ICT risk management
A documented ICT risk framework approved by the management body: accountability sits with the board, not just IT. Asset mapping, protection, detection, response and recovery.
DORA requires financial entities to prove demonstrable digital operational resilience: ICT risk governed by the board, major incidents reported within hours, tests driven by the real threat. An attack on the financial sector is not a balance-sheet event: it is someone, with a name and known TTPs.
DORA does not ask for policies: it asks you to detect, classify, report, test and oversee. Every pillar presupposes an operation that actually works, 24·7·365.
Classification of ICT incidents and reporting of major ones to the supervisor: 4 hours from classification, intermediate report at 72 hours, final within 1 month. Harmonised templates (RTS 2025/301).
A risk-proportionate testing programme, up to TIBER-EU based TLPT at least every 3 years for significant entities: scenarios built on the actors that actually target the sector.
Register of ICT contracts, mandatory clauses, exit strategies, direct European oversight of critical providers. Your supplier's resilience becomes part of yours.
Voluntary exchange of cyber threat intelligence between financial entities: IOCs, TTPs, sector alerts. Sector defence is collective or it is nothing.
More than 20 categories of financial entities: banks, investment firms, insurers and reinsurers, payment and e-money institutions, fund managers, trading venues, crypto-asset service providers, plus critical ICT providers designated by the European authorities. Unlike NIS2, DORA is a regulation: identical across the EU, no national transposition, applicable since 17 January 2025.
Detection and containment in minutes, evidence and timeline ready for the 4-hour notification. Incident classification rests on facts, not estimates.
Intelligence on 287 tracked adversary groups and attack tools: threat-led scenarios for TIBER-EU testing and a contribution to sector information sharing.
The Fortgale vertical for the financial sector: actors active against European banks, documented cases and service architecture.
EU financial entities: banks, investment firms, insurers, payment and e-money institutions, fund managers, trading venues, crypto-asset service providers, plus designated critical ICT providers. Supervision sits with your national financial authority together with the ESAs (EBA, ESMA, EIOPA).
Three stages (RTS 2025/301): initial notification within 4 hours of classifying the incident as major, and no later than 24 hours from detection; intermediate report within 72 hours; final report within 1 month with complete root cause analysis.
DORA is lex specialis: on the obligations it covers (ICT risk, reporting, testing) it prevails over NIS2 for financial entities. Non-financial suppliers in the chain remain in the NIS2 perimeter.
Threat-led penetration tests on the TIBER-EU framework: scenarios built on the actors and TTPs that actually target your sector. Mandatory at least every 3 years for significant entities. Their quality depends on the threat intelligence behind them.
Yes, since 17 January 2025, in all Member States and with no national transposition. The technical standards on reporting, testing and third parties are operational too.
A DORA assessment clarifies the distance between your operational capability and the one the regulation presupposes. European SOC headquartered in Milan since 2017, 24·7·365: we reply within one business day.
Response in 30 minutes, containment in 1–4 hours. Even if you are not a Fortgale customer.