The Digital Operational Resilience Act (Regulation (EU) 2022/2554) has applied to financial entities since 17 January 2025, bringing roughly 22,000 EU banks, insurers, investment firms, and their critical ICT providers under a single operational-resilience rulebook. The firms below help institutions close gaps across DORA's five pillars: ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing. No firm pays for placement on this directory.
DORA is not a single project but five interlocking workstreams, and most institutions need different partners for different pillars. The strongest selection signal is depth on threat-led penetration testing (TLPT), which DORA models on the TIBER-EU framework and mandates for significant entities on a roughly three-year cycle. Firms that can field accredited red teams and threat-intelligence providers under the TIBER-EU rules of engagement are scarce, and this capability separates serious resilience-testing partners from generic audit shops.
Weight three further criteria heavily. First, the register of information: DORA requires a structured inventory of all ICT third-party arrangements in the European Supervisory Authorities' prescribed format, and tooling plus data quality here is where many programmes stall. Second, ICT incident classification and reporting against the regulatory technical standards, including the major-incident thresholds and initial, intermediate, and final report timelines. Third, third-party risk and the contractual remediation needed for critical ICT providers, including the designation of Critical Third-Party Providers that the ESAs began in 2025. For platform-level security comparisons see our independent cybersecurity for financial services ranking, and for adjacent governance work see IT governance and compliance and cybersecurity services.
Tell us what you're evaluating and we'll send a tailored shortlist of vendors that actually fit — no vendor funding, no pay-to-play.
6,000+ vendors · 893 comparisons · 48 country guides · Independent & vendor-neutral