DORA readiness for CySEC-regulated FX and CFD brokers
DORA has applied to EU financial entities since 17 January 2025, and a CySEC-regulated FX or CFD broker is squarely in scope. A certificate proves your controls exist. DORA asks whether you can report an incident on the regulator's clock, test your resilience, and show a register of every ICT provider you depend on.
Kellwick maps your existing ISO 27001 evidence to DORA, builds the Register of Information a supervisor asks for first, and hands you a prioritised path - proportionate to your firm, not a compliance department you cannot staff.
Building the ISMS underneath it? ISO 27001 readiness for brokers →
Can your firm show these 5 things?
Why this becomes expensive late
No DORA fine against a financial entity exists to date. That is not a reason to wait: the first request is usually for a Register of Information, and a firm that cannot produce one is answering from behind.
ISO 27001 is a voluntary standard. DORA - Regulation (EU) 2022/2554 - is binding, directly applicable law, and it makes specific demands your ISMS was never built to satisfy on its own. The certificate is a genuine head start. It is not the finish line.
Certified proves your controls exist. DORA asks whether you can report, test and recover.
Where certified stops
What DORA actually requires
These apply to your firm as a Cyprus Investment Firm in DORA scope under Article 2(1)(e), with CySEC as your competent authority.
A documented, management-body-owned framework for identifying, protecting, detecting, responding and recovering across your ICT systems - not an IT checklist.
Classifying ICT-related incidents and reporting major ones to CySEC on a strict clock: an initial notification, an intermediate report and a final report, each on its own deadline.
An annual register of your ICT third-party (outsourcing) arrangements - which provider supports which function, on what terms - not a folder of scattered contracts.
A programme of testing proportionate to your firm, from vulnerability assessments to scenario-based tests, with findings tracked to closure.
Governing your PSPs, cloud, liquidity and platform providers: criticality classification, contractual terms, monitoring, exit plans and concentration risk.
Proportionality is real. A firm that qualifies as a small and non-interconnected investment firm can use DORA's Article 16 simplified ICT risk-management framework - materially lighter, and one of the first things worth confirming.
Major-incident reporting
Good incident response is not DORA reporting. Once an ICT incident is classified as major, a defined sequence of reports to CySEC begins, each on its own deadline under Commission Delegated Regulation (EU) 2025/301.
| Report | Deadline |
|---|---|
| Initial notification | Within 4 hours of classifying the incident as major, and no later than 24 hours from becoming aware of it where the classification falls within that window. |
| Intermediate report | Within 72 hours of the initial notification. |
| Final report | Within one month of the intermediate report. |
Timelines per Commission Delegated Regulation (EU) 2025/301. The point is the machinery: a classification test, an owner and a workflow, in place before a live incident - not during one.
Quick DORA readiness check
If the answer is not clear, you are not ready. You are hoping the certificate covers it.
What trips CySEC-regulated brokers up
An ISO 27001 certificate treated as DORA done
A certificate proves controls exist. DORA asks whether you can report, test and recover under supervision. It is not the same question.
No Register of Information on ICT arrangements
The register is the first thing a supervisor asks for. A shared drive full of contracts is not a register, and it is not annual.
Incident response with no reporting clock
Good recovery is not DORA reporting. The gap is the major-incident classification test and the deadline that starts when you classify.
ICT risk owned by IT, not the management body
DORA places the ICT risk-management framework with the management body. Left with IT, there is no oversight cadence and no reporting line.
One annual penetration test, no programme
DORA expects a digital operational resilience testing programme on a defined cadence, not a single event once a year.
The simplified framework never assessed
A small and non-interconnected investment firm may fall under DORA's Article 16 simplified framework - materially lighter, and easily missed.
Not ready for a full review?
Start with a 2-day Mini Gap Review.
Scoped and priced on a short call. We hand back your top Stage 1 blockers and the single next step that matters most.
ISO 27001 as the backbone
ISO 27001 is not legally required by DORA and does not discharge it. But the evidence a good ISMS already produces - risk treatment, incident records, supplier assessments, access reviews - is the same evidence DORA leans on. The work is the crosswalk: showing what carries over, and isolating the genuine regulatory gaps so you build one system, not two.
If you are still standing the ISMS up, that is the natural place to start - see ISO 27001 readiness for FX brokers.
The honest boundary
What you receive
A direct view of where your firm stands against DORA today.
A control-by-control map of what your ISMS evidence already answers under DORA, and where the genuine regulatory gaps are.
A structured register of your ICT third-party arrangements, classified by criticality, ready to hand to a supervisor.
The machinery DORA expects around incidents and resilience testing.
A direct walkthrough with your team: what is defensible, what is missing, and the prioritised path before a supervisory dialogue.
