Skip to main content
DORA Auditor

Best DORA Auditors & Compliance Providers

Based on our published methodology, Deloitte currently ranks first among the 19 DORA providers we track. The full ranking below scores each firm on DORA expertise, regulatory track record, entity and geographic coverage, service breadth, client evidence, and pricing transparency.

Full ranking (19)

#ProviderCategoryScoreRating
1Deloitte

Deloitte is a Big Four network delivering DORA readiness assessments, ICT and operational-resilience advisory, third-party risk management, and threat-led penetration testing (TLPT) support. It serves the largest EU banks, insurers, and market infrastructures alongside a growing fintech practice.

Big 486/100
4.5 out of 5
Profile →
2PwC

PwC is one of the Big Four professional-services networks, offering DORA gap assessments, ICT risk-management advisory, third-party risk programmes, and resilience-testing support across the full range of EU financial entities. Its scale and regulatory relationships make it a common choice for large, complex institutions.

Big 486/100
4.5 out of 5
Profile →
3EY

EY (Ernst & Young) is a Big Four network providing DORA readiness and gap assessments, ICT and cyber-risk advisory, third-party risk programmes, and operational-resilience testing. It works across banking, insurance, and capital-markets clients throughout the EU.

Big 485/100
4.4 out of 5
Profile →
4KPMG

KPMG is a Big Four network offering DORA gap analysis, ICT risk-management frameworks, third-party risk advisory, and regulatory-reporting support. With its global headquarters in the Netherlands, it maintains a strong EU-centred regulatory practice.

Big 484/100
4.4 out of 5
Profile →
5NCC Group

NCC Group is a cybersecurity specialist offering threat-led penetration testing, security assurance, and resilience services directly relevant to DORA's digital operational-resilience testing pillar. It is a recognised provider of TLPT-style engagements for financial institutions.

Cybersecurity specialist70/100
4.2 out of 5
Profile →
6OneTrust

OneTrust is a governance, risk, and compliance (GRC) software platform used to operationalise DORA requirements, including ICT third-party risk registers, incident workflows, and control mapping. It complements advisory firms rather than delivering audit services itself.

GRC platform68/100
4.0 out of 5
Profile →
7BDO

BDO is a global network of public accounting, tax, and advisory firms and one of the largest mid-tier providers after the Big Four. Its risk-advisory and cybersecurity practices support financial entities with DORA gap assessments, ICT risk-management frameworks, third-party risk, and resilience testing across EU member states.

Mid-tier66/100
4.0 out of 5
Profile →
8Forvis Mazars

Forvis Mazars is an international audit, tax, and advisory partnership with deep roots in European financial services. Its regulatory and risk teams advise banks, insurers, and investment firms on DORA gap assessments, ICT governance, and third-party-risk arrangements.

Mid-tier65/100
3.9 out of 5
Profile →
9Softstack

Softstack (formerly Chainsulting) is a Germany-based security firm specialising in smart-contract audits, blockchain security reviews, and penetration testing. For DORA, its relevance sits in the ICT security-testing and third-party-risk pillars, particularly for crypto-asset service providers, tokenisation platforms, and fintechs handling digital assets.

Cybersecurity / crypto-native64/100
4.3 out of 5
Profile →
10Grant Thornton

Grant Thornton is a leading mid-tier network of independent audit, tax, and advisory member firms. Its financial-services risk and cyber teams help banks, insurers, and investment firms scope DORA obligations, run gap assessments, and build ICT risk-management and third-party-risk registers.

Mid-tier64/100
3.9 out of 5
Profile →
11MetricStream

MetricStream is a governance, risk, and compliance (GRC) software vendor. Its platform supports DORA programmes with ICT and operational-risk management, third-party risk, incident management, and the register of information, rather than hands-on advisory or audit services.

GRC platform61/100
3.9 out of 5
Profile →
12RSM

RSM is a global network of independent audit, tax, and consulting firms focused on the middle market. Its risk-advisory practices support financial entities with DORA readiness, ICT and third-party risk management, and operational-resilience reviews across European jurisdictions.

Mid-tier61/100
3.8 out of 5
Profile →
13Crowe

Crowe Global is an international network of public accounting, consulting, and technology firms serving the financial sector. Its risk-consulting practices help financial entities assess DORA compliance gaps, strengthen ICT governance, and manage third-party dependencies.

Mid-tier60/100
3.8 out of 5
Profile →
14Fusion Risk Management

Fusion Risk Management provides operational-resilience, business-continuity, and third-party-risk software. Its platform maps closely to DORA's operational-resilience and ICT third-party-risk pillars, helping financial entities identify important business services and manage dependencies.

GRC platform59/100
3.9 out of 5
Profile →
15WithSecure

WithSecure (formerly F-Secure Business) is a European cybersecurity company offering managed detection and response, security consulting, and red-teaming. For DORA, it supports the resilience-testing and ICT risk-management pillars, including threat-led penetration testing for financial entities.

Cybersecurity specialist58/100
4.1 out of 5
Profile →
16Kudelski Security

Kudelski Security, the cybersecurity division of the Kudelski Group, provides advisory, managed security, and testing services, including blockchain and digital-asset security. For DORA it supports resilience testing, ICT risk management, and third-party risk for financial and crypto-asset entities.

Cybersecurity specialist56/100
4.0 out of 5
Profile →
17TÜV SÜD

TÜV SÜD is a German testing, inspection, and certification body with a large cybersecurity and information-security practice. For DORA it supports ICT security testing, audits against recognised standards, and independent assurance for financial entities and their ICT third-party providers.

Certification / testing56/100
3.9 out of 5
Profile →
18SureCloud

SureCloud offers GRC software alongside cybersecurity and risk-advisory services. Its combined platform-and-services model supports DORA programmes across ICT risk management, third-party risk, and the register of information, with penetration testing available for resilience testing.

GRC / resilience56/100
3.8 out of 5
Profile →
19DQS

DQS is a German-headquartered certification body specialising in management-system audits and information-security certification. For DORA it provides independent assessment against standards such as ISO 27001, supporting ICT risk-management assurance for financial entities and their ICT third-party providers.

Certification body53/100
3.7 out of 5
Profile →

Scores are computed from public information against our ranking methodology and refreshed quarterly. We may earn referral fees from listed providers; this does not affect scores.