DORA Compliance Consulting for Financial Entities in Belgium
Make digital operational resilience auditable. We help Belgian financial entities and their ICT third parties meet DORA's five pillars — from the ICT risk-management framework to incident reporting, resilience testing, and third-party oversight.
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) has applied since 17 January 2025 and binds virtually every EU financial entity — banks, insurers, investment firms, payment and electronic-money institutions, and crypto-asset service providers — together with the critical ICT third parties that serve them. DORA replaces fragmented national guidance with a single harmonised rulebook built on five pillars: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. ICTLAB helps Belgian entities operationalise these obligations under the supervision of the NBB and FSMA, integrating DORA with existing NIS2, ISO 27001, and NIST programmes so that operational resilience becomes provable rather than aspirational.
What We Deliver
DORA Scoping & Gap Assessment
Assessment against DORA's five pillars and the applicable RTS/ITS, with a proportionality determination and prioritized remediation items.
ICT Risk Management Framework
Governance, policies and controls meeting DORA Articles 5-16, including board accountability, the ICT risk framework, and backup & business-continuity arrangements.
Incident Classification & Reporting Procedures
Major-incident classification thresholds and initial, intermediate and final notification workflows to the NBB/FSMA in line with Articles 17-23.
Digital Operational Resilience Testing Programme
A testing plan covering vulnerability assessments, scenario-based tests and, for significant entities, threat-led penetration testing (TLPT) aligned with TIBER-EU under Articles 24-27.
ICT Third-Party Risk & Register of Information
Third-party risk policy, a complete Register of Information, and Article 30 contractual clauses including audit rights and documented exit strategies.
Resilience Roadmap & Board Reporting
A multi-phase implementation plan with timelines, ownership and board-level reporting to evidence and maintain DORA compliance.
How We Work
Scoping & Proportionality Assessment
Confirm whether your entity is in scope, whether the simplified or full ICT risk framework applies, and map obligations to NBB/FSMA supervisory expectations.
Gap Analysis against DORA & RTS/ITS
Evaluate current ICT risk, incident, testing and third-party controls against the regulation and its technical standards, then prioritize remediation.
ICT Risk Framework & Policy Implementation
Build the ICT risk-management framework, governance and documentation required by Chapter II, integrating with existing ISO 27001 and NIS2 controls.
Incident Reporting & Resilience Testing Setup
Implement incident classification and reporting workflows and a testing programme, including TLPT/TIBER-EU coordination where required.
Third-Party Register & Ongoing Oversight
Establish the Register of Information, embed Article 30 clauses into contracts, and maintain continuous monitoring as standards and the threat landscape evolve.
Frequently Asked Questions
Does DORA apply to my organization?
DORA applies to a broad range of EU financial entities — banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers, and more — and to the critical ICT third parties that serve them. Smaller entities may qualify for a simplified ICT risk framework under the proportionality principle. We assess your specific scope.
Since when does DORA apply, and what are the deadlines?
DORA entered into force in January 2023 and has applied since 17 January 2025. Obligations such as the Register of Information and major-incident reporting are already enforceable, so supervisors (NBB/FSMA) expect demonstrable compliance now — any remaining gaps should be closed without delay.
How does DORA relate to NIS2, ISO 27001 and NIST?
DORA acts as lex specialis for the financial sector and overlaps heavily with NIS2 risk-management measures, ISO 27001 controls and the NIST CSF. Entities with a mature ISMS or NIS2 programme have a head start; we map existing controls onto DORA to avoid duplicated effort.
What must a contract with an ICT provider contain under Article 30?
Article 30 requires specific contractual provisions for ICT services, including clear service descriptions, data location and processing terms, access, inspection and audit rights, incident-assistance obligations, sub-contracting conditions, and documented exit strategies — all recorded in the Register of Information.
Do we need threat-led penetration testing (TLPT)?
Significant financial entities must perform advanced threat-led penetration testing at least every three years, aligned with the TIBER-EU framework. We determine whether TLPT applies to you and coordinate testing with certified red teams and threat-intelligence providers.
From Our Blog
13 June 2026
DORA vs NIS2: Overlap, Differences and Which One Applies
DORA and NIS2 both govern cyber resilience — but which applies to your organisation? Scope, the lex specialis rule, the five DORA pillars, key dates, and a decision guide for Belgian entities.
13 June 2026
DORA ICT Third-Party Risk: Building Your Register of Information
DORA's third-party rules (Art. 28–30): what the Register of Information must contain, the mandatory contractual clauses (Art. 30(2) vs 30(3)), critical-or-important functions, and the 2025 reporting deadlines.
12 June 2026
NIST CSF 2.0 for European SMEs: A Practical Implementation Guide
A step-by-step guide to NIST Cybersecurity Framework 2.0 for European SMEs: the six functions (Govern, Identify, Protect, Detect, Respond, Recover), tiers, profiles, and how it maps to NIS2 and ISO 27001.
12 June 2026
NIST AI RMF: Building Trustworthy AI (and How It Maps to the AI Act)
NIST AI Risk Management Framework explained: the four functions (Govern, Map, Measure, Manage), the Generative AI Profile, trustworthy-AI characteristics, and how it complements the EU AI Act.
9 June 2026
AI Act Risk Classification: Prohibited, High-Risk or Limited-Risk?
A practical decision guide to classify your AI system under the EU AI Act: prohibited practices (Art. 5), high-risk systems (Annex III), limited and minimal risk — with concrete examples.
9 June 2026
GDPR & AI: Training Data, Automated Decisions and DPIAs in Belgium
How GDPR applies to AI for Belgian companies: lawful basis for training data, automated decision-making (Art. 22), data protection impact assessments, and where GDPR meets the AI Act.
Related Services
Security Audit
Comprehensive evaluation of your security posture against industry standards. Our audits identify gaps and provide actionable remediation plans.
NIS2 Compliance
Navigate NIS2 with confidence. We help Belgian organizations understand their obligations, close compliance gaps, and build the security capabilities the directive demands.
SOC as a Service
Enterprise-grade security monitoring without the overhead. Our SOC-as-a-Service provides 24/7 threat detection, automated incident response, and NIS2 compliance — built for SMEs.