Long reads on operational resilience and the quantum transition
Longer pieces on DORA Compliance and post-quantum cryptography (PQC), for leaders, boards, risk and audit committees, procurement and risk teams.
DORA, read as a risk problem.
The regulation is in force; the interesting questions are now about how it bites. These reads take the parts that are easy to file and hard to actually use — the critical-provider list, the Register of Information, supplier obligations, the testing regime — and ask what a financial entity or its suppliers should do differently.
The Critical 19: CTPP list analysis
The nineteen ICT providers designated critical under DORA, tested against Article 31(2): subcontracting chains, substitutability, the on-prem and co-location segments, and the sovereignty profile of Europe's financial-sector supply chain. The verdict — defensible as a political artefact, but as an analytical instrument it has structural problems firms should understand before letting it shape their own concentration-risk assessment.
Read on dora-consultancy.com →
DORA · Register of Information
The Register of Information trap
The Register is being treated as a filing exercise rather than a risk tool. Why the 99.87% of ICT providers below the critical threshold is where incidents actually originate — and what to do with the register you have already paid to assemble. Fifteen months after DORA took effect, the regulators' dry run cleared barely 6.5% on data quality: a measure of how far most firms still are from a register that does any real work.
Read on dora-consultancy.com →
DORA · Suppliers & contracts
IT suppliers' legal obligations under DORA
DORA does not bind IT suppliers directly — but their regulated European clients' auditors will hold them to it anyway. When the ICT Third-Party Risk Addendum lands with its many vague clauses, googling it or asking your lawyer or ChatGPT tends to produce contradictory answers. Practical guidance on reading those addenda, negotiating the contract, and the obligations that arrive through the customer relationship rather than the statute.
Read on dora-consultancy.com →
DORA · Resilience testing
Threat-led penetration testing
What DORA's TLPT regime actually asks of financial entities: scope, the testers permitted to carry it out, the role of internal teams, and the obligations that follow from a live red-team engagement. Though modelled on the TIBER-EU framework, the requirements are legally binding and prevail over it — and not everyone who can run a scanner qualifies, so most entities will struggle to deliver the testing in-house.
Read on dora-consultancy.com →
DORA · RTS / Article 15
ESA technical standards: the full framework
A read of the ESA Regulatory Technical Standards for the full ICT risk-management framework under Article 15 — security policies, access control, incident response and business continuity. The draft RTS give the first concrete flavour of the control levels supervisors expect, while deliberately staying technology-neutral rather than naming products, which leaves each firm to translate them onto its own stack.
Read on dora-consultancy.com →
The quantum transition, planned not panicked.
The threat is real but the timeline is a planning problem, not an emergency. These reads are about the decisions that can be made now — which vendors will be ready and when, where cryptographic risk hides in a deal, and how to explain the whole thing to someone encountering it for the first time.
Vendor PQC timeline
When will Microsoft, AWS, Oracle and the rest of your stack actually support post-quantum cryptography? You cannot remediate most vulnerable cryptography until your vendors ship PQC support in the products you depend on — Microsoft is not fully quantum-safe until 2033, Oracle is targeting 2027 — so the real critical path is the “waiting for the vendor” bottleneck. A tracker for planning the migration around vendor reality rather than the headlines.
Read on pqcconsultancy.com →
PQC · Mergers & acquisitions
Quantum-aware M&A due diligence
Cryptographic risk rarely appears on a deal's radar until after close. When you acquire a company you also acquire its data-protection obligations — and encrypted data harvested before signing can become readable once a cryptographically relevant quantum computer exists, so a breach in the target's past lands as the acquirer's legal and reputational problem. How to assess harvest-now-decrypt-later exposure and PQC readiness while there is still time to price it in.
Read on pqcconsultancy.com →
PQC · Primer
The PQC guide
A plain-English introduction to the quantum threat to cryptography and what it means for an organisation — written for business owners rather than technicians, with no technical background required. The short read to hand to a colleague who is new to the topic before the vendor and diligence conversations begin.
Read on pqcconsultancy.com →
Get in touch.
- Email
- gleb@inkasec.com
- Phone
- +44 78 7316 8482
- Location
- London, United Kingdom