Best DORA Auditors & Compliance Providers
Based on our published methodology, Deloitte currently ranks first among the 19 DORA providers we track. The full ranking below scores each firm on DORA expertise, regulatory track record, entity and geographic coverage, service breadth, client evidence, and pricing transparency.
Full ranking (19)
| # | Provider | Category | Score | Rating | |
|---|---|---|---|---|---|
| 1 | Deloitte Deloitte is a Big Four network delivering DORA readiness assessments, ICT and operational-resilience advisory, third-party risk management, and threat-led penetration testing (TLPT) support. It serves the largest EU banks, insurers, and market infrastructures alongside a growing fintech practice. | Big 4 | 86/100 | 4.5 out of 5 | Profile → |
| 2 | PwC PwC is one of the Big Four professional-services networks, offering DORA gap assessments, ICT risk-management advisory, third-party risk programmes, and resilience-testing support across the full range of EU financial entities. Its scale and regulatory relationships make it a common choice for large, complex institutions. | Big 4 | 86/100 | 4.5 out of 5 | Profile → |
| 3 | EY EY (Ernst & Young) is a Big Four network providing DORA readiness and gap assessments, ICT and cyber-risk advisory, third-party risk programmes, and operational-resilience testing. It works across banking, insurance, and capital-markets clients throughout the EU. | Big 4 | 85/100 | 4.4 out of 5 | Profile → |
| 4 | KPMG KPMG is a Big Four network offering DORA gap analysis, ICT risk-management frameworks, third-party risk advisory, and regulatory-reporting support. With its global headquarters in the Netherlands, it maintains a strong EU-centred regulatory practice. | Big 4 | 84/100 | 4.4 out of 5 | Profile → |
| 5 | NCC Group NCC Group is a cybersecurity specialist offering threat-led penetration testing, security assurance, and resilience services directly relevant to DORA's digital operational-resilience testing pillar. It is a recognised provider of TLPT-style engagements for financial institutions. | Cybersecurity specialist | 70/100 | 4.2 out of 5 | Profile → |
| 6 | OneTrust OneTrust is a governance, risk, and compliance (GRC) software platform used to operationalise DORA requirements, including ICT third-party risk registers, incident workflows, and control mapping. It complements advisory firms rather than delivering audit services itself. | GRC platform | 68/100 | 4.0 out of 5 | Profile → |
| 7 | BDO BDO is a global network of public accounting, tax, and advisory firms and one of the largest mid-tier providers after the Big Four. Its risk-advisory and cybersecurity practices support financial entities with DORA gap assessments, ICT risk-management frameworks, third-party risk, and resilience testing across EU member states. | Mid-tier | 66/100 | 4.0 out of 5 | Profile → |
| 8 | Forvis Mazars Forvis Mazars is an international audit, tax, and advisory partnership with deep roots in European financial services. Its regulatory and risk teams advise banks, insurers, and investment firms on DORA gap assessments, ICT governance, and third-party-risk arrangements. | Mid-tier | 65/100 | 3.9 out of 5 | Profile → |
| 9 | Softstack Softstack (formerly Chainsulting) is a Germany-based security firm specialising in smart-contract audits, blockchain security reviews, and penetration testing. For DORA, its relevance sits in the ICT security-testing and third-party-risk pillars, particularly for crypto-asset service providers, tokenisation platforms, and fintechs handling digital assets. | Cybersecurity / crypto-native | 64/100 | 4.3 out of 5 | Profile → |
| 10 | Grant Thornton Grant Thornton is a leading mid-tier network of independent audit, tax, and advisory member firms. Its financial-services risk and cyber teams help banks, insurers, and investment firms scope DORA obligations, run gap assessments, and build ICT risk-management and third-party-risk registers. | Mid-tier | 64/100 | 3.9 out of 5 | Profile → |
| 11 | MetricStream MetricStream is a governance, risk, and compliance (GRC) software vendor. Its platform supports DORA programmes with ICT and operational-risk management, third-party risk, incident management, and the register of information, rather than hands-on advisory or audit services. | GRC platform | 61/100 | 3.9 out of 5 | Profile → |
| 12 | RSM RSM is a global network of independent audit, tax, and consulting firms focused on the middle market. Its risk-advisory practices support financial entities with DORA readiness, ICT and third-party risk management, and operational-resilience reviews across European jurisdictions. | Mid-tier | 61/100 | 3.8 out of 5 | Profile → |
| 13 | Crowe Crowe Global is an international network of public accounting, consulting, and technology firms serving the financial sector. Its risk-consulting practices help financial entities assess DORA compliance gaps, strengthen ICT governance, and manage third-party dependencies. | Mid-tier | 60/100 | 3.8 out of 5 | Profile → |
| 14 | Fusion Risk Management Fusion Risk Management provides operational-resilience, business-continuity, and third-party-risk software. Its platform maps closely to DORA's operational-resilience and ICT third-party-risk pillars, helping financial entities identify important business services and manage dependencies. | GRC platform | 59/100 | 3.9 out of 5 | Profile → |
| 15 | WithSecure WithSecure (formerly F-Secure Business) is a European cybersecurity company offering managed detection and response, security consulting, and red-teaming. For DORA, it supports the resilience-testing and ICT risk-management pillars, including threat-led penetration testing for financial entities. | Cybersecurity specialist | 58/100 | 4.1 out of 5 | Profile → |
| 16 | Kudelski Security Kudelski Security, the cybersecurity division of the Kudelski Group, provides advisory, managed security, and testing services, including blockchain and digital-asset security. For DORA it supports resilience testing, ICT risk management, and third-party risk for financial and crypto-asset entities. | Cybersecurity specialist | 56/100 | 4.0 out of 5 | Profile → |
| 17 | TÜV SÜD TÜV SÜD is a German testing, inspection, and certification body with a large cybersecurity and information-security practice. For DORA it supports ICT security testing, audits against recognised standards, and independent assurance for financial entities and their ICT third-party providers. | Certification / testing | 56/100 | 3.9 out of 5 | Profile → |
| 18 | SureCloud SureCloud offers GRC software alongside cybersecurity and risk-advisory services. Its combined platform-and-services model supports DORA programmes across ICT risk management, third-party risk, and the register of information, with penetration testing available for resilience testing. | GRC / resilience | 56/100 | 3.8 out of 5 | Profile → |
| 19 | DQS DQS is a German-headquartered certification body specialising in management-system audits and information-security certification. For DORA it provides independent assessment against standards such as ISO 27001, supporting ICT risk-management assurance for financial entities and their ICT third-party providers. | Certification body | 53/100 | 3.7 out of 5 | Profile → |
Scores are computed from public information against our ranking methodology and refreshed quarterly. We may earn referral fees from listed providers; this does not affect scores.