DORA blocks show operations as essential

DORA Advisory Services by Tymans Group

As I have been working in financial services for over 30 years, I'll explain it as if this is our company. This is important, because I want you to really understand the impact on the company.

What is our Advisory Service?

The DORA advisory service is tailored to your needs. We can focus on the whole DORA regulation versus the IT operations, or on those specific areas that have already been analysed as lacking in the company.

We look at the existing policies and procedures and analyse where they are compliant with the DORA regulations. We identify the gaps and propose remedial updates. Our updates are verified through earlier work which was vetted by second line and sometimes even regulators (where possible; the regulators themselves are still getting to grips with this).

Test of Existence and Design

With our updates, you can be sure that you are "Test of Existence" ready. But that is not enough.

If you want us to, we go further: we sample every required policy and procedure against its actual implementation and check whether the policy or procedure actually protects against the intended risk. This is called the "Test of Design." If the risk, validated against the DORA requirements, is not addressed, we adjust the policies and procedures in alignment with management.

Test of Effectiveness

In alignment with you, we can then proceed to the actual effectiveness advisory. That is a much longer-term commitment. Here we need to demonstrate that the systems and procedures are effective during normal operations.

This requires that all critical and important systems and operations can demonstrate that they comply with all DORA regulations and that, if any incident were to happen on these systems, the firm is capable of handling it in a manner consistent with the DORA regulation.

That will probably require more work, both on legacy systems and on new systems that were built for delivery of business value, but not necessarily for resilience (for all the right reasons known at the time).

Bottom Line

You receive a tailor-made governance and procedure set, per your needs and our agreement, that will stand up to regulatory audit. More importantly, it protects your clients, and hence your reputation and bottom line.

As an aside

You need to know that the regulatory and political world is changing rapidly in 2025. The European Commission is reviewing key pieces of the regulation as of this writing. E.g., the European Commission has rejected the RTS on third-party outsourcing chain responsibility. While knowing how your subcontractors handle your critical and important functions is a good thing, the reality is that this might be hard to enforce, especially now that the EU Commission has stated that article 5 of that RTS is outside the scope of the EU Commission mandate. The last word on this clearly has yet to be spoken.

TY keeps track of these EU legislative and juridical evolutions and helps you apply the right balance to your policies, procedures and actual IT operations. And this at a significantly better cost than the big consultancies. How can we do this? Because we have our boots on the ground: TY is connected with financial industry associations such as Assuralia and Febelfin, to name just two.

We decide on the scope together with you:

  • Is this about all of DORA, or only certain areas?
  • Do you want us to coordinate the implementation or only identify the gaps?
  • To what level do you want us to go?
    • Existence
    • Design
    • Effectiveness (meaning, just fix it)

What does this cost?

The answer you hate? It depends.

If you are a large international enterprise, you will probably have already spent several hundred thousand euro, if not millions, on this.
If you are an SME and you have just realised you provide services to or within the financial industry, you may not yet have spent any, or only minor, funds on this.

I also hate open answers on the cost question, so here it goes:

Full DORA Analysis for a single country company or Business Unit: from €65,000 +VAT

What is DORA?

DORA—the Digital Operational Resilience Act—is essentially a regulatory framework designed to make sure that financial institutions can withstand, respond to, and quickly recover from all kinds of digital disruptions. It came into full effect on January 17th, 2025.

In today’s environment, where our operations, customer interactions, and even strategic decisions hinge on technology, having such a robust framework isn’t optional—it has to be part of our DNA.

What DORA Means for Us:

  • Comprehensive ICT Risk Management:

DORA requires us to review and reinforce our information and communication technology (ICT) risk management processes. It’s not just about installing firewalls or having backups; it’s about ensuring that from the top down, our entire digital infrastructure is resilient against cyberattacks, system failures, or any unexpected digital incidents. 

I have seen that many advisors, even from the big four, make the mistake of focusing on cybersecurity and governance only. It goes further. We have to look at our systems, our IT processes and even how we as a business prioritise our business service developments.

  • Accountability at the Highest Level:

One key point is that DORA places significant responsibility on senior management and the board. The board is expected to have an active role in overseeing digital risk management. In practical terms, this means you and your colleagues need to be fully aware of the risks and the measures we’re putting in place to mitigate them. It’s no longer sufficient to delegate all digital security issues to IT—we all have skin in the game.

That skin is to the tune of personal fines and even jail sentences if it turns out that, as a board member, you have not been paying attention. In this respect it is not so different from your obligations under other financial services laws.

  • Third-Party and Vendor Management:

DORA doesn’t stop at our internal systems. It extends to all third-party ICT service providers we rely on. Whether it’s our cloud services, software vendors, or cybersecurity consultants, we must ensure that they meet rigorous standards. This pushes us to conduct regular due diligence and enforce strict contractual obligations to guarantee that their risk posture aligns with ours.

  • Regular Testing and Incident Reporting:

The regulation mandates regular, rigorous testing of our digital resilience. This includes stress tests, scenario-based exercises, and penetration tests to identify vulnerabilities before they can be exploited. Additionally, should an incident occur, DORA outlines clear protocols for reporting. This transparency ensures that regulators—and by extension, the market—have confidence in our ability to manage disruptions.

Why did this law come to pass?

Over the past few decades, we’ve seen that a major ICT incident can disrupt not just a single company, but entire financial systems. DORA is a proactive step to mitigate those risks. While it does require us to invest in better systems, stronger oversight, and more robust contingency planning, it also strengthens our reputation with regulators, investors, and customers. Essentially, it turns potential vulnerabilities into competitive advantages by demonstrating that we’re serious about risk management in an increasingly digital world.

The Bottom Line:

DORA is more than another regulatory hurdle—it’s a comprehensive approach to ensuring our digital infrastructure is as resilient as our financial operations. By integrating these practices into our business model, we protect not only our bottom line but also the integrity of the entire financial system. As a board, our focus should be on ensuring that the strategies and investments necessary to comply with DORA are prioritized, integrated into our overall risk management framework, and continuously updated as technology evolves.

I’d be happy to discuss how we can implement these measures and what immediate steps we should consider. This isn’t about ticking boxes; it’s about safeguarding our future in a digital-first economy.

How TY can help you

TY started looking at DORA as early as 2020