Regulatory compliance audit
Assess your DORA or NIS2 compliance posture and define a prioritised remediation roadmap.
What is a DORA / NIS2 audit?
A DORA or NIS2 compliance audit evaluates your organisation's readiness against European regulatory requirements for digital operational resilience and cybersecurity.
The DORA regulation (EU 2022/2554), applicable since January 2025, imposes strict requirements on financial entities regarding the management of information and communication technology (ICT) risks. The NIS2 directive (EU 2022/2555) broadens the scope of affected organisations and strengthens cybersecurity obligations for essential and important entities.
The audit precisely identifies the gaps between your current practices and regulatory requirements, then defines a prioritised remediation roadmap. It serves as an essential governance tool for management and oversight bodies.
The DORA regulation is built around five pillars that our audit covers comprehensively: ICT risk management, including the governance framework and policies; incident management, covering the detection, classification and reporting of major incidents; digital operational resilience testing through vulnerability assessments and penetration testing; third-party risk management, addressing ICT provider oversight and contractual arrangements; and cyber threat information sharing.
How do we proceed?
The audit follows a structured four-phase process, covering organisational, functional and technical aspects.
Information gathering
Interviews with stakeholders to map existing ICT systems and services, understand information flows and identify critical or important functions as defined by the regulation. Review of the ICT asset inventory, risk management documentation, incident management processes, documented tests and the contractual framework with ICT providers.
Analysis
Detailed gap analysis between current practices and regulatory requirements using the MONARC platform. Pragmatic assessment of critical operational areas: exit strategies, concentration risk, backup procedures, business recovery plans and documented test evidence.
Deliverables & presentation
Compliance analysis in MONARC evaluating regulatory requirements point by point, reusable for future iterations. Comprehensive compliance report with a clear view of gaps and remediation recommendations. Presentation of the findings to management during a debrief session.
Remediation
Support in implementing corrective measures: drafting internal documents (ICT risk management policy, incident management procedures, continuity plans), implementing organisational or technical measures, and delivering training sessions.
Prerequisites
ICT asset and information systems inventory. Existing documentation: security policies, incident management procedures, continuity plans, ICT provider contracts. Access to key personnel: compliance officers, IT, security and risk management teams. Identification of critical or important functions as defined by the regulation. A dedicated client contact for engagement coordination.
Financial services
Independent DORA compliance audit for an insurance and reinsurance company
A Luxembourg-based insurance and reinsurance company had been running a DORA compliance programme for over a year. After this initial phase of internal work, management wanted an independent audit to ensure the organisation was fully aligned with all regulatory requirements.
Tomeris conducted a DORA compliance audit covering all five pillars of the regulation. The analysis, carried out using the MONARC platform, assessed the company's posture point by point across organisational, functional and technical dimensions: ICT risk governance, incident management, resilience testing, third-party provider oversight and information sharing.
The audit identified residual gaps and produced pragmatic, actionable recommendations for the teams in place. The compliance report and MONARC analysis were delivered to management, providing a clear view of the remaining path to demonstrate compliance to the regulator.
Regular follow-up is planned to support the implementation of recommendations and measure the evolution of the compliance posture.
Ready to assess your compliance?
Request a DORA or NIS2 audit and get a comprehensive gap analysis with a prioritised remediation roadmap.