Comparison GuideEU

DORA vs ISO/IEC 27001 Legal resilience obligations versus ISMS assurance

DORA is an EU financial-sector regulation for digital operational resilience. ISO/IEC 27001 is a certifiable information security management system standard.

Use this comparison to see where ISO/IEC 27001 evidence can help DORA work, and where DORA still requires separate legal, reporting, testing, register, contract, and supervisory evidence.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
4

Structured answer sets in this page tree.

Primary sources
7

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

DORA and ISO/IEC 27001 overlap on risk management, security controls, evidence, audits, incident handling, supplier controls, and management accountability, but they are not substitutes. A financial entity can use an ISO/IEC 27001 ISMS as part of its control baseline, yet DORA still requires regulation-specific ICT operational resilience governance, major incident reporting, resilience testing, register-of-information records, ICT third-party contract controls, and supervisory readiness.

Side-by-side comparison

DORA vs ISO/IEC 27001: what overlaps and what does not

Use these rows to decide when an ISO/IEC 27001 ISMS artifact can support DORA and when a DORA-specific legal, supervisory, reporting, testing, or supplier record is still required.

Review all sources
First framework
EU DORA

Binding EU financial-sector regulation focused on ICT operational resilience, major ICT-related incidents, resilience testing, ICT third-party risk, registers, and supervisory oversight.

Second framework
ISO/IEC 27001

International standard for an information security management system that organisations can implement and, if they choose, certify through an accredited certification process.

Comparison row 1

Scope boundary

EU DORA

DORA scope starts with covered financial entities, their ICT-supported business functions, critical or important functions, ICT risk, ICT incidents, ICT third-party services, and related supervisory records.

Regulation (EU) 2022/2554 (DORA)Sources 1
ISO/IEC 27001

ISO/IEC 27001 scope is set by the organisation for its ISMS boundaries and applicability, taking account of internal and external issues, interested-party requirements, and information security risks.

ISO - ISO/IEC 27001 information security managementSources 1
Operational implication

A DORA scope memo should identify the regulated entity, function, ICT service, supplier, or incident. An ISO/IEC 27001 scope statement can support that memo only if its ISMS boundary covers the same facts.

Regulation (EU) 2022/2554 (DORA)Sources 1
Comparison row 2

Covered actors

EU DORA

DORA is EU law for the financial sector. It creates regulatory obligations for covered financial entities and establishes an oversight framework for critical ICT third-party providers.

Regulation (EU) 2022/2554 (DORA)Sources 1
ISO/IEC 27001

ISO/IEC 27001 is a management-system standard. It defines ISMS requirements and can be used for internal assurance or third-party certification, but it is not an EU financial-sector regulation.

ISO - ISO/IEC 27001 information security managementSources 1
Operational implication

Do not describe ISO/IEC 27001 certification as DORA compliance. Treat it as possible control evidence for specific DORA obligations.

ISO - ISO/IEC 27001 information security managementSources 1
Comparison row 3

Trigger

EU DORA

DORA puts ICT risk governance on the financial entity, including management-body oversight of ICT risk management arrangements and resilience responsibilities.

Regulation (EU) 2022/2554 (DORA)Sources 1
ISO/IEC 27001

ISO/IEC 27001 requires top-management leadership, ISMS roles and responsibilities, risk treatment, performance evaluation, internal audit, management review, and continual improvement.

ISO - ISO/IEC 27001 information security managementSources 1
Operational implication

Management review minutes can help, but DORA evidence should show the management body's DORA ICT-risk decisions, approvals, risk appetite, remediation, and supplier-risk oversight.

Regulation (EU) 2022/2554 (DORA)Sources 1
Comparison row 4

Core obligations

EU DORA

DORA requires classification of ICT-related incidents and reporting of major ICT-related incidents through an initial notification, intermediate report, and final report. The reporting RTS sets specific time limits, including initial reporting within four hours of major classification and no later than 24 hours after awareness.

Delegated Regulation (EU) 2024/1772 on ICT incident classificationSources 1Delegated Regulation (EU) 2025/301 on DORA incident reportingSources 2
ISO/IEC 27001

ISO/IEC 27001 supports incident-management planning, event assessment, evidence preservation, and contact with relevant authorities, but it does not create DORA's major-incident reporting sequence or clocks.

