions<\/h2>\n\t\t\t\t\t<\/div>[\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_margin_top=”0″][vc_column width=”1\/2″ rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”true” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_color=”” rt_bg_overlay_color=””][vc_toggle title=”Which types of companies face the strictest obligations under the Digital Operational Resilience Act (DORA)?”]While DORA applies to all financial entities in scope, larger institutions and those providing critical services, such as major EMIs, PIs, and CASPs, will face heightened regulatory scrutiny. These companies may be designated for advanced requirements such as Threat-Led Penetration Testing (TLPT) and more frequent reporting.[\/vc_toggle][vc_toggle title=”What are the core obligations and requirements introduced by DORA?”]DORA sets mandatory rules for ICT risk management, incident detection and reporting, business continuity and disaster recovery (BCP\/DR), third-party oversight, resilience testing, and training. All obligations must be documented, tested, and demonstrable to regulators.[\/vc_toggle][vc_toggle title=”Under what conditions is Threat-Led Penetration Testing (TLPT) required?”]TLPT is required for entities considered critical based on size, systemic importance, and risk exposure. Supervisory authorities will identify which companies must undergo TLPT and specify the testing frequency.[\/vc_toggle][vc_toggle title=”How does the DORA incident classification and reporting process work in practice?”]Companies must classify ICT-related incidents by severity, notify regulators within strict timeframes, and provide follow-up reports. Each report must show the timeline, mitigation measures, and corrective actions taken, supported by evidence.[\/vc_toggle][\/vc_column][vc_column width=”1\/2″ rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”][vc_toggle title=”How does DORA interact with existing EU regulations such as GDPR and NIS2?”]DORA complements rather than replaces GDPR and NIS2. For example, a cyber incident may trigger reporting obligations under both GDPR (personal data breaches) and DORA (ICT operational disruption). Companies must align policies to avoid duplication and ensure consistency across frameworks.[\/vc_toggle][vc_toggle title=”What does DORA expect from companies when outsourcing ICT functions or using third-party providers?”]Companies must maintain vendor registers, conduct risk assessments, and ensure contracts contain audit rights, resilience clauses, and exit strategies. Continuous monitoring of ICT providers is expected, not just one-time due diligence.[\/vc_toggle][vc_toggle title=”What documentation and evidence will regulators typically request during inspections?”]Regulators will ask for ICT risk registers, incident logs, continuity and recovery test results, third-party oversight records, staff training logs, and management reporting packs. Evidence must show not only that policies exist, but that they are tested and effective in practice.[\/vc_toggle][vc_toggle title=”How long does DORA compliance implementation usually take, and what factors influence the timeline?”]Implementation typically takes several months, depending on the company\u2019s size, risk profile, and existing ICT maturity. Factors such as legacy systems, reliance on multiple third-party providers, and the need for advanced testing (like TLPT) can extend the timeline.[\/vc_toggle][\/vc_column][\/vc_row][vc_row disable_element=”yes” rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted”][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”][vc_column_text]<\/p>\n[\/vc_column_text][\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” id=”#contact” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_bg_image=”36245″][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”]
\n\t\t\t\t\t\t<\/span>Questions? Book an Introductory call with our Compliance Team!<\/h2>\n\t\t\t\t\t<\/div>[\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_margin_top=”0″][vc_column width=”2\/3″ rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”true” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_color=”” rt_bg_overlay_color=””]\n\t\t\t\t\t\tBook a meeting for DORA Compliance<\/h2>\n\t\t\t\t\t<\/div>[vc_column_text css=”.vc_custom_1702842033251{margin-bottom: 15px !important;}”]<\/p>\n
We provide a step-by-step plan and documentation checklist after a short discovery call. Our methodology follows a mapped control framework to ensure full coverage of DORA obligations and evidence requirements.<\/strong> Please contact our compliance team through the contact form below and we will revert shortly.<\/p>\n[\/vc_column_text]\n
\n<\/p>
<\/ul><\/div>\n
Key Services for DORA Compliance and ICT Risk Management<\/h2>\n\t\t\t\t\t<\/div>[vc_column_text css=”.vc_custom_1759206473180{margin-bottom: 15px !important;}”]<\/p>\n
