DORApp Blog
DORA Fundamentals

DORA Concentration Risk (2026 Guide)

M
By Matevž RostaherLast updated: June 15, 2026
dora-concentration-risk-concept-shown-in-a-compliance-workspace-with-dependency-.jpg

You finish a Register of Information review and, on the surface, everything looks fine. Contracts are logged, providers are named, countries are filled in, and reporting fields seem complete. Then someone asks a harder question: what happens if too many critical services depend on the same provider, the same group, or the same region? That is where dora concentration risk becomes more than a reporting detail. It becomes a resilience issue.

For many compliance teams, this is the point where the Register of Information stops being a filing exercise and starts acting like a management tool. Under what is dora, financial entities are expected to understand not only who their ICT providers are, but also how dependency builds up across functions, contracts, and supply chains. In 2026, that matters even more because supervisors are moving from initial readiness to proof of compliance.

DORApp was built to simplify DORA compliance for EU financial institutions through a modular approach, turning complex regulatory requirements into structured, manageable workflows. If you are trying to understand how concentration risk dora concerns should be identified inside your Register of Information, this article will help you sort the practical from the theoretical.

  • What concentration risk means under DORA
  • Why the Register of Information is where it shows up first
  • Where dora concentration risk usually hides
  • How to assess concentration risk in practice
  • How concentration risk is assessed and “calculated” in practice
  • What regulators are likely to expect in 2026
  • Mitigation options: what to do when concentration is high
  • How tools can help without replacing judgment
  • Frequently Asked Questions
  • Key Takeaways
  • Conclusion

    • What concentration risk means under DORA

    At a practical level, dora concentration risk means you rely too heavily on a limited set of ICT third-party providers, subcontractors, service models, or geographic locations. If one point fails, too much of your operation could be affected at once.

    The reality is that concentration is not limited to “one big cloud vendor.” It can appear through shared infrastructure, one corporate group serving multiple critical functions, the same subcontractor appearing behind different direct providers, or several important services being delivered from the same country or region.

    Under the digital operational resilience act dora, financial entities need to manage ICT third-party risk as part of operational resilience. That includes understanding dependency, criticality, substitutability, and potential single points of failure. So while DORA may not reduce concentration risk to one simple score, it clearly pushes institutions to identify and manage it as part of broader ICT risk governance.

    Where concentration risk sits within DORA’s third-party risk pillars

    Now, when it comes to DORA in day-to-day governance, concentration risk tends to sit at the intersection of several DORA themes, not in a single isolated requirement. Teams often see it first through the Register of Information because that is where provider, service, location, and subcontracting data lives. The follow-through typically spans:

  • ICT risk management: identifying and managing dependencies that could affect availability, integrity, or continuity of ICT-supported services.
  • ICT third-party risk management: understanding who you rely on, what is critical, what can be substituted, and where you may need stronger controls or exit options.
  • Digital operational resilience testing: validating whether your continuity and recovery assumptions hold when a concentrated dependency is disrupted.
  • ICT-related incident management and reporting: recognizing that concentrated dependencies can turn one provider event into multiple internal incidents, sometimes across entities or business lines.

    • Think of it this way: your register points to the dependency. Your third-party risk process frames the oversight. Your testing and incident processes show whether the oversight works in reality.

    It also helps to separate two related ideas. Institution-level concentration is about your firm’s dependency profile. Market-wide or systemic concentration is about many firms relying on the same underlying providers or infrastructures. The designation of Critical Third-Party Providers by the ESAs adds a layer of supervisory attention to systemic issues, but your own obligation is still to understand and manage how concentrated your critical services are, based on your situation.

    For most small business owners and entrepreneurs, proportionality is a familiar concept in practice, you do what is reasonable for your size and complexity. Under DORA, proportionality may also shape how deep and formal your concentration assessment needs to be, but the details can depend on your institution type and supervisory context. The important part is that your approach is explainable, repeatable, and evidence-based.

    It is not just a procurement issue

    What many people overlook is that concentration risk sits across procurement, compliance, IT, operational resilience, and business ownership. A contract team may know who signed the agreement. IT may know how the service is used. Risk may know it supports a critical or important function. Unless those views meet in one reliable dataset, the risk can stay hidden.

    This is one reason the distinction between a list of vendors and a real dora register matters so much. A register should help you connect entities, providers, functions, services, and dependencies, not just store names in rows.

