
How DORA-ready is your organisation?

Answer 20 questions across 5 ICT resilience pillars. Get an instant AI-powered gap analysis with your top priorities — delivered to your inbox.

20 questions
~5 minutes
AI gap analysis
Free report by email
🛡️ Sensitive information notice: This assessment may ask about your ICT systems, testing results, and third-party dependencies. Do not share specific system names, vendor contracts, test findings, or technical details that could expose your operational infrastructure. Answer at a policy and process level only.

Based on: Regulation (EU) 2022/2554 — DORA

Paid Assessment

DORA ICT Risk Assessment

Get a full AI-powered gap analysis across 