ISO - ISO/IEC 27001 information security managementSources 1
Operational implication

Use ISO/IEC 27001 incident procedures for preparation and records, but run a separate DORA classification and reporting workflow for potentially major ICT-related incidents.

Delegated Regulation (EU) 2025/301 on DORA incident reportingSources 1
Comparison row 5

Evidence record

EU DORA

DORA evidence should include ICT risk framework records, management-body approvals, incident classification and reporting records, register-of-information entries, ICT service contract evidence, resilience test results, remediation records, and supervisory-response material.

Regulation (EU) 2022/2554 (DORA)Sources 1
ISO/IEC 27001

ISO/IEC 27001 evidence should include ISMS scope, risk assessment and treatment records, Statement of Applicability, control evidence, internal audit results, management review records, nonconformities, corrective actions, and certification records if applicable.

ISO - ISO/IEC 27001 information security managementSources 1
Operational implication

Store shared evidence once if useful, but label every record by obligation. The same supplier control can support both regimes; a DORA reporting deadline or register template usually cannot be replaced by an ISO artifact.

Delegated Regulation (EU) 2025/301 on DORA incident reportingSources 1
Comparison row 6

Testing and TLPT

EU DORA

DORA requires a digital operational resilience testing programme and includes threat-led penetration testing for financial entities identified under DORA criteria.

Regulation (EU) 2022/2554 (DORA)Sources 1Delegated Regulation (EU) 2025/1190 on TLPT criteriaSources 2
ISO/IEC 27001

ISO/IEC 27001 requires evaluation of ISMS effectiveness and controls but does not itself determine which financial entities must perform DORA TLPT.

ISO - ISO/IEC 27001 information security managementSources 1
Operational implication

Security testing evidence can be reused only after confirming it satisfies the DORA testing objective, entity scope, scenario, independence, remediation, and TLPT criteria where relevant.

Delegated Regulation (EU) 2025/1190 on TLPT criteriaSources 1
Comparison row 7

Enforcement

EU DORA

DORA requires governance of ICT third-party risk, registers of information for ICT third-party arrangements, and detailed policy content for contracts supporting critical or important functions.

Implementing Regulation (EU) 2024/2956 on register templatesSources 1Delegated Regulation (EU) 2024/1773 on ICT third-party contractsSources 2
ISO/IEC 27001

ISO/IEC 27001 can support supplier security selection, monitoring, and control evidence within the ISMS, but it does not provide DORA's register templates or contract-policy requirements.

ISO - ISO/IEC 27001 information security managementSources 1
Operational implication

Reuse supplier due-diligence evidence where it fits, but create DORA register rows, critical-or-important-function flags, subcontracting records, contractual rights, and exit evidence separately.

Implementing Regulation (EU) 2024/2956 on register templatesSources 1
Comparison row 8

Overlap and reuse

EU DORA

If the record must answer a DORA legal question, such as whether an incident is major, whether an ICT service supports a critical or important function, or whether TLPT applies, use DORA and its RTS or ITS as the source.

Regulation (EU) 2022/2554 (DORA)Sources 1
ISO/IEC 27001

If the record must answer an ISMS question, such as whether a control is selected, implemented, audited, improved, or within certification scope, use ISO/IEC 27001 as the source.

ISO - ISO/IEC 27001 information security managementSources 1
Operational implication

A useful comparison output is a gap register with columns for DORA obligation, ISO/IEC 27001 supporting control, reusable evidence, missing DORA-specific evidence, owner, and next review trigger.

Delegated Regulation (EU) 2024/1772 on ICT incident classificationSources 1ISO - ISO/IEC 27001 information security managementSources 2
Comparison row 9

Practical decision rule

EU DORA

DORA assurance is regulatory: competent authorities supervise financial entities, Member States set administrative penalties and remedial measures, and critical ICT third-party providers can fall within the DORA oversight framework.

Regulation (EU) 2022/2554 (DORA)Sources 1
ISO/IEC 27001

ISO/IEC 27001 assurance is management-system assurance. Certification is optional and can demonstrate commitment to information security, especially when issued by an accredited conformity assessment body.