    Why the Register of Information is where it shows up first

    The Register of Information is mandatory under DORA and must cover all ICT third-party service arrangements. Its first EU-level submission deadline was 30 April 2025, and from there the focus shifted toward ongoing maintenance, consistency, and supervisory usability.

    If you want a fuller picture of structure and required scope, see this overview of the dora register of information. For concentration analysis, the key point is simple: the register contains the raw ingredients regulators and internal teams use to identify dependency patterns.

    In practice, this means your register may reveal concentration through recurring provider names, linked parent groups, clustered service countries, repeated support for critical or important functions, or supply chain relationships that converge behind the scenes.

    Why data quality matters more than volume

    Consider this: a large register with incomplete legal entity names, inconsistent country values, and missing subcontracting data may be worse than a smaller register that is clean and structured. Concentration analysis depends on matching records accurately. If the same provider appears under four different spellings, your dependency may look smaller than it really is.

    Platforms like DORApp streamline the creation and maintenance of the Register of Information process through a structured approach that includes importing existing data, managing records through an intuitive interface, enriching them from public sources, validating against reporting rules, and generating compliant outputs. That does not remove your obligation to assess risk, but it can make the underlying data more usable for the people doing that assessment.

    concentration-risk-dora-illustration-with-multiple-critical-services-linked-to-o.jpg

    Where dora concentration risk usually hides

    Most institutions do not miss concentration risk because they do not care. They miss it because it appears in forms that are less obvious than “we use one provider a lot.”

    Provider group concentration

    You may have multiple contracts with what look like separate vendors, while the services ultimately sit within the same corporate group. From a resilience standpoint, group-level concentration may matter more than contract count.

    Critical function dependency

    If several critical or important functions rely on the same provider, your exposure grows quickly. Even if each service looks manageable on its own, the combined impact of a disruption may be far more serious.

    Geographic concentration

    Concentration can also appear at country or regional level. Hosting, support, data processing, or operational delivery concentrated in one jurisdiction may create issues tied to political events, local outages, legal restrictions, or regional infrastructure failures.

    Subcontracting chains

    Delegated Regulation (EU) 2025/532 brought sharper focus to subcontracting risk. Under DORA, this means you should not stop at the direct provider if material parts of the service depend on downstream providers. Two direct vendors may still create one shared vulnerability if they rely on the same subcontracted infrastructure.

    False diversification

    Think of it this way: having three contracts is not the same as having three independent options. If those contracts are operationally intertwined, rely on the same data center model, or are hard to replace in the time available, you may have less diversification than your spreadsheet suggests.

    How to assess concentration risk in practice

    The best assessments usually combine Register of Information data with business context. You are not just counting suppliers. You are asking how dependency affects resilience.

    Start with four practical questions

  • Which providers support critical or important functions?
  • Where do multiple services roll up to the same provider group or subcontractor?
  • How realistic is substitution, both contractually and operationally?
  • Would one disruption affect multiple entities, business lines, or countries at the same time?

    • Then review the patterns that matter most

    From a practical standpoint, you should usually analyze concentration across at least these dimensions:

  • Provider and provider group
  • Critical or important function support
  • Country and operational location
  • Type of ICT service
  • Subcontracting and supply chain concentration
  • Entity-level versus group-level dependency

    • This is also where cross-functional review becomes essential. Your procurement data may answer who the provider is. Your business owner may explain whether the service is replaceable. Your ICT team may identify technical coupling. Your risk team may map this back to what is ict risk in operational terms rather than just reporting fields.

    Use the register as evidence, not as the whole answer

    Here's the thing: the Register of Information helps you identify potential concentration, but it does not fully determine whether that concentration is acceptable. You still need judgment around business continuity, exit planning, substitutability, contractual rights, testing, and the realistic time required to move away from a provider.

    If your team is still aligning the broader legal and structural background, this explainer on dora regulation explained can help frame why these risk reviews sit inside a larger operational resilience program.

    dora-concentration-risk-in-the-register-of-information-through-repeated-provider.jpg

    How concentration risk is assessed and “calculated” in practice

    Teams often ask for a single calculation method for dora concentration risk. In most cases, there is no one mandated DORA formula that turns concentration into a universal number. What supervisors and internal stakeholders usually want instead is a consistent method that makes sense for your operating model, can be repeated over time, and is supported by evidence from the Register of Information and related governance artifacts.

