Key Takeaways
- DORA is mandatory from 17 January 2025.
- There is no single cost; it depends on how complex your organization is.
- €5–15M usually covers planning.
- Large institutions often spend €25–150M in total.
- Compliance creates ongoing costs.
- Testing, vendors, and incident reporting are the biggest cost drivers.
- Non-compliance can mean fines of up to 2% of global turnover.
- Using integrated platforms can significantly reduce total cost.
The Digital Operational Resilience Act (DORA) is the European Union’s attempt to ensure that banks, insurers, brokers, payment services, investment firms, and their third‑party ICT providers can withstand and quickly recover from information‑system failures and cyber‑attacks. Enacted on 16 January 2023, DORA becomes fully applicable on 17 January 2025. The regulation unifies and expands existing ICT‑risk rules across the EU and imposes tough penalties on those who fall short.
How Much Does DORA Certification Cost?
It’s a question that is often asked and hard to answer. This blog attempts to break down the regulatory requirements, the cost drivers, and the price tags quoted by reputable studies and official documents.
What DORA Requires: The Five Pillars
DORA covers five interconnected domains:
- ICT risk‑management framework
- Digital operational resilience testing (DORT)
- ICT‑related incident management and reporting
- ICT third‑party risk management
- Information‑sharing arrangements
DORA applies to over 22 000 financial entities and critical ICT service providers. It harmonizes numerous sectoral rules that were previously fragmented and led to high compliance costs. The act is enforced by national supervisory authorities and the European Supervisory Authorities (ESAs). Critical ICT third‑party providers face oversight and may be fined up to 1 % of their average daily worldwide turnover for up to six months if they fail to comply with the measures imposed by the lead overseer.
The Price of Failure
Non‑compliance with DORA can be extremely expensive. Under the regulation:
- Financial penalties: institutions could be fined up to 2 % of their annual worldwide turnover, or €5 million in the case of critical third‑party providers, whichever is higher.
- Daily penalty payments for critical ICT providers: the lead overseer may impose daily penalty payments of up to 1 % of average daily worldwide turnover until compliance is achieved.
- Personal liability: executives may face personal fines of up to €1 million for serious compliance failures.
- Reporting of major incident costs: the ESAs’ joint guidelines require financial entities to estimate and report the aggregated annual costs and losses of major ICT‑related incidents; firms must aggregate gross costs, losses, and financial recoveries for major incidents and submit this information to regulators.
Beyond fines, non‑compliance invites reputational damage, customer attrition, higher cyber‑insurance premiums, and, for smaller firms, the possibility of exiting heavily regulated markets altogether.
What Drives Compliance Costs?
1. Program orchestration and gap analysis
Institutions first need to perform gap assessments, design compliance programs and orchestrate cross‑functional teams. A McKinsey survey of major European financial institutions found that most firms have earmarked €5 million to €15 million just for the strategy, planning, design, and orchestration phase of DORA programs.
2. Full implementation costs and technology upgrades
Implementation involves upgrading legacy systems, building or buying resilience‑testing capability, revising contracts, and deploying integrated risk‑management platforms. McKinsey’s research shows that full implementation costs are typically five to ten times the initial program budget, meaning total costs can reach €25–150 million for large institutions. One large bank projected a total DORA spend of nearly €100 million. A Forbes analysis echoes this, noting that typical budgets of €5–15 million are ballooning to five‑to‑ten times that range, with only a third of organizations confident of meeting the deadline.
3. Human resources and expertise
Compliance is labour‑intensive. McKinsey observed that roughly 40 % of financial entities dedicate more than seven full‑time equivalents (FTEs) to their DORA programs, while SBS’s analysis (citing the same study) notes that almost four in ten entities assign more than seven FTEs. Salaries for cybersecurity specialists, legal counsel and compliance officers significantly contribute to the cost. Consultants and external advisors add further expense.
4. Resilience testing and threat‑led penetration testing (TLPT)
Systemically important institutions must conduct TLPT at least every three years. These simulated attack exercises often require ethical hackers, threat‑intelligence teams and independent evaluators. TLPT can cost hundreds of thousands of euros per test, and the requirement to repeat them periodically adds to ongoing costs. Firms must also budget for vulnerability scanning, scenario testing and disaster‑recovery drills.
5. Third‑party and supply‑chain risk management
DORA demands comprehensive oversight of all ICT service providers, including subcontractors. Organisations must maintain registers of all ICT services and remediate contracts to insert mandatory clauses. For firms with hundreds of vendors, this exercise requires contract management systems and legal review. The EY Irish Financial Services analysis warns that for smaller entities, the cost of DORA compliance certification may outweigh the value, potentially forcing them to leave the EU market.
