
FortisEU — DORA vs ISO 27001

Regulation Meets Certification

Financial services firms with ISO 27001 often assume they're covered for DORA. Learn where ISO 27001 falls short and what DORA demands beyond a certified ISMS.

| Feature | DORA | ISO 27001 |
|---|---|---|
| Nature & Scope | | |
| Type | EU Regulation (directly applicable) | International Standard (voluntary) |
| Sector Scope | Financial entities + ICT third-party providers | Any sector, any organization size |
| Legal Force | Mandatory, supervisory enforcement | Voluntary, certification body audit |
| ICT Risk Management | | |
| Risk Framework | Prescriptive ICT risk management framework | Flexible ISMS risk approach |
| ICT Asset Management | Mandatory ICT asset register + classification | Asset inventory (A.8) |
| ICT Change Management | Formal ICT change control processes | Change management (A.8.32) |
| Third-Party Oversight | | |
| Third-Party Risk Depth | Extensive: register, exit plans, concentration risk | Supplier relationships (A.15) |
| Critical ICT Providers | Direct oversight by EU supervisory authorities | No specific provision |
| Subcontracting Chains | Mandatory sub-outsourcing controls | Not explicitly addressed |
| Testing & Resilience | | |
| Resilience Testing | Mandatory TLPT for significant entities | Internal audit + penetration testing |
| Incident Reporting | Mandatory reporting to competent authority | Internal incident management process |
| Business Continuity | ICT-specific continuity + recovery plans | Comprehensive BCM (A.17) |

How FortisEU Helps

Manage Both with FortisEU

ISO 27001 as a Head Start

An existing ISMS covers roughly 60-70% of DORA's risk management requirements. FortisEU identifies the remaining gaps so you build on what you have.

ICT Third-Party Register

DORA requires a detailed register of ICT third-party providers with exit strategies and concentration risk analysis—far beyond ISO 27001's supplier controls. FortisEU automates this.

TLPT Coordination

Threat-Led Penetration Testing is mandatory for significant financial entities under DORA. FortisEU tracks TLPT planning, execution, and remediation in one workflow.

Unified Evidence Base

Maintain one evidence repository that satisfies both ISO 27001 auditors and DORA supervisory reporting, eliminating duplicate documentation.

FAQ

Common Questions

Does ISO 27001 certification mean I'm DORA-compliant?

No. ISO 27001 provides a strong foundation—particularly around risk management, access control, and incident processes—but DORA adds prescriptive requirements for ICT third-party oversight, mandatory TLPT testing, supervisory incident reporting, and ICT concentration risk analysis that ISO 27001 does not cover.

What are the biggest DORA gaps for ISO 27001-certified firms?

The three largest gaps are typically: (1) ICT third-party risk register with exit strategies and concentration risk, (2) Threat-Led Penetration Testing (TLPT) for significant entities, and (3) mandatory incident reporting to competent authorities within prescribed timelines. FortisEU maps these gaps automatically against your existing ISO 27001 controls.

When does DORA apply and who enforces it?

DORA has applied since January 17, 2025, as a directly applicable EU regulation (no national transposition needed). It covers banks, insurers, investment firms, payment institutions, crypto-asset service providers, and their critical ICT third-party providers. Enforcement is by national competent authorities, with the ESAs providing an EU-wide oversight framework for critical ICT providers.

Ready to See FortisEU in Action?

Experience how FortisEU simplifies compliance management. Create an account or schedule a personalized demo.