    In practice, institutions tend to quantify concentration using a mix of volume indicators and impact indicators. The goal is to answer two questions at the same time: how much do we rely on this provider or group, and what would break if that reliance was disrupted?

    Common ways institutions quantify concentration

    These are some of the indicators teams commonly use, often in combination:

  • Spend share: the proportion of total ICT third-party spend attributed to a provider or provider group. This can be a useful starting signal, but it rarely tells the whole story because low spend can still support a critical function.
  • Service count and critical service count: how many ICT services, and how many services supporting critical or important functions, are tied to the same provider, group, or subcontractor.
  • Workload or volume share: capacity, transaction volume, users served, environments hosted, or operational throughput supported by one provider. This is often closer to resilience impact than spend.
  • Single point of failure mapping: a structured view of where a single provider, location, or underlying component could interrupt multiple services at once. This can include shared identity services, shared monitoring, shared network paths, or shared data platforms.
  • Geographic clustering: the share of critical services delivered from one country or region, or reliant on the same data center footprint or operational hub.

    • For most small business owners and entrepreneurs, the simplest place to start is usually one provider-group view and one critical-function view. Even a lightweight breakdown can reveal hidden concentration that is not obvious from contract lists.

    Simple scoring models that work in real reviews

    Once you have indicators, many teams create a scoring approach to support governance decisions. Two common models show up because they are easy to explain during internal challenge and supervisory Q&A.

    One option is tiered risk bands. For example, you may define a small set of thresholds that place each provider or provider group into a low, medium, or high concentration category based on a few measures such as number of critical services supported and substitution feasibility. This is often useful when you want a repeatable governance rhythm and clear triggers for escalation.

    Another option is a weighted factor score. In this model, you assign points to factors that typically drive resilience outcomes, then aggregate them. A practical set of factors often includes:

  • Criticality: whether and how strongly the provider supports critical or important functions.
  • Substitutability: realistic time and effort to move or rebuild, including technical coupling and data portability.
  • Concentration dimension: provider group concentration, subcontractor concentration, and geographic clustering.
  • Complexity of exit: number of systems involved, integration depth, and operational dependencies.

    • A weighted model can be helpful when you want to compare very different provider relationships in a consistent way. The tradeoff is that you need to document how weights were set and keep the scoring stable enough to be meaningful from year to year.

    Common pitfalls that make concentration look smaller than it is

    What many people overlook is that concentration measurement can go wrong in predictable ways. A few patterns come up again and again:

  • Double-counting or miscounting contracts: the same arrangement recorded multiple times across entities or business units, or split into multiple records that hide the shared dependency.
  • Missing provider group mapping: treating subsidiaries, brands, or recently acquired entities as independent vendors, even though a group-level disruption could affect all of them.
  • Ignoring subcontractors and shared infrastructure: relying only on direct provider names even where the underlying service chain converges.
  • Confusing “many contracts” with diversified dependency: multiple agreements that still rely on one environment, one region, or one technical control plane.
  • Mixing metrics without context: spend share used as a proxy for criticality, or service count used without checking whether services are actually independent.

    • The difference often comes down to careful mapping. If your register is clean enough to tie providers to groups, services to critical functions, and services to locations and subcontractors, your concentration view becomes much more defensible, even if your scoring method is relatively simple.

    What regulators are likely to expect in 2026

    In 2026, many institutions are no longer being assessed only on whether they created a DORA register and filed it in the correct technical format. Supervisors increasingly want to see whether the institution can use that information to govern third-party risk.

    From a regulatory standpoint, this means concentration risk review may show up through questions such as:

  • Can you identify your most concentrated providers and provider groups?
  • Can you explain why those concentrations exist?
  • Do you know which critical or important functions are affected?
  • Do you have mitigation, oversight, contingency, or exit planning where dependency is high?
  • Are group entities reporting consistently enough for regulators to cross-reference them?

    • The designation of Critical Third-Party Providers by the ESAs in late 2025 also changed the conversation. It did not automatically make every heavy dependency unacceptable, but it reinforced the expectation that financial entities understand where systemic and institution-specific concentration may exist.

