DORA and ISO 27001: where they overlap for EU financial firms
DORA has applied across EU financial entities since January 2025. Here is where its ICT risk and incident requirements map onto ISO 27001, and where genuine gaps remain.
By Kellwick Team · July 19, 2026 · 6 min read
The Digital Operational Resilience Act (DORA) became applicable across EU financial entities in January 2025. Since then, compliance, IT, and risk teams at banks, payment institutions, investment firms, and crypto-asset service providers have been working through what DORA actually requires in practice - and how it relates to existing frameworks like ISO 27001 that many of those entities already hold or are pursuing.
The answer is nuanced. There is genuine overlap between DORA and ISO 27001, particularly around ICT risk management, supplier governance, and incident handling. But there are also areas where DORA imposes requirements that ISO 27001 does not fully cover, and areas where an ISO 27001 certificate provides evidence that satisfies DORA expectations without additional documentation work. Getting the mapping right matters for firms that want to avoid maintaining two parallel compliance programmes.
What DORA actually requires
DORA is structured around five pillars: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. The regulation applies directly to a wide range of entities including credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers (CASPs under MiCA), and central securities depositories.
The ICT risk management requirements in Chapter II of DORA require firms to maintain an ICT risk management framework, identify and classify ICT assets and functions, protect those assets with appropriate controls, detect anomalous activities, and have tested response and recovery capabilities. That description will sound familiar to anyone who has implemented ISO 27001 - because it is broadly the same risk-based lifecycle that ISO 27001 clause 6 and Annex A describe, anchored to information assets.
The key difference is that DORA is a regulation with direct supervisory consequences, not a voluntary certification standard. Non-compliance is a matter for national competent authorities (the relevant financial regulator in each member state), not a certification body.
Where ISO 27001 and DORA map closely
The strongest overlap is in ICT risk management and asset management.
ISO 27001 clause 6 (risk management) - the requirement to identify, assess, and treat information security risks maps directly onto DORA Article 6, which requires firms to identify all sources of ICT risk and maintain a risk management framework with documented risk tolerance levels. A well-maintained ISO 27001 risk register, with treatment plans, owners, and evidence of review, is directly useful evidence for DORA ICT risk management obligations.
ISO 27001:2022 Annex A.5.9 and A.5.10 (asset management) - DORA Article 8 requires firms to identify and classify ICT assets supporting critical or important functions. ISO 27001's asset inventory requirements overlap significantly here. If the ISMS asset register covers information assets, IT systems, software, and data flows, that register can serve double duty for DORA asset identification - provided it is specific enough to identify which assets support functions the firm has classified as critical or important under DORA.
ISO 27001:2022 Annex A.5.25 to A.5.28 (information security incident management) - DORA Chapter III imposes a structured incident management and classification process, with specific reporting timelines for major ICT-related incidents: initial notification, intermediate report, and final report to the competent authority. ISO 27001's incident management controls require documented procedures, defined roles, and a record of incidents and responses. The ISO 27001 incident management procedure does not automatically include the DORA reporting timelines or the classification criteria under the regulatory technical standards, but the underlying process documentation is shared.
ISO 27001:2022 Annex A.5.19 to A.5.23 (supplier relationships) - DORA Chapter V on ICT third-party risk is one of its most detailed chapters. It requires contractual provisions with ICT providers to include termination rights, audit rights, performance standards, and data location requirements. ISO 27001's supplier security controls require written agreements with information security terms and periodic supplier review. There is meaningful overlap, but DORA adds specific contractual content requirements that go beyond what ISO 27001 Annex A specifies.
Where DORA goes further than ISO 27001
There are three areas where DORA imposes obligations that ISO 27001 does not fully address.
