
SOC2+ Tailored to DORA

A Strategic Asset for ICT Service Providers

Our cybersecurity, regulatory compliance, and risk management experts guide you through SOC2+ reporting, integrating additional regulatory requirements relevant for you, such as those under the Digital Operational Resilience Act (DORA), into a single audit. The result: a stronger, more comprehensive security and compliance posture, with less duplication and greater efficiency.

The Digital Operational Resilience Act (DORA) became applicable in January 2025, representing a significant shift in how financial institutions and ICT service providers address digital risk and regulatory compliance. As the emphasis on operational resilience grows, ICT service providers face rising expectations to demonstrate their ability to ensure business continuity and protect the security and reliability of critical ICT systems.

In this context, a SOC2+ report customized to cover not only the AICPA Trust Services Criteria but also specific requirements stemming from relevant regulations, such as DORA, offers a useful solution: the significant advantage of an integrated framework, reducing redundant work, streamlining documentation, and improving overall audit efficiency.

The Value of SOC2+

SOC2+ is an enhanced version of the standard SOC2 report, used to demonstrate how security, availability, and data protection are managed, that integrates additional regulatory or industry-specific requirements. When tailored specifically to DORA, the regulation’s main pillars – ICT risk management, incident management & reporting, digital operational resilience testing, and ICT third-party risk management – are incorporated into the SOC2 structure. This approach allows ICT service providers to:

  • Coordinate overlapping requirements, reducing the burden of maintaining multiple compliance processes and streamlining audits.
  • Demonstrate adherence to relevant regulatory obligations through a single, well-structured report.
  • Increase transparency and trust with both clients, who rely on compliant, resilient service providers, and regulators.

Compliance Meets Competitive Advantage

The benefits of SOC2+ extend beyond reporting simplification. Preparing for a SOC2+ audit tailored to DORA requires enhancements in ICT governance, internal controls, documentation practices, and testing procedures. This process not only helps identify and close control gaps but also reduces operational risks and builds resilience against service disruptions, thus driving internal improvements. By embedding resilience into day-to-day operations, your organization’s capacity to respond to incidents, recover from disruptions, and maintain service quality is significantly strengthened. 

Moreover, in a market where many ICT service providers compete for the same regulated clients, a SOC2+ report aligned with relevant regulatory requirements is a powerful differentiator, clearly showing that your controls meet both the established Trust Services Criteria and specific resilience requirements. For financial institutions under DORA, for instance, this reduces onboarding risk and due diligence effort, making your organization stand out in terms of maturity and responsibility.

DORA-Focused SOC2+ Program

Pursuing a SOC2+ report tailored to DORA requires a structured approach. Key elements include:

  • Understanding where DORA requirements intersect with your control framework.
  • Conducting gap assessments to identify where additional controls or evidence may be required.
  • Ensuring that all relevant controls are clearly documented, implemented, and tested.
  • Working with experienced auditors to validate compliance and issue the SOC2+ report.

Because DORA requires specific measures focused on digital operational resilience, ICT risk management, and vendor management, a tailored implementation plan is essential for success.

How Deloitte Can Help

Our team of experts in IT and cyber security, regulatory compliance, ICT risk management, and audit and assurance will support you at every stage of the journey. Our services include:

We help you design a structured, actionable roadmap for the audit preparation, starting from initial scoping, control mapping, design, and implementation, to testing and a comprehensive audit readiness assessment. We help you review, adjust, and design internal controls to meet the DORA requirements. Whether starting from scratch or enhancing an existing framework, we ensure your control environment is both compliant and audit-ready.

We conduct structured assessments to evaluate your current state of compliance with obligations stemming from DORA. We identify compliance gaps, provide practical recommendations, and lay out a tailored roadmap to help you prioritize and implement the changes needed for full alignment with applicable rules.

We design a Target Operating Model (TOM) to embed digital operational resilience into your organization’s daily operations. This includes defining roles, processes, governance structures, and reporting lines that support sustainable DORA compliance across ICT risk, incident response, and third-party oversight.

We assist in building or upgrading your ICT risk management framework to meet the DORA standards. This includes identifying critical systems, defining risk tolerances, implementing control measures, and establishing robust risk governance aligned with enterprise-level priorities.

We help you build a comprehensive third-party risk management program that meets the DORA expectations – from pre-contract due diligence and contract clause reviews to criticality assessments and regulatory notifications.

We ensure your organization is prepared for a SOC audit, conducting a pre-audit assessment, identifying gaps to reduce surprises during the audit, and improving your control environment.

We understand the challenges of operational resilience in the digital age and aim to tailor our services to your specific needs. SOC2+ customized to DORA is not merely a checkbox exercise. It is a practical approach aimed at building resilience, demonstrating accountability, and unlocking value in an increasingly regulated ecosystem. 

If you want to be sure that your organization is prepared to comply with legal requirements stemming from DORA or you are interested in SOC2+ reporting, do not hesitate to contact us. 
