
DORA Compliance for Belgian Financial Institutions

1 May 2026 · 9 min read · Caner Korkut

The Digital Operational Resilience Act (DORA) is the EU's regulatory framework for ensuring that financial institutions can withstand, respond to, and recover from ICT-related disruptions. Since its application date of January 17, 2025, Belgian financial entities supervised by the National Bank of Belgium (NBB) and the FSMA must comply with its comprehensive requirements.

What Is DORA?

DORA establishes a uniform set of requirements for the digital operational resilience of financial entities across the EU. Unlike NIS2, which applies broadly across sectors, DORA is specifically designed for the financial sector and takes precedence for entities within its scope.

The regulation aims to ensure that all participants in the financial system have the necessary safeguards to mitigate ICT risks, including cyberattacks, technology failures, and third-party service disruptions. It moves beyond a purely compliance-based approach to require genuine operational resilience.

Who Must Comply in Belgium?

DORA applies to a wide range of financial entities operating in Belgium:

  • Credit institutions — banks supervised by the NBB under the Single Supervisory Mechanism.
  • Payment institutions — licensed payment service providers.
  • Investment firms — entities supervised by the FSMA.
  • Insurance and reinsurance undertakings — all licensed insurers and reinsurers.
  • Crypto-asset service providers — entities authorized under MiCA.
  • Central securities depositories — including Euroclear Belgium.
  • Trading venues — including Euronext Brussels.
  • ICT third-party service providers — critical third-party providers designated by the European Supervisory Authorities, including cloud providers and managed IT services serving financial institutions.

Five Pillars of DORA Compliance

DORA is organized around five key areas that financial institutions must address:

1. ICT Risk Management

Financial entities must establish a comprehensive ICT risk management framework that includes identification and classification of ICT assets, continuous risk assessment, implementation of protection and prevention measures, and detection capabilities. The management body bears ultimate responsibility for defining and approving the ICT risk management strategy.

2. ICT-Related Incident Reporting

DORA requires financial entities to classify ICT-related incidents using standardized criteria and report major incidents to the NBB or FSMA. The reporting timeline includes an initial notification within four hours of classification, an intermediate report within 72 hours, and a final report within one month. These deadlines follow the same staged structure as NIS2 reporting but are not identical to it, so entities subject to both regimes should track them separately.

3. Digital Operational Resilience Testing

Entities must conduct regular testing of their ICT systems, including:

  • Basic testing — vulnerability scanning, network security assessments, and gap analyses performed annually.
  • Advanced testing (TLPT) — threat-led penetration testing modeled on the TIBER-EU framework, required at least every three years for significant financial entities. This goes beyond standard penetration testing and simulates real-world threat scenarios.

4. ICT Third-Party Risk Management

Financial institutions must maintain a register of all ICT third-party service providers, conduct due diligence before engagement, include mandatory contractual provisions for security and resilience, and regularly monitor third-party performance. Critical ICT third-party providers will be subject to direct oversight by European Supervisory Authorities.

5. Information Sharing

DORA encourages voluntary sharing of cyber threat intelligence among financial entities. Belgian financial institutions can participate in information sharing arrangements, including through the CCB's coordination mechanisms, while respecting data protection requirements.

DORA vs NIS2: Key Differences for Belgian Financial Entities

Belgian financial institutions may wonder how DORA relates to NIS2:

  • DORA takes precedence — as a sector-specific regulation, DORA overrides NIS2 for entities within its scope (the lex specialis principle).
  • Stricter requirements — DORA generally imposes more detailed and stringent requirements than NIS2, particularly around testing and third-party management.
  • Different supervisors — DORA compliance is overseen by financial supervisors (NBB/FSMA), while NIS2 is overseen by the CCB.
  • ICT third-party providers — companies providing ICT services to financial institutions may need to comply with both DORA (through contractual requirements) and NIS2 (directly).

Steps to Achieve DORA Compliance

  1. Assess your current state — conduct a gap analysis comparing existing ICT risk management practices against DORA requirements.
  2. Establish governance — ensure the management body has defined responsibilities for ICT risk and that reporting lines are clear.
  3. Build your ICT risk framework — implement or enhance identification, protection, detection, response, and recovery capabilities.
  4. Map third-party dependencies — create and maintain a comprehensive register of all ICT service providers and assess concentration risks.
  5. Implement incident reporting — establish processes to classify, escalate, and report ICT incidents within DORA's timelines.
  6. Plan resilience testing — develop a testing program that includes annual basic tests and, if applicable, three-yearly TLPT exercises.
  7. Document everything — DORA requires extensive documentation. Ensure policies, procedures, and records are comprehensive and audit-ready.

How ICTLAB Can Help

ICTLAB supports Belgian financial institutions in meeting DORA's demanding requirements. Our cybersecurity services include DORA gap assessments, ICT risk framework design, resilience testing programs including penetration testing and vulnerability assessments, and third-party risk management support. We understand the unique challenges facing Belgian financial entities and provide practical, implementation-focused guidance.

Whether you are a bank, insurer, payment provider, or an ICT service provider to the financial sector, our Brussels-based team can help you build the operational resilience that DORA demands.