    For broader context, Dorapp readers may also find DORA Pillars Explained: Complete Breakdown (2026) and DORA European Commission Timeline and History (2026) useful background reading.

    team-assessing-and-mitigating-dora-concentration-risk-with-diversified-provider-.jpg

    Mitigation options: what to do when concentration is high

    If your assessment shows high concentration, the next question is usually not “can we eliminate it.” The question is “what do we do that is proportionate, evidence-based, and realistic.” In regulated environments, including FinTech, InsurTech, and RegTech contexts, this often means you need a clear story: what the concentration is, why it exists, what controls are in place, and what you will do if the dependency fails. This is not legal advice, but it is a practical way to think about supervisory expectations.

    In most institutions, mitigations fall into a few repeatable categories. Regulators often expect to see evidence that you considered them, even if your final decision is that a mitigation is not proportionate for a specific service.

    A practical menu of mitigation options

    These are common mitigation types teams use to reduce impact, improve recoverability, or improve control over a concentrated dependency:

  • Exit planning depth: a documented path to exit or replace the service, including sequencing, estimated timelines, key dependencies, and internal owners. For critical services, “we would switch provider” is rarely enough without showing how.
  • Portability plans: practical steps that make moving feasible, such as data export routines, infrastructure-as-code approaches, standardized interfaces, or tested restore processes. The goal is not perfection, it is reducing unknowns.
  • Contractual controls: rights that support oversight and change management, such as audit and access rights, incident notification, subcontracting transparency, termination assistance, and service continuity commitments. The right set of clauses depends on the service and jurisdiction, and should be reviewed with qualified legal counsel.
  • Resilience testing and failover evidence: scenario-based testing that demonstrates how the institution would maintain service or recover within acceptable timeframes. This can include tabletop exercises, technical recovery tests, and operational runbooks.
  • Operational workarounds: manual processes, alternative channels, degraded-mode operations, or internal contingencies that keep critical outcomes moving while a provider issue is resolved.

    • Match mitigations to the type of concentration

    Not all concentration is the same. The mitigation that helps depends on where the dependency is concentrated.

    If concentration is primarily at provider group level, mitigations often focus on exit planning, portability, and strong contractual oversight, because a group-level issue can affect multiple “different” vendors at once. If concentration is primarily geographic, mitigations may lean toward multi-region delivery, alternative operational locations, or recovery procedures that do not rely on the same local infrastructure. If the concentration sits in a subcontractor chain, the focus is often on transparency, notification of material changes, and verification that downstream dependencies are covered by resilience expectations.

    The reality is that smaller entities may not have the resources to build complex multi-provider architectures. Proportionate mitigation can still be meaningful. A simpler but well-documented exit plan, a tested data export and restore routine, and clear contractual rights may be more realistic and more defensible than an ambitious design that never gets tested.

    Document decisions so the register supports supervisory Q&A

    One of the easiest ways to reduce pain during supervisory review is to document your rationale while you are making decisions, not months later. In practice, that often means keeping a clear link between:

  • the concentration indicator you observed (provider group, critical function dependence, geography, subcontracting)
  • the impact statement (what could be disrupted, across which entities or functions)
  • the decision (accept, mitigate, reduce over time, or redesign)
  • the evidence (exit plan version, test results, contract clause review outcome, governance approvals)

    • Done well, this turns the Register of Information from a static output into something you can actually use in conversations with internal stakeholders and supervisors. It also helps avoid a common problem: having a good mitigation plan in one team’s files, but no traceability back to the register records and critical function mapping that triggered it.

    How tools can help without replacing judgment

    By this stage, most compliance teams understand that spreadsheets can reach a breaking point. They may still be useful early on, but concentration analysis becomes harder when naming is inconsistent, records are duplicated, and updates are scattered across business units.

    With features such as automated workflows, audit trail, configurable reports and analytics, data import support, public-source enrichment, and XBRL-ready report generation described in DORApp documentation, compliance teams can work with a more controlled operating model. That is especially helpful when the goal is not only to file a report, but also to review provider concentration across functions, countries, and service dependencies.

    DORApp is modular, with the Register of Information at the center and adjacent modules for third-party risk management and other DORA workflows either available or on the roadmap. In practice, that may help institutions connect register data to broader operational oversight rather than treating reporting as a one-time exercise.

    What a good tool should actually improve

    A platform should not make the risk decision for you. It should make it easier to:

  • maintain consistent provider records
  • trace relationships across entities, functions, and services
  • validate data before submission
  • generate evidence for internal review and supervisory questions
  • support repeatable updates over time

    • If you want to browse related content, the Dorapp categories for Register of Information and Digital Operational Resilience are good next stops. And if you are evaluating operational support, DORApp is one platform worth exploring through its Free Trial – 14 Days or by using the Book a Demo option for a more guided review.