ISO - ISO/IEC 27001 information security managementSources 1
Operational implication

An ISO/IEC 27001 certificate may help customers and auditors trust the ISMS, but DORA remediation and supervisory questions still go to the DORA accountable owner.

Regulation (EU) 2022/2554 (DORA)Sources 1
Practical decision rule

How should a financial entity use ISO/IEC 27001 for DORA?

  • Start with DORA: identify the financial entity, ICT-supported business function, critical or important function, incident, supplier, test, or register obligation.
  • Check whether an ISO/IEC 27001 process or control already produces evidence for that exact DORA point.
  • Reuse ISO/IEC 27001 evidence only when the scope, owner, record, and timing match the DORA obligation.
  • Create separate DORA evidence for major incident reporting, register templates, ICT contract policy content, TLPT determination, supervisory responses, and management-body ICT risk oversight.
Regulation (EU) 2022/2554 (DORA)Sources 1ISO - ISO/IEC 27001 information security managementSources 2
Section 2

Where ISO/IEC 27001 helps DORA

ISO/IEC 27001 can provide a useful operating layer for DORA because it requires scoped management-system governance, risk assessment, risk treatment, documented information, performance evaluation, internal audit, management review, and continual improvement.

Those ISMS records can support DORA evidence when they are tied to the financial entity's ICT-supported business functions, critical or important functions, ICT assets, incident processes, supplier services, and resilience tests.

  • Risk assessment and treatment records can support DORA ICT risk management, but DORA still needs financial-entity and ICT-function context.
  • Internal audits and management reviews can support oversight evidence, but DORA still expects management-body accountability for ICT risk.
  • Supplier controls can support due diligence, but DORA still needs ICT-service contract terms, register rows, subcontracting oversight, and exit planning where applicable.
  • Incident controls can support preparation and evidence preservation, but DORA major incident classification and reporting clocks remain separate.
Sources for this answer
ISO - ISO/IEC 27001 information security management
Supports the ISMS role of ISO/IEC 27001: risk-aware management of information security using people, policies, and technology.
Regulation (EU) 2022/2554 (DORA)
Supports the DORA obligation categories that need financial-sector-specific evidence beyond a generic ISMS.
Section 3

Where DORA goes beyond ISO/IEC 27001

DORA adds legal mechanics that an ISO/IEC 27001 certificate does not supersede: classification and reporting of major ICT-related incidents, standard templates for the register of information, detailed ICT third-party contract policy content, and criteria for identifying financial entities required to perform threat-led penetration testing.

For covered financial entities, the practical gap is usually not whether controls exist. The gap is whether the controls are linked to DORA's required records, reporting sequence, supervisory expectations, and critical or important functions.

  • Major ICT-related incidents need DORA classification and reporting evidence, not only an internal incident ticket.
  • ICT third-party arrangements need DORA-specific contract and register evidence, not only supplier security questionnaires.
  • Resilience testing needs a DORA testing programme and, for identified entities, TLPT readiness rather than only vulnerability-management records.
  • Management-body evidence needs to show DORA ICT risk oversight, not only ISMS management review minutes.
Sources for this answer
Delegated Regulation (EU) 2024/1772 on ICT incident classification
Sets DORA criteria and materiality thresholds for classifying ICT-related incidents and cyber threats.
Implementing Regulation (EU) 2024/2956 on register templates
Provides the DORA standard templates for financial entities' registers of information on ICT third-party arrangements.
Delegated Regulation (EU) 2024/1773 on ICT third-party contracts
Specifies detailed DORA policy content for contractual arrangements supporting critical or important functions.
Delegated Regulation (EU) 2025/1190 on TLPT criteria
Specifies criteria used to identify financial entities required to perform threat-led penetration testing under DORA.
Section 4

Practical implementation pattern

Treat ISO/IEC 27001 as a reusable evidence layer, not as a DORA compliance label. Start with the DORA obligation, identify the exact ICT-supported function, supplier, incident, test, asset, or management decision, then decide whether existing ISMS evidence proves that point.

When the answer is yes, tag the ISO/IEC 27001 evidence to the DORA requirement and keep the source citation. When the answer is no, create a DORA-specific record instead of stretching an ISMS artifact beyond what it proves.