We can support at all stages of the DORA compliance journey while taking care of all cybersecurity measures and policies required.<\/strong> We provide companies with tools and documentation that withstand regulatory scrutiny while remaining workable in daily operations. Each area is supported by evidence, registers, and reporting mechanisms, ensuring compliance is demonstrable and sustainable.<\/p>\n [\/vc_column_text][vc_tta_tour][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”ICT Risk Frameworks & Governance” tab_id=”1759043207742-f7178f9a-9271″][vc_column_text]A core requirement of DORA is the establishment of a structured ICT risk management framework that demonstrates both accountability and proportionality. Regulators expect companies to maintain verifiable processes that show risks are identified, assessed, and governed in line with compliance obligations.<\/p>\n We support with designing and documenting ICT risk frameworks that meet these expectations while remaining practical for daily operations. This includes the preparation of risk registers that categorise ICT threats, control mappings that connect risks to mitigation measures, and escalation procedures that ensure incidents are reported and addressed in a timely manner. Governance structures are aligned so ICT risks are integrated into overall management oversight and board reporting.<\/p>\n The outcome is not only a documented risk framework but a defensible system that can be presented to regulators during inspections or supervisory dialogue. Our approach ensures companies can demonstrate that ICT risks are actively monitored, proportionately mitigated, and continuously reviewed, fulfilling the key obligations of DORA compliance in a regulator-ready manner.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Incident Management & Continuity Planning” tab_id=”1759043207767-08936f7f-e250″][vc_column_text]Under DORA, companies must show they can detect, escalate, and recover from ICT-related disruptions within defined timeframes. Regulators expect clear escalation paths, crisis communication procedures, and documented recovery objectives. Two key metrics are the Recovery Time Objective (RTO), the maximum time a service may be unavailable, and the Recovery Point Objective (RPO), the maximum tolerable data loss measured in time.<\/p>\n We design incident playbooks, escalation workflows, and Business Continuity and Disaster Recovery (BCP\/DR) arrangements that address both internal processes and third-party dependencies. Our work includes conducting business impact assessments, setting measurable recovery objectives, and organising test exercises that validate plans in practice.<\/p>\n The outcome is a tested and regulator-ready framework that ensures disruptions can be managed effectively, recovery targets are realistic and evidenced, and continuity measures are integrated into daily operations in line with DORA compliance requirements.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Third-Party Oversight & Testing” tab_id=”1759043335715-a519a521-5966″][vc_column_text]DORA places strong emphasis on risks arising from ICT service providers and outsourcing arrangements.<\/p>\n Regulators expect companies to maintain registers of critical providers, perform due diligence and ongoing assessments, and ensure contracts include enforceable provisions such as audit rights, resilience obligations, and exit strategies. These requirements aim to reduce dependency risks and ensure operational continuity even if a provider fails.<\/p>\n We establish oversight frameworks that classify vendors by risk level, assess their resilience, and document clear exit plans. Where required, we coordinate resilience testing, including Threat-Led Penetration Testing (TLPT) for entities in scope, and prepare verifiable evidence for regulators.<\/p>\n The outcome is a structured and defensible system of third-party oversight. Companies gain visibility into their ICT supply chain, maintain regulator-ready documentation, and demonstrate that outsourcing risks are actively managed in line with DORA compliance requirements.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Policy & Documentation Development” tab_id=”1759043354437-661455dc-42d6″][vc_column_text]An effective DORA compliance framework depends on a maintained and consistent set of policies, procedures, and evidence logs. Regulators require companies not only to adopt written rules but to demonstrate that they are actively implemented, regularly reviewed, and tailored to the business model. Policies must cover ICT risk management, incident response, third-party oversight, and testing obligations, all mapped directly to the regulation.<\/p>\n We prepare and adapt full documentation sets, including policies, registers, playbooks, and logs, ensuring they are aligned with both regulatory obligations and operational practices. Each document is drafted in a regulator-ready format, clearly referencing the relevant articles of DORA and integrated into the company\u2019s governance structure.