6. Incident reporting and cost estimation
DORA’s incident reporting rules require financial entities to classify incidents and notify regulators quickly, using standardised templates. The ESAs’ guidelines on aggregated annual costs and losses demand that firms estimate the gross costs, losses and financial recoveries for each major ICT‑related incident and aggregate them for the reference year. Implementing systems to capture this data, assign cost codes, and generate reports adds overhead.
7. DORA Training and awareness
Staff across business units must be trained on new processes, reporting obligations, and cyber‑hygiene. Regular drills, awareness campaigns, and board‑level briefings are necessary to instil a culture of digital resilience. Digital Operational Resilience Act training costs are recurring and scale with workforce size.
How Much? Case Studies and Market Estimates
| Source / Study | Key Cost Findings |
|---|---|
| McKinsey survey (2024) | Most surveyed financial institutions budgeted €5–15 million for DORA strategy, planning and orchestration, but full implementation costs are expected to be 5–10 × higher, reaching €25–150 million; one large FI projected €100 million total spend. 70 % of respondents expect higher ongoing run‑rate costs for technology and controls after DORA takes effect. |
| Forbes analysis (2025) | Typical €5–15 million budgets are ballooning up to 10×; integrated suites can reduce total compliance costs by up to 40 %, and only 31 % of organisations believe they will be DORA‑ready on time. |
| Infosecurity Magazine (2024) | In a survey of 350 CISOs, 47 % of UK CISOs and 38 % of EU CISOs reported spending more than €1 million on DORA compliance; large financial organisations may spend tens of millions. |
| FinTech Futures (2024) | Compliance costs across the financial sector average $181 billion annually, with an average cost per employee of about $10 000; DORA’s additional requirements are expected to increase these costs. Non‑compliance fines can reach 2 % of annual worldwide turnover or €5 million. |
Strategies to Manage and Reduce Costs
- Start early and take a risk‑based approach. Delays inflate budgets, as organisations scramble to remediate contracts and implement controls. Prioritise critical functions and high‑risk vendors to allocate resources efficiently.
- Leverage existing frameworks and certifications. Many institutions have already invested in ISO 27001, NIST CSF or operational‑resilience frameworks. Mapping these to DORA requirements can reduce duplication and save money.
- Invest in integrated platforms and automation. McKinsey’s scenario analysis suggests that integrated RegTech suites can cut total compliance costs by up to 40 %. Centralised tools for risk management, incident reporting and third‑party oversight reduce manual effort and improve data accuracy.
- Negotiate with third‑party providers. Vendors can incorporate DORA‑compliant clauses into standard contracts, leveraging economies of scale. Some large technology providers are proactively offering contract templates.
- Continuous training and awareness. Building a culture of resilience reduces the likelihood of costly incidents and ensures that staff understand their roles in incident reporting and recovery.
- Plan for ongoing costs. DORA compliance certification is not a one‑off exercise. McKinsey notes that 70 % of institutions anticipate permanently higher run‑rate costs for technology and controls. Budgeting for ongoing maintenance, periodic TLPT exercises and regular updates will prevent unpleasant surprises.
Centraleyes and DORA
DORA is reshaping the way European financial entities manage digital risk. Compliance is non‑negotiable, yet the costs are high and vary widely by organization size, complexity and readiness.
For those seeking to simplify and centralise compliance management, platforms like Centraleyes offer governance, risk, and compliance (GRC) solutions tailored to DORA requirements.
Start Getting Value With Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC system does and eliminates the need for manual processes and spreadsheets to give you immediate value and run a full risk assessment in less than 30 days.
FAQs
1. Does DORA require a full redesign of existing ICT or cyber risk frameworks?
In most cases, no. Existing frameworks can be extended to meet DORA requirements. The challenge lies in achieving consistent structure, traceability, and coverage across ICT risk management, resilience testing, incident response, and vendor oversight.
2. How detailed must ICT risk documentation be to meet DORA expectations?
Documentation must go beyond high-level statements. Risks are expected to be:
- Linked to critical or important functions
- Mapped to specific systems, services, and dependencies
- Maintained dynamically as environments change
3. What qualifies as a “major ICT-related incident” in practice?
While DORA defines thresholds, classification often requires judgment. Many challenges arise from partial disruptions that affect services without causing a complete outage. Clear internal criteria and escalation paths are essential to ensure consistent classification and reporting.
4. How should third-party ICT risk be handled under DORA?
DORA raises expectations around vendor visibility and oversight. Financial entities are expected to:
- Maintain updated inventories of ICT service providers
- Assess concentration and substitution risks
- Monitor critical third parties on an ongoing basis
5. Does DORA apply equally across all EU financial entities?
The core requirements apply broadly, but proportionality matters. Size, complexity, and systemic importance influence how controls are implemented, though all in-scope entities must demonstrate resilience appropriate to their risk profile.
6. How frequently must ICT risk assessments be updated under DORA?
DORA expects assessments to be living processes, not annual exercises. Updates should occur when:
- Critical systems change
- New services or vendors are introduced
- Significant incidents occur