  • Create a DORA-to-ISMS control map with one row per DORA obligation, not one row per ISO control.
  • Keep separate owners for DORA legal interpretation, ISMS operation, incident reporting, supplier contracting, and resilience testing.
  • Record unsupported gaps explicitly: missing critical-function mapping, missing register fields, missing incident clock evidence, missing exit plan, or missing TLPT determination.
  • Do not claim that ISO/IEC 27001 certification equals DORA compliance; use it as evidence for specific controls only.
Sources for this answer
ISO - ISO/IEC 27001 information security management
Supports the certification distinction: organisations may implement ISO/IEC 27001 for best practice or seek certification to reassure stakeholders.
Regulation (EU) 2022/2554 (DORA)
Supports using DORA as the controlling source for financial-sector ICT operational resilience obligations.
Recommended next step

Turn the comparison into an obligation-by-obligation evidence map

Sorena can help separate DORA legal obligations from ISO/IEC 27001 control evidence, so incident, supplier, testing, register, and governance records do not get merged into an unsupported compliance claim.

Research workflow
Open Research Copilot for DORA

Ask source-linked questions about DORA obligations, ISO/IEC 27001 overlap, incident reporting, ICT third-party risk, and resilience testing.

Explore next step
Talk to Sorena
Talk through implementation

Review which ISO/IEC 27001 records can support DORA and which DORA gaps need separate evidence.

Explore next step
Primary sources

References and citations

Regulation (EU) 2022/2554 (DORA)
eur-lex.europa.eu
Referenced sections
  • Supports starting from DORA where the question concerns EU financial-sector ICT operational resilience obligations.
"digital operational resilience"
Related guides