    Disclaimer: The information in this article is intended for general informational and educational purposes only. It does not constitute professional technical, legal, financial, or regulatory advice. Website performance outcomes, platform capabilities, and business results will vary depending on your specific circumstances, goals, and implementation. Always evaluate tools and platforms based on your own needs and, where relevant, seek professional guidance.

    This article is for informational purposes only and does not constitute financial, legal, or regulatory advice. DORA compliance requirements may vary based on your institution type, size, and national regulatory framework. Content referencing regulated industries is provided for general context only and should not be interpreted as legal, regulatory, compliance, or financial advice. If you operate in a regulated sector, always consult qualified financial, legal, and compliance professionals for guidance specific to your situation.

    Frequently Asked Questions

    What is dora concentration risk in simple terms?

    DORA concentration risk is the risk that your institution depends too heavily on a small number of ICT providers, provider groups, subcontractors, or locations. If one of those concentrated dependencies fails, several important services or functions could be disrupted at the same time. In simple terms, it is about avoiding too many eggs in one basket. The challenge is that the basket is not always obvious. Different contracts may still point to the same group, infrastructure, or subcontracted service chain, which is why structured register data matters.

    Is concentration risk explicitly part of the Register of Information?

    Not as a single box labeled “concentration risk score,” but the Register of Information contains much of the data used to identify it. Provider identity, group relationships, service details, countries, criticality links, and subcontracting information all help compliance teams analyze dependency. So the register is usually the starting point, not the final answer. Your institution still needs governance, risk assessment, and business input to decide whether the level of concentration is acceptable and what mitigation may be needed.

    Does using multiple vendors automatically reduce concentration risk?

    No, not necessarily. You may have several direct vendors that rely on the same parent company, cloud environment, subcontractor, or operational location. That creates the appearance of diversification without true resilience. This is why many teams now look beyond contract counts and focus on underlying dependency. Real diversification usually depends on independence, substitutability, and operational separation. If multiple vendors fail in the same event, your concentration may still be high even if your spreadsheet shows several names.

    What data points are most useful for spotting concentration risk?

    The most useful data points usually include provider legal name, provider group, supported critical or important functions, service type, country of provision, hosting or processing location, subcontractor involvement, and entity-level usage. Good data consistency is just as important as field coverage. If names are duplicated or relationships are unclear, patterns may be missed. Many institutions also review contract duration, termination rights, and practical substitutability alongside the register, because concentration is a resilience question, not only a reporting one.

    How often should concentration risk be reviewed?

    In many cases, it should be reviewed as part of regular Register of Information maintenance and also when major changes happen. Examples include onboarding a new critical ICT service, renewing a major provider contract, entering a new country, or identifying a material subcontracting change. Annual review alone may be too slow for institutions with active provider changes. A more practical model is periodic review with trigger-based reassessment. The right cadence depends on your institution’s size, complexity, and supervisory expectations.

    Is concentration risk only about large cloud providers?

    No. Large cloud providers often get the attention because they can support many critical services across the market, but concentration risk can arise with smaller niche vendors too. A local managed service provider, a sector-specific software provider, a data feed, or a specialist subcontractor may create a serious dependency if there are few alternatives or if several critical functions rely on that service. The key issue is not provider size alone. It is the combination of dependency, criticality, substitutability, and operational impact.

    Can a tool solve concentration risk for us?

    A tool can help you identify, organize, and monitor concentration indicators, but it cannot replace institutional judgment. You still need decisions from compliance, ICT, procurement, legal, and business owners about whether a concentration is acceptable and what controls should follow. The best platforms improve data quality, traceability, reporting, and workflow discipline. That makes it easier to see the risk and evidence your review. The actual risk appetite, mitigation, and governance choices remain your responsibility.

    Why does concentration risk matter more in 2026 than it did at initial filing?

    Because 2026 is increasingly about demonstrating that DORA compliance is operational, not just documented. Early efforts focused heavily on creating the Register of Information and getting submissions technically right. Now supervisors are more likely to ask what your data tells you, how you use it, and whether your oversight process is working over time. Concentration risk sits right in that shift. It shows whether your register supports real resilience management rather than functioning as a static reporting archive.

