Overview

The EU Digital Operational Resilience Act (DORA) Readiness Assessment helps financial entities and ICT third-party service providers evaluate their preparedness for Regulation (EU) 2022/2554 — the EU's landmark regulation establishing uniform requirements for digital operational resilience across the financial sector.

The assessment adapts to your role, presenting the specific obligations and questions relevant to your responsibilities under DORA. For financial entities, the assessment covers approximately 60 questions across 7 domains — from ICT risk management governance through to digital operational resilience testing and information sharing. ICT third-party service providers receive a tailored question set of approximately 35 questions aligned to their distinct contractual and oversight obligations under DORA Articles 28–30.

Through structured evaluation criteria aligned to DORA's five pillars and supporting regulatory technical standards (RTS), you will assess your organisation's current readiness posture, identify compliance gaps, and develop a prioritised roadmap ahead of enforcement.

Built-in snapshot and comparison functionality allows you to save point-in-time results and track readiness improvements over time — making it straightforward to report progress to the board, regulators, and senior leadership.

DORA Enforcement Timeline

January 2023

Regulation in force

DORA entered into force. The two-year implementation period for financial entities began.

January 2025

Full application — now enforced

All DORA requirements are fully applicable. Financial entities must comply now, and competent authorities are actively supervising.

Ongoing

Critical TPSP oversight

The ESAs are designating critical ICT third-party service providers, which become subject to the EU Oversight Framework under Article 31.

Role-Based Assessments

DORA places different obligations on different entity types. This assessment adapts accordingly:

  • Financial Entity — approximately 60 questions across 7 domains. The comprehensive assessment covering all DORA pillars: ICT risk management framework, ICT protection and prevention, ICT incident management and reporting, digital operational resilience testing, ICT third-party risk management, information and intelligence sharing, and operational resilience and continuity.
  • ICT Third-Party Service Provider — approximately 35 questions. Focused on service governance, ICT risk management obligations, security and access controls, data protection and confidentiality, supply chain and sub-outsourcing management, incident management and client notification, and oversight cooperation with designated competent authorities.

Who It's For

This assessment is designed for:

  • Banks, credit institutions, and investment firms subject to DORA
  • Insurance and reinsurance undertakings and intermediaries
  • Payment institutions and e-money institutions
  • Crypto-asset service providers and issuers
  • Pension funds and central counterparties
  • ICT third-party service providers (cloud providers, software vendors, data centres) serving EU financial entities
  • GRC and operational risk teams assessing DORA compliance posture
  • Technology and cyber risk functions preparing for regulatory examination
  • Boards and senior leadership seeking visibility of DORA readiness

Typical Outcomes

Organisations using this assessment typically gain:

  • Clear understanding of current DORA readiness across all applicable pillars and domains
  • Identification of compliance gaps mapped to specific DORA articles and RTS requirements
  • Prioritised remediation roadmap for achieving and maintaining DORA compliance
  • Board-ready reporting on ICT risk and digital operational resilience posture
  • Evidence of proactive compliance effort for regulatory supervisors
  • Structured basis for ongoing DORA compliance monitoring and re-assessment
  • Snapshot comparison capability to track and demonstrate improvements over time

Assessment Coverage — Financial Entity

The financial entity assessment evaluates DORA readiness across 7 domains aligned to the regulation's five pillars:

  • ICT Risk Management — Management body accountability, ICT risk management framework, risk identification and classification, protection and prevention controls, detection capabilities, response and recovery procedures, backup and restoration, ICT continuity management, and digital operational resilience strategy
  • ICT Protection & Prevention — Asset management, system hardening, access controls, network segmentation, patch management, encryption, and physical security of ICT infrastructure
  • ICT Incident Management & Reporting — Incident classification, major incident criteria, regulatory reporting to competent authorities within mandated timeframes, client and counterparty notification, and post-incident review processes
  • Digital Operational Resilience Testing — Basic testing programme, advanced threat-led penetration testing (TLPT) for significant entities, test coverage and frequency, remediation of identified vulnerabilities, and testing of critical systems
  • ICT Third-Party Risk Management — Pre-contractual due diligence, contract requirements under Article 30, monitoring of critical third-party arrangements, concentration risk management, and exit strategy planning
  • Information & Intelligence Sharing — Participation in threat intelligence sharing arrangements, information sharing agreements, and cyber threat information exchange with competent authorities
  • Operational Resilience & Continuity — Business impact analysis, recovery time and recovery point objectives, crisis communication, operational continuity plans for critical functions, and scenario testing

Assessment Coverage — ICT Third-Party Service Provider

The ICT TPSP assessment covers obligations under DORA Articles 28–30 and the EU Oversight Framework:

  • Service Governance & ICT Risk Management — Internal ICT risk framework, governance structure, senior management accountability, and alignment with financial entity client requirements
  • Security & Access Controls — Access management, privileged access controls, network security, vulnerability management, and security monitoring for services provided to financial entities
  • Data Protection & Confidentiality — Data classification, encryption at rest and in transit, data segregation between financial entity clients, and confidentiality obligations
  • Supply Chain & Sub-outsourcing — Sub-outsourcing arrangements, contractual flow-down of DORA requirements, fourth-party risk management, and sub-outsourcer notification obligations
  • Incident Management & Client Notification — ICT incident detection and response, client notification obligations, major incident reporting chains, and post-incident review
  • Oversight, Audit & Regulatory Cooperation — Cooperation with ESA Lead Overseers for critical TPSPs, audit rights, inspection access, and regulatory information requests under Article 31

What You Receive

Executive Summary Report

Board-ready overview with readiness scores by DORA domain and pillar, exportable to Word format.

Detailed Gap Register

Comprehensive findings mapped to specific DORA articles and RTS requirements with risk ratings, exportable to Excel.

Readiness Visualisations

Charts showing domain-by-domain DORA readiness for board and stakeholder presentations.

Prioritised Remediation Roadmap

Actionable recommendations ranked by risk to guide your path to DORA compliance.

Snapshot Comparison Reports

Save point-in-time snapshots and compare against previous assessments to track and demonstrate readiness improvements over time.

Assess Your DORA Readiness

Get in touch to see the EU Digital Operational Resilience Act Readiness Assessment in action.


Further Reading

Is Your Organisation Ready for DORA? What Financial Entities Need to Know

A plain-language guide to DORA's five pillars, who is in scope, key obligations for financial entities and ICT third-party service providers, and where organisations most commonly find compliance gaps.