Explore more topics

DORA Critical or Important Functions: mapping ICT dependencies and evidence
How DORA critical or important functions affect ICT service mapping, third-party contracts, register-of-information records, incidents, testing, and evidence.
DORA deadlines and compliance calendar for financial entities
Calendar the grounded DORA dates and recurring evidence: 17 January 2025 application, incident reporting clocks, register updates, annual reporting, TLPT cadence, and CTPP oversight milestones.
DORA ICT Third-Party Contract Remediation Workflow
A DORA workflow for remediating ICT third-party contracts covering critical or important functions, subcontracting, audit rights, exits, register updates, and evidence.
DORA ICT Third-Party Contracts FAQ
What DORA requires in ICT third-party contracts, including critical or important functions, audit and access rights, termination, exit, subcontracting, register updates, and evidence.
DORA ICT third-party risk and contract clauses guide
Source-grounded DORA guide for financial entities in scope, ICT third-party risk, contract clauses, subcontracting controls, register evidence, audit rights, exit planning, and oversight.
DORA incident classification forms: criteria, fields, and reporting clocks
Grounded guide to DORA ICT incident classification forms: major-incident criteria, significant cyber-threat notifications, report fields, time limits, evidence, and reclassification records.
DORA incident clock workflow: classification, reports, deadlines, and evidence
Grounded DORA workflow for starting the major-incident reporting clock, classifying ICT incidents, submitting initial, intermediate, and final reports, and preserving authority evidence.
DORA major ICT incident reporting: classification, reports, and timing
Source-grounded DORA guide to major ICT-related incident classification, initial notifications, intermediate and final reports, competent authority routing, and significant cyber threat notifications.
DORA major ICT incident thresholds: what triggers reporting?
FAQ on DORA major ICT-related incident classification thresholds, recurring incidents, reporting triggers, and evidence inputs grounded in EU DORA RTS and ITS texts.
DORA Register of Information FAQ: ICT Third-Party Arrangements
FAQ on the DORA register of information: who maintains it, which ICT third-party arrangements it covers, template fields, critical functions, reporting, data quality, and evidence.
DORA Register of Information Import and Build Workflow
Build a DORA register of information from procurement, vendor, contract, service, function, and subcontractor data using the official register templates and validation checks.
DORA Register of Information Template: ICT Provider Fields and Evidence
A grounded DORA register of information template for ICT third-party contracts, provider hierarchy, critical functions, dates, statuses, reporting, and evidence.
DORA TLPT selection: who can be required to test?
FAQ on DORA threat-led penetration testing selection: who identifies financial entities, what criteria are used, what the TLPT authority validates, and what evidence to keep.
DORA vs EBA outsourcing guidelines: ICT third-party risk comparison
Compare binding DORA ICT third-party risk duties with the EBA/ESA outsourcing baseline for registers, critical functions, contracts, subcontracting, exit, incident reporting, and evidence.
DORA vs ISO 22301: ICT resilience and business continuity compared
Compare DORA's binding ICT operational resilience duties for financial entities with ISO 22301's business continuity management system requirements.
DORA vs NIS2: financial-sector obligations, overlap, and evidence
Compare DORA and NIS2 for financial entities, ICT providers, incident reporting, management accountability, third-party risk, supervisory routes, and reusable evidence.
DORA vs PSD2 incident reporting: major ICT and payment incidents
Compare DORA major ICT-related incident reporting with PSD2 major operational or security payment incident reporting, including scope, triggers, report stages, recipients, and evidence.
EU DORA Applicability Test for Financial Entities and ICT Providers
A source-grounded DORA applicability test for financial-entity scope, ICT third-party services, critical or important functions, exclusions, proportionality, and evidence.
EU DORA Compliance Checklist for Financial Entities
A source-grounded DORA checklist covering ICT risk governance, major incident reporting, resilience testing, TLPT, ICT third-party contracts, register-of-information records, and audit evidence.
EU DORA Compliance Obligations and Evidence Guide
A source-grounded DORA compliance guide covering ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, registers, governance, oversight, and evidence.
EU DORA FAQ: scope, incidents, ICT contracts, testing, and evidence
Concise DORA FAQ covering who is in scope, proportionality, ICT third-party contracts, register-of-information records, major ICT incident thresholds and reporting, TLPT, testing, enforcement, and evidence.
EU DORA ICT risk management control baseline
A source-grounded DORA control baseline for ICT risk governance, asset and dependency mapping, protection, detection, response, recovery, testing, third-party risk, and evidence.
EU DORA ICT subcontracting chain controls for critical functions
DORA guide to ICT subcontracting chains for critical or important functions: prior assessment, contract conditions, register fields, monitoring, exit rights, and evidence.
EU DORA penalties and fines: enforcement powers and limits
Grounded guide to DORA enforcement: competent-authority powers, administrative penalties, remedial measures, publication rules, and Lead Overseer penalty payments for critical ICT third-party providers.
EU DORA Register of Information Data Model: templates, fields, and evidence
Field-level guide to the EU DORA register of information data model: templates B_01 to B_07, provider identifiers, contract links, subcontracting chains, critical-function assessments, dates, and export evidence.
EU DORA Requirements Overview: ICT risk, incidents, testing, and third-party risk
A grounded overview of the main EU DORA requirements for financial entities: governance, ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, register of information, oversight, proportionality, and evidence.
EU DORA Scope and Covered Entities: financial entities and ICT providers
Classify whether DORA applies to a financial entity, ICT third-party provider, group arrangement, branch, or critical ICT service dependency.
EU DORA Scope and Proportionality Workflow
Classify DORA covered entities, simplified-framework status, critical or important functions, ICT dependencies, evidence records, and governance approvals.
EU DORA testing and TLPT readiness guide
A grounded DORA guide for resilience testing, TLPT eligibility, authority interaction, test evidence, remediation plans, and avoiding unsupported testing cadence.
EU DORA TLPT eligibility workflow for financial entities
Check how DORA TLPT authorities identify financial entities for threat-led penetration testing and what evidence supports scope, readiness, providers, and governance.
EU DORA TLPT Runbook: scope, providers, reports, and remediation
Build a DORA threat-led penetration testing runbook around authority coordination, scope validation, provider controls, active testing, closure reports, remediation, and attestation.
How does proportionality work under EU DORA?
A grounded FAQ on DORA proportionality: what can be scaled, who may use the simplified ICT risk framework, what evidence supports the decision, and which duties cannot be waived.
How to build a DORA register of information
Build a DORA register of information from contracts, ICT services, providers, functions, subcontractors, risk assessments, audit evidence, exit plans, and export checks.