What does DORA implementation cost? Cost breakdown by company size, timeline, and ROI of GRC tooling.

What Does DORA Compliance Cost?

The cost of DORA compliance varies significantly with the size of the financial entity, its existing security maturity, the complexity of its ICT third-party landscape, and whether it has been identified for advanced requirements such as threat-led penetration testing (TLPT) under Art. 26. There is no one-size-fits-all answer, but the key cost drivers and realistic ranges can be laid out transparently.

Understanding costs upfront is critical for securing management body approval and allocating budget. Art. 5(2)(g) of DORA explicitly requires the management body to allocate, and periodically review, an appropriate budget to meet the entity's digital operational resilience needs across all types of resources, including ICT security awareness programmes and staff training. Cost transparency is therefore a regulatory expectation, not just good practice.

Key Cost Factors

Internal Personnel Costs

Internal personnel effort is typically the largest cost block. DORA compliance requires significant involvement from IT, risk management, compliance, legal, and procurement. Key activities include the gap analysis, framework documentation, information register build-out, contract review, and testing programme coordination.

For a mid-sized entity, expect at least 1-2 FTEs dedicated to DORA for 12-18 months during the initial implementation phase. For larger entities or groups, a dedicated project team of 3-5 FTEs is typical.

External Consulting

Most financial entities engage external consultants for specialised tasks: gap analysis against DORA requirements, framework design, RTS and ITS interpretation, contract clause drafting, and TLPT coordination. Day rates for DORA-specialised consultants typically range from EUR 1,500 to 2,500 per day.

GRC Tooling

A GRC tool is essential for managing the information register, tracking control implementation, documenting evidence, and generating supervisory reports. While DORA can theoretically be managed in spreadsheets, this approach does not scale and creates significant audit risk. GRC tool costs depend on the vendor and scope but typically range from EUR 15,000 to 80,000 per year depending on entity size and features required.

Technical Security Measures

DORA may require investment in technical security measures to close gaps in your ICT risk management framework. Common investments include: SIEM systems or upgrades, intrusion detection and prevention, network segmentation improvements, enhanced backup and recovery infrastructure, and identity and access management enhancements.

Resilience Testing

Annual basic testing (vulnerability assessments, penetration tests) typically costs EUR 20,000 to 80,000 per year depending on scope. TLPT engagements, where an entity has been identified for them, are substantially more expensive at EUR 200,000 to 500,000+ per engagement, and must be repeated at least every three years (Art. 26). See our Resilience Testing page for details.

Legal Review and Contract Amendments

Reviewing and amending ICT third-party contracts to meet Art. 30 requirements is a significant cost factor, especially for entities with many provider relationships. Legal costs depend on the number of contracts and negotiation complexity but can range from EUR 30,000 to 150,000 for the initial review and amendment cycle.

Total Cost Ranges by Entity Size

Cost category            | Small entity   | Mid-sized entity | Large / systemically important
Internal personnel       | 50-100k EUR    | 150-350k EUR     | 400-800k EUR
External consulting      | 30-80k EUR     | 80-200k EUR      | 200-500k EUR
GRC tooling (annual)     | 15-30k EUR     | 30-60k EUR       | 60-120k EUR
Technical measures       | 20-50k EUR     | 50-150k EUR      | 150-500k EUR
Testing (annual)         | 10-30k EUR     | 30-80k EUR       | 80-250k EUR
Legal / contract review  | 10-30k EUR     | 30-80k EUR       | 80-200k EUR
Total first year         | 135-320k EUR   | 370-920k EUR     | 970k-2.4M EUR

These ranges cover the initial implementation year. The testing row reflects basic annual testing only; a TLPT engagement (EUR 200,000 to 500,000+) applies only to entities identified for it and should be budgeted separately. Ongoing annual costs (maintenance, testing, tooling) typically amount to 30-50% of the first-year investment. Entities with an existing ISO 27001 ISMS typically save 30-40% on internal effort and consulting costs.

Implementation Timeline

DORA has applied since 17 January 2025. Entities still closing gaps must move quickly. Here are realistic timelines based on starting position:

Starting position              | With GRC tool  | Without dedicated tool
Existing ISO 27001 ISMS        | 4-6 months     | 6-10 months
Existing BAIT/VAIT compliance  | 5-8 months     | 8-14 months
Basic security measures only   | 8-12 months    | 14-20 months
Starting from scratch          | 12-18 months   | 18-24+ months

These timelines assume dedicated resources. If DORA compliance runs as a side project, expect timelines to double. For a step-by-step guide, see our DORA Checklist.

ROI of GRC Tooling

Investing in a GRC tool for DORA compliance delivers measurable return on investment through several channels:

  • Time savings: Pre-built DORA control frameworks and information register templates reduce the gap analysis and documentation effort by 40-60%
  • Audit readiness: Automated evidence collection and structured documentation mean you are always prepared for supervisory inquiries, avoiding costly fire drills
  • Reduced consulting spend: Structured tooling reduces the need for external consultants to build frameworks and templates from scratch
  • Penalty avoidance: DORA penalties for non-compliance can be substantial. See our DORA Penalties page for details on sanctions
  • Multi-framework synergies: A GRC tool enables you to map DORA controls against ISO 27001, NIS2, and other frameworks, avoiding duplicate work. See our ISO 27001 mapping for a concrete example.

Cost Optimisation Tips

  • Leverage existing frameworks: If you have ISO 27001 or BAIT/VAIT compliance, use the existing documentation and controls as a starting point. This can save 30-40% of implementation effort.
  • Check proportionality: Smaller entities (for example small and non-interconnected investment firms) may qualify for the simplified ICT risk management framework under Art. 16, significantly reducing requirements and costs.
  • Prioritise by risk: Focus initial investment on the highest-risk areas: incident reporting readiness, the information register, and critical-function contract review.
  • Combine with other compliance initiatives: If you are also implementing NIS2 or preparing for ISO 27001 certification, coordinate efforts to avoid duplication.
  • Start early: Time pressure leads to premium consulting rates and rushed implementations. A methodical approach over 12 months is far cheaper than a 6-month crash programme.

Get a realistic cost estimate for your entity

We help you assess your current DORA readiness and develop a realistic budget and timeline. Our initial consultation is free and non-binding.
