DORA readiness
ISO 27001 gets you certified. DORA keeps your licence. We close the gap between them.
A DORA gap analysis for FX brokers and financial entities, mapped against your ISO 27001 ISMS - so you can see exactly where 'certified' stops and 'DORA compliant' begins.
CQI/IRCA ISO/IEC 27001:2022 Lead Auditor trained · IRCA Associate Auditor - ISMS · CQI Practitioner Member - PCQI
The problem
DORA has applied to EU financial entities since 17 January 2025, and supervisors are now actively checking. If you are a regulated financial entity, compliance is not optional - it is a condition of your licence, supervised by your competent authority.
ISO 27001 is a genuine foundation. It gives you a governed ISMS, a risk process and a control set that map onto much of what DORA expects. But ISO 27001 is a voluntary standard, and DORA is binding regulation. The distance between the two - incident reporting on the regulator's timeline, a prescribed ICT third-party register, mandatory resilience testing, board-level oversight - is precisely the ground a supervisor probes first. Certified is a head start. It is not the finish line.
Coming from the ISO side? Start with an ISO 27001 readiness assessment and build DORA on top of it.
The four DORA pillars
Four pillars carry most of the obligation. Each one is somewhere your ISMS either already helps - or leaves a gap a supervisor can see.
A governed framework for identifying, protecting, detecting and recovering ICT systems - board-owned, documented and tested, not just an IT checklist.
Classifying ICT-related incidents and reporting major ones to your regulator inside strict timelines. ISO 27001 asks you to manage incidents; DORA dictates when and how you report them.
A programme of resilience testing - from vulnerability assessments to scenario-based tests - proving you can keep operating through disruption, not just that controls exist on paper.
A register of ICT providers with contractual, monitoring and exit requirements. Your PSPs, cloud, liquidity and platform vendors are in scope - concentration risk included.
What Kellwick delivers
One control set, one evidence base, one roadmap - so DORA reinforces your ISO 27001 programme instead of duplicating it.
DORA gap analysis mapped to your ISMS
A structured gap analysis against your existing ISO 27001 controls, so you can see exactly where 'certified' stops and 'DORA compliant' begins.
ICT third-party register review
A review of your register of information - PSPs, cloud, liquidity and platform vendors - against DORA's contractual, monitoring and exit requirements, concentration risk included.
Incident-reporting readiness
Whether you can classify a major ICT incident and report it to your regulator inside the required deadlines, with the process and templates to do it under pressure.
Resilience-testing gap
Where your testing programme sits against DORA - from vulnerability assessments to scenario-based tests - and what a supervisor would expect to see evidenced.
A prioritised remediation roadmap
A clear, sequenced plan of what to close first, mapped to effort and supervisory exposure, so the work is a project and not a panic.
ISO 27001 vs DORA
Same territory, different force. This is the difference a broker actually needs to plan around.
| Area | ISO 27001 | DORA |
|---|---|---|
| Nature | Voluntary certification against a standard. | Binding EU regulation for financial entities. |
| Incident reporting | Manage and learn from incidents. | Classify and report major ICT incidents to the regulator within set deadlines. |
| Resilience testing | Recommended; scope is yours to define. | Mandatory testing programme, with threat-led testing for significant entities. |
| Third-party risk | Supplier controls in Annex A. | Prescribed ICT third-party register, contract terms, monitoring and exit plans. |
| Enforcement | Certificate withdrawn by the certification body. | Supervisory action by your competent authority - a licence matter. |
FX broker specifically? See our FX broker ISO 27001 readiness page for the ISMS side of the same picture.
DORA + ISO self-check
Answer honestly. This is an indicative signal, not a formal gap analysis - but it will tell you fast whether your ISO 27001 programme has left DORA gaps a competent authority would expect you to have closed.
Want the maintenance side handled continuously? See vCISO / Managed ISMS.
DORA questions, answered
A DORA gap analysis, mapped against your ISO 27001 ISMS, with a prioritised roadmap to close what is missing. Scoped on a short call.
Certification is issued by accredited certification bodies; DORA supervision is performed by regulators. Kellwick prepares you for these processes; it does not perform them and cannot guarantee their outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.