ISO 27001 to DORA crosswalk preview
| Area | What DORA expects | Common broker gap | Kellwick output |
|---|---|---|---|
| ICT risk framework | Management-body-owned framework with an oversight cadence | Risk owned by IT, no reporting line to the board | Board-owned framework mapped to your ISMS |
| Incident reporting | Major-incident classification test and a regulator clock | Strong recovery, no classification test or deadline | Classification test + CySEC reporting workflow |
| ICT third parties | Register of Information with criticality classification | PSP, cloud and liquidity contracts in a shared drive | Structured register + concentration and exit view |
| Resilience testing | A testing programme on a defined cadence | One annual pen test on the public-facing app only | Coverage map across critical functions |
| Proportionality | A documented simplified-framework position | Never assessed, so the whole effort is over-scoped | Article 16 assessment sized to your firm |
The process
You share what you already have: your ISO 27001 ISMS and evidence, ICT contracts, incident records, risk register, testing history and management-body papers.
We confirm your scope as a CIF, assess whether the simplified framework applies, and crosswalk your ISMS to DORA - so you see what carries over and where the real gaps are.
A DORA gap analysis mapped to ISO 27001, a Register of Information, an incident and testing playbook, and a prioritised roadmap ahead of any supervisory dialogue.
Before Kellwick
That sentence does not survive a supervisory request.
After Kellwick
Book this if
Led by a CQI/IRCA-trained ISO 27001 Lead Auditor
CQI/IRCA ISO/IEC 27001:2022 Lead Auditor trained. IRCA Associate Auditor - ISMS. CQI Practitioner Member - PCQI. 18 years in IT, SaaS, fintech, product and operations.
Kellwick is an independent advisory practice, not a certification body.
Typical starting points
Final scope and pricing are confirmed after a readiness call.
Scoped on a call
CySEC-regulated brokers that need a fast, external read on DORA exposure before committing to a full programme.
Scoped on a call
FX and CFD brokers preparing seriously for DORA, mapped against an existing or in-progress ISO 27001 ISMS.
Scoped on a call
Teams that need structured support keeping the ICT risk framework, register and testing cadence alive between supervisory touchpoints.
This is for you if
This is not for you if
Why Kellwick
Kellwick prepares regulated technology firms for the standards and regulations their customers and supervisors demand. DORA readiness for brokers is led by a CQI/IRCA-trained ISO/IEC 27001 Lead Auditor who understands how a CySEC-regulated broker actually runs - MT4 and MT5, PSPs, liquidity providers, IB portals and the vendor stack behind them.
That matters because DORA is not a documentation exercise. It is about whether ICT risk is owned at board level, whether you can classify and report an incident on the regulator's clock, and whether you can show a supervisor a governed register instead of a shared drive.
FAQ
Yes. A CySEC-regulated Cyprus Investment Firm, including an FX or CFD broker, is in scope as an investment firm under DORA Article 2(1)(e). DORA is Regulation (EU) 2022/2554 and has been directly applicable since it applied on 17 January 2025. Your competent authority is CySEC.
No. ISO 27001 is not legally required by DORA and does not discharge it. ISO 27001 is a voluntary ISMS, and it makes a natural backbone for DORA's ICT-risk, incident and third-party-register evidence - but DORA is the binding legal obligation. We map what carries over and show you the genuine gaps.
It can be. A firm that qualifies as a small and non-interconnected investment firm falls under DORA's Article 16 simplified ICT risk-management framework, which is materially lighter. It is easy to miss, so confirming whether you qualify is one of the first things we check.
Under Commission Delegated Regulation (EU) 2025/301, the initial notification to the competent authority is due within 4 hours of classifying the incident as major, and no later than 24 hours from becoming aware where the classification falls in that window. An intermediate report follows within 72 hours of the initial notification, and a final report within one month of the intermediate report.
No. DORA is Regulation (EU) 2022/2554 and is directly applicable across the EU. There is a separate instrument, Directive (EU) 2022/2556, which requires national transposition. They are different instruments and we do not conflate them.
No DORA fine against any financial entity exists to date. Supervisors are, however, actively checking - and the first thing they tend to ask for is your Register of Information. Readiness is about being able to answer that properly, not about a headline penalty.
From the blog
ICT risk, incident reporting and third-party governance for CySEC-regulated brokers.
MT4 and MT5 admin credentials are among the highest-risk access points in any FX broker. Here is the ISO 27001 evidence gap that appears in almost every readiness review.
Read →FX & Trading GRCA CySEC-regulated FX broker is not a standard SaaS company. Here is what an ISO 27001 auditor looks for first - and where most brokers fail Stage 1.
Read →Evidence & Audit PrepControl by control, what strong ISO 27001 evidence actually looks like - what auditors sample, what counts, and how to make your evidence findable before the audit.
Read →Certification is issued by accredited certification bodies; DORA supervision is performed by regulators. Kellwick prepares you for these processes; it does not perform them and cannot guarantee their outcome.
Find the gap before the bank or CySEC does.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.