<\/p>\n The result is a coherent compliance library that can withstand supervisory review, reduce ambiguity during audits, and provide management with clear guidance. Companies benefit from a system that is not theoretical but embedded into daily operations, with documentation that both supports staff and satisfies regulatory scrutiny.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Incident Reporting & Registers” tab_id=”1759043374477-049ed727-4806″][vc_column_text]Timely incident reporting is a cornerstone of DORA compliance. Regulators require companies to detect ICT-related incidents, escalate them internally, notify authorities when thresholds are met, and maintain verifiable records of incidents and remediation. Failure to demonstrate structured reporting can lead to supervisory findings and sanctions.<\/p>\n We assist companies in implementing reporting procedures aligned with DORA\u2019s incident classification and notification standards. This includes designing escalation protocols, maintaining incident registers, and preparing external notification templates for regulatory submissions. We also ensure companies have logs of remediation actions and testing results, which provide evidence of continuous improvement.<\/p>\n The outcome is a compliant incident reporting system that demonstrates accountability and preparedness. Companies can show regulators that incidents are recorded, assessed, and reported in line with legal obligations, while also using the process to strengthen internal resilience.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Staff & Management Training” tab_id=”1759043411704-5e6720b0-4393″][vc_column_text]DORA requires companies to ensure that staff, management, and boards understand their roles in maintaining ICT risk management and operational stability. Regulators expect evidence of structured training programmes, attendance logs, and awareness initiatives that embed digital resilience into daily operations and decision-making.<\/p>\n We provide targeted training sessions for senior management, compliance teams, and operational staff. Content covers ICT risk awareness, incident response protocols, third-party oversight duties, and regulatory reporting expectations. Programmes are customised to the company\u2019s business model, ensuring relevance and engagement. Attendance is tracked, and participants receive updated materials as regulations evolve.<\/p>\n The result is a workforce that is informed, accountable, and capable of responding to ICT disruptions in line with regulatory expectations. By documenting training sessions and outcomes, companies can demonstrate to regulators that operational resilience is not limited to policies, but is actively supported and maintained across the organisation.[\/vc_column_text][\/vc_tta_section][vc_tta_section i_icon_fontawesome=”fas fa-angle-right” add_icon=”true” title=”Ongoing Monitoring & Advisory” tab_id=”1759043393151-b3b9f04a-8b8e”][vc_column_text]DORA is not a one-time exercise but a continuous compliance obligation. Regulators expect companies to demonstrate that ICT risk frameworks, continuity arrangements, and third-party oversight remain up to date as systems, providers, and threats evolve. Regular reviews and monitoring cycles are therefore a critical part of maintaining compliance and avoiding supervisory findings.<\/p>\n We support companies by establishing monitoring routines and review schedules that fit their operational model. This includes scheduled policy reviews, periodic testing of continuity and recovery procedures, supplier re-assessments, and updates to risk registers. Evidence logs are maintained so that every review and remediation step can be demonstrated to regulators upon request.<\/p>\n The outcome is a living compliance framework that evolves with the company and the threat landscape. By embedding monitoring and reviews into governance, organisations can show regulators that they are not only compliant at a single point in time but consistently sustaining digital operational resilience in line with DORA obligations.[\/vc_column_text][\/vc_tta_section][\/vc_tta_tour][\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_bg_image=”36245″][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”] [\/vc_column_text][\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” id=”#contact” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_bg_image=”36245″][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”] We provide a step-by-step plan and documentation checklist after a short discovery call. Our methodology follows a mapped control framework to ensure full coverage of DORA obligations and evidence requirements.