Regulatory incident reporting - ISO 27001 requires an internal incident management process and evidence that incidents are handled. DORA requires external reporting of major incidents to the competent authority within defined timelines. Under Commission Delegated Regulation (EU) 2025/301, the initial notification is due within 4 hours of classifying the incident as major - and no later than 24 hours from becoming aware of it, where classification falls inside that window. An intermediate report follows within 72 hours of the initial notification, and a final report no later than one month after the intermediate report - or, where updated intermediate reports have been submitted, one month after the latest updated one. ISO 27001 does not require external regulatory reporting. A firm with ISO 27001 certification needs a separate DORA incident classification process and a tested reporting procedure that connects to the regulator.
Digital operational resilience testing - DORA Chapter IV requires regular testing of ICT systems and, for firms above certain size thresholds, threat-led penetration testing (TLPT) against critical systems. ISO 27001:2022 Annex A.8.8 covers management of technical vulnerabilities, and Annex A.5.36 covers independent information security review. Penetration testing is a common ISO 27001 implementation practice, but it is not a mandatory Annex A control in the way DORA's testing requirements are regulatory obligations. The scope, frequency, and methodology requirements under DORA's TLPT framework exceed what ISO 27001 prescribes.
ICT third-party concentration risk - DORA Articles 28 to 30 require firms to assess concentration risk at the entity level (how dependent are you on a single ICT provider) and at the sector level (is the financial system as a whole over-reliant on a small number of critical ICT providers). ISO 27001 supplier management is focused on individual supplier risk and does not address systemic or sector-level concentration. This is a genuinely new obligation for most firms.
The practical mapping question
For a firm holding ISO 27001 certification and now working through DORA compliance, the practical question is: which DORA obligations are already evidenced by the ISMS, which need supplementary evidence, and which require net-new work?
A useful starting point is the firm's Statement of Applicability (SoA). The SoA should already map Annex A controls to the firm's risk context. Extending that mapping to include the relevant DORA article for each control - where one exists - gives a clear picture of dual-use evidence. Controls that appear in both the SoA and the DORA mapping can be evidenced once; controls that appear only in DORA require additional work.
The areas that almost always require net-new work regardless of ISO 27001 status are: the major incident classification and reporting procedure (aligned to the classification criteria and materiality thresholds in Commission Delegated Regulation (EU) 2024/1772), the TLPT programme (for firms in scope), the ICT third-party register with DORA-specific contractual provisions, and the concentration risk assessment.
What auditors and supervisors look for
ISO 27001 auditors assess whether the management system is effective and conforms to the standard. DORA supervisors (national competent authorities) assess whether the firm has implemented DORA's specific requirements and can demonstrate operational resilience. The audiences and assessment criteria are different.
A common mistake is assuming that an ISO 27001 certificate demonstrates DORA compliance. It demonstrates that the firm has an effective information security management system, which is relevant and useful context for a DORA supervisor - but it is not a substitute for DORA compliance documentation. The firm still needs to be able to produce its DORA ICT risk framework document, its major incident classification procedure, its ICT register with criticality classifications, and its register of ICT third-party providers with contractual provisions.
The upside of holding ISO 27001 before working through DORA is significant: the governance infrastructure, the risk management discipline, the supplier documentation, and the internal audit habit all reduce the DORA implementation workload materially. Starting DORA compliance from scratch without an existing management system is considerably harder.
Where Kellwick fits
Kellwick advises EU financial firms on how to use existing ISO 27001 evidence to support DORA compliance, and how to identify the genuine gaps that need independent treatment. If you are an FX broker, payment institution, or CASP working through the overlap between DORA obligations and your ISO 27001 programme, see how the FX broker readiness review addresses regulatory alignment.
Where this fits
ISO 27001
Pass the audit. We find what blocks Stage 1 before the certification body does.
Read the ISO 27001 hubNeed a second pair of eyes before the auditor does?
A readiness review shows exactly where your ISMS stands - and what to fix first - while there is still time to act on it.
Stay audit-ready
Occasional, practical notes on ISO 27001 readiness and ISMS maintenance. No noise.