Ga naar inhoud

DORA for ICT suppliers

DORA for ICT suppliers: practical guide for executives, IT and compliance — with evidence, risk and audit preparation.

Book an informal conversation

ISO Ready helps you align policy, risk, and evidence — without endless document churn.

Run the ISO 27001 readiness scan

Who is in scope?

DORA for ICT suppliers affects financial entities and critical ICT providers (including many SaaS vendors to banks/insurers). Requirements cover ICT risk, incidents, testing, chain and exit.

ICT risk and vendors

Your ICT risk register should include contracts, concentration risk, exit and monitoring. Link to ISO 27001 vendor management — one register, audit and supervision audiences.

Incidents and continuity

DORA incident reporting needs tight timelines and roles. Align with NIS2 reporting where relevant. Test recovery and document failover/backup evidence.

Common mistakes

Spreadsheet vendor lists without tiers; no exit plan; incidents fixed only technically; no board decisions on ICT risk.

Checklist

  • Scope DORA vs contracts
  • Tier vendors + exit
  • ICT risk register
  • Test incident playbooks
  • Link BCP/DR to DORA

Practical next step

For DORA ICT suppliers, ISO Ready keeps actions, evidence, risks and vendors aligned toward audit or supervision. Run the readiness scan on iso-ready.nl.

No certification guarantee — you retain ownership of scope, risks and decisions.

More in this cluster

Key takeaways

  • Scope and ownership first — then documents and evidence.
  • Link controls to risks and verify they work.
  • Use internal audit and management review as dress rehearsal.

Veelgestelde vragen

Where should we start with DORA for ICT suppliers?
Confirm scope and owners, capture current practice and evidence, then schedule an internal sample on the highest risk.
How much documentation is enough?
Enough to show decisions, operation and monitoring. Consistency between records and reality matters more than volume.
Does this align with ISO 27001 and NIS2?
Often yes — map overlaps explicitly so you do not maintain duplicate registers.
What does ISO Ready add?
Central follow-up of actions, evidence and vendors toward audit — use the on-page CTA.
How long does a DORA for ICT suppliers programme take?
Depends on maturity: from weeks for targeted improvement to months for certification or a first external audit.

Run the ISO 27001 readiness scan

See where you stand before investing in documents or consultants.

Start the readiness scan