<\/strong> Please contact our compliance team through the contact form below and we will revert shortly.<\/p>\n [\/vc_column_text]\n <\/p> <\/span>Frequently Asked Questions<\/h2>\n\t\t\t\t\t<\/div>[\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_margin_top=”0″][vc_column width=”1\/2″ rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”true” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_color=”” rt_bg_overlay_color=””][vc_toggle title=”Which types of companies face the strictest obligations under the Digital Operational Resilience Act (DORA)?”]While DORA applies to all financial entities in scope, larger institutions and those providing critical services, such as major EMIs, PIs, and CASPs, will face heightened regulatory scrutiny. These companies may be designated for advanced requirements such as Threat-Led Penetration Testing (TLPT) and more frequent reporting.[\/vc_toggle][vc_toggle title=”What are the core obligations and requirements introduced by DORA?”]DORA sets mandatory rules for ICT risk management, incident detection and reporting, business continuity and disaster recovery (BCP\/DR), third-party oversight, resilience testing, and training. All obligations must be documented, tested, and demonstrable to regulators.[\/vc_toggle][vc_toggle title=”Under what conditions is Threat-Led Penetration Testing (TLPT) required?”]TLPT is required for entities considered critical based on size, systemic importance, and risk exposure. Supervisory authorities will identify which companies must undergo TLPT and specify the testing frequency.[\/vc_toggle][vc_toggle title=”How does the DORA incident classification and reporting process work in practice?”]Companies must classify ICT-related incidents by severity, notify regulators within strict timeframes, and provide follow-up reports. Each report must show the timeline, mitigation measures, and corrective actions taken, supported by evidence.[\/vc_toggle][\/vc_column][vc_column width=”1\/2″ rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”][vc_toggle title=”How does DORA interact with existing EU regulations such as GDPR and NIS2?”]DORA complements rather than replaces GDPR and NIS2. For example, a cyber incident may trigger reporting obligations under both GDPR (personal data breaches) and DORA (ICT operational disruption). Companies must align policies to avoid duplication and ensure consistency across frameworks.[\/vc_toggle][vc_toggle title=”What does DORA expect from companies when outsourcing ICT functions or using third-party providers?”]Companies must maintain vendor registers, conduct risk assessments, and ensure contracts contain audit rights, resilience clauses, and exit strategies. Continuous monitoring of ICT providers is expected, not just one-time due diligence.[\/vc_toggle][vc_toggle title=”What documentation and evidence will regulators typically request during inspections?”]Regulators will ask for ICT risk registers, incident logs, continuity and recovery test results, third-party oversight records, staff training logs, and management reporting packs. Evidence must show not only that policies exist, but that they are tested and effective in practice.[\/vc_toggle][vc_toggle title=”How long does DORA compliance implementation usually take, and what factors influence the timeline?”]Implementation typically takes several months, depending on the company\u2019s size, risk profile, and existing ICT maturity. Factors such as legacy systems, reliance on multiple third-party providers, and the need for advanced testing (like TLPT) can extend the timeline.[\/vc_toggle][\/vc_column][\/vc_row][vc_row disable_element=”yes” rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted”][vc_column rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll”][vc_column_text]<\/p>\n
<\/span>Questions? Book an Introductory call with our Compliance Team!<\/h2>\n\t\t\t\t\t<\/div>[\/vc_column][\/vc_row][vc_row rt_row_background_width=”fullwidth” rt_row_content_width=”default” rt_row_style=”default-style” rt_row_height=”” rt_column_gaps=”” rt_row_shadows=”” rt_row_paddings=”true” rt_row_borders=”” rt_bg_effect=”classic” rt_transparent_bg=”false” rt_bg_image_repeat=”repeat” rt_bg_size=”cover” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_layer=”” rt_bg_video_format=”self-hosted” rt_margin_top=”0″][vc_column width=”2\/3″ rt_col_paddings=”true” rt_wrp_col_paddings=”false” rt_column_shadow=”” rt_border_top=”” rt_border_bottom=”” rt_border_left=”” rt_border_right=”true” rt_border_top_mobile=”” rt_border_bottom_mobile=”” rt_border_left_mobile=”” rt_border_right_mobile=”” rt_bg_image_repeat=”repeat” rt_bg_size=”auto auto” rt_bg_position=”right top” rt_bg_attachment=”scroll” rt_bg_color=”” rt_bg_overlay_color=””]
Book a meeting for DORA Compliance<\/h2>\n\t\t\t\t\t<\/div>[vc_column_text css=”.vc_custom_1702842033251{margin-bottom: 15px !important;}”]<\/p>\n
<\/ul><\/div>\n