    How does subcontracting affect concentration risk under DORA?

    Subcontracting can significantly increase concentration risk because dependencies often sit below the direct contract level. Two separate providers may depend on the same downstream infrastructure or specialist subcontractor. If that underlying party fails, your exposure may be much larger than it first appears. Based on current guidance and the 2025 subcontracting developments, institutions should pay close attention to material subcontracting chains, especially where critical or important functions are involved. Clear visibility into those relationships is increasingly important for defensible oversight.

    What is a practical first step if our register is still messy?

    Start by cleaning the provider master data and mapping critical or important functions consistently. In practice, that usually gives you the fastest improvement in concentration visibility. Standardize legal names, identify parent groups, remove duplicates, and make sure function links are accurate. After that, review country fields and subcontracting data. You do not need a perfect dataset to begin, but you do need enough consistency to spot patterns. A controlled import and validation workflow can help if your current data lives in multiple spreadsheets.

    What is a concentration risk?

    A concentration risk is the risk that too much operational impact is tied to a single dependency or a small cluster of dependencies. In ICT third-party terms, that usually means one provider, one provider group, one subcontractor, one region, or one shared infrastructure component supports a large share of important services. If that dependency is disrupted, the impact can spread quickly across multiple processes and teams.

    What is DORA in risk?

    In a risk context, DORA is an EU regulatory framework focused on digital operational resilience. It connects ICT risk management, incident handling, operational resilience testing, and ICT third-party oversight into a more structured set of expectations. Concentration risk fits into this because heavy dependency on a small set of ICT providers can amplify the impact of incidents and make recovery harder if substitution and exit options are limited.

    How is concentration risk calculated?

    Typically, it is calculated using a set of consistent indicators rather than one universal formula. Many teams use measures like spend share, the number of critical services per provider or provider group, workload or volume share, and single point of failure mapping. Some institutions use simple tier bands, while others use weighted scores based on criticality, substitutability, and geographic or subcontractor clustering. The best method is usually the one you can explain clearly and repeat over time with evidence from your register and governance process.

    How to assess vendor concentration risk?

    A practical approach is to start with your Register of Information and identify which vendors and vendor groups support critical or important functions, where services cluster in the same region, and where subcontractors create shared dependencies. Then add business context: how replaceable the service really is, what the exit path would look like, and what a disruption would affect. Many institutions formalize this with a simple score or tiering model and document the rationale and mitigation decisions so the assessment holds up in internal challenge and supervisory review.

    Key Takeaways

  • DORA concentration risk is about dependency on too few providers, groups, locations, or subcontracting chains, not just vendor count.
  • The Register of Information is usually the first place where concentration becomes visible, but it is only part of the assessment.
  • Good analysis depends on clean data, especially provider identity, group relationships, function criticality, geography, and subcontracting.
  • In 2026, supervisors are increasingly focused on whether institutions can use register data for real oversight, not only for technical submission.
  • Tools may improve data quality, workflow control, and evidence generation, but they do not replace internal risk judgment.

    • Conclusion

    DORA concentration risk is one of those topics that sounds narrow until you start tracing how ICT services support your business. Then it becomes clear that this is not just about vendor management. It is about resilience, decision-making, and knowing where your institution could be more exposed than it first appears.

    If your Register of Information is treated as a living management dataset rather than a one-time reporting file, it can reveal concentration patterns early enough for useful action. That may mean better mitigation, stronger oversight, cleaner evidence for regulators, and more confident conversations across compliance, procurement, ICT, and leadership teams.

    DORApp's approach is built around making that operational work more structured and manageable, especially where Register of Information data, validation, reporting, and audit traceability need to fit together. If you want to explore how DORApp handles these challenges, you can start with a demo or browse more practical guidance on the Dorapp blog.

    M

    About the Author

    Matevž Rostaher is Co-Founder and Product Owner of DORApp. He brings deep experience in building secure and compliant ICT solutions for the financial sector and is positioned by DORApp as an expert trusted by financial institutions on complex regulatory and operational challenges. DORApp’s own webinar materials list him as CEO and Co-Founder of Skupina Novum d.o.o. and CEO and Co-Founder of FJA OdaTeam d.o.o. His articles should carry the voice of someone who understands not just compliance requirements, but the systems and delivery realities behind them.