Resilience. Compliance. Operational security.

DORA: digital resilience is a requirement, not a choice

The DORA regulation does not only apply to banks and insurers: it directly affects critical ICT service providers serving the financial sector. It has been in force since 17 January 2025, and in Italy, Banca d'Italia has harmonised national rules with the 51st update to Circular 285. AtWorkStudio, based in Piacenza, supports your compliance journey with a management system certified to ISO/IEC 27001, 27017, 27018 and ISO 9001.

Free online assessment

Is your ICT resilience level adequate?

Find out in 15 minutes with our assessment based on the NIST Cybersecurity Framework 2.0, the international standard for cyber risk management. The ideal starting point to evaluate your security posture against DORA requirements.

106 questions · Instant report · No commitment

Start the free assessment

EU Regulation 2022/2554

The pillars of DORA: what organisations must do

DORA establishes binding requirements for the digital operational resilience of financial entities and their critical ICT service providers. In Italy, Banca d'Italia published the 51st update to Circular 285 on 3 February 2026, harmonising national rules with the European regulation. Non-compliance carries significant penalties and the risk of exclusion from the financial supply chain.

ICT risk management

Financial entities must adopt a comprehensive ICT risk management framework: identification, protection, detection, response and recovery. The framework must be documented, regularly updated and approved by senior management.

Incident reporting

Financial entities must classify major ICT incidents and report them to the competent authorities. Timelines are strict: an initial notification, an intermediate report and a final report, according to criteria defined by the ESAs.

Operational resilience testing

Organisations must conduct periodic digital resilience tests, including vulnerability assessments, penetration tests and, for significant entities, advanced threat-led penetration testing (TLPT).

Third-party ICT management

DORA sets specific requirements for managing the risks arising from third-party ICT providers. Contracts must include clauses on security, audit rights, exit strategies and operational continuity. Critical providers are subject to direct oversight by the authorities.

ICT governance

Senior management is directly responsible for the digital resilience strategy. They must define, approve and supervise ICT policies, ensuring adequate competencies and continuous training.

ATWS compliance support

AtWorkStudio operates as a qualified ICT provider with ISO 27001, 27017, 27018 and ISO 9001 certifications. We offer incident response, vulnerability assessment, business continuity and structured security governance.

Not just banks: ICT providers too

Who must comply with DORA and why it concerns you

DORA applies to banks, insurance companies, investment firms, payment providers and all critical ICT service providers serving the financial sector. If your company develops software, manages cloud infrastructure or delivers IT services to financial clients, you are directly affected. Compliance is not optional: it is a condition for operating within the financial value chain.

NIST CSF 2.0 Assessment

We start with a free assessment based on the NIST framework to capture your current cyber maturity level. 106 questions, an instant report and a concrete action plan to close the gaps against DORA requirements.

Incident response and resilience

We support you in defining ICT incident response processes, business continuity and disaster recovery plans, and the operational resilience testing required by the regulation.

Certifications and governance

Our management system, certified to ISO/IEC 27001, 27017, 27018 and ISO 9001, demonstrates structured ICT governance. We help you achieve the certifications that attest to DORA compliance.

DORA as a competitive advantage: prove your organisation's resilience

Contact us for dedicated DORA compliance consulting. Whether you are a financial entity or an ICT provider, we will guide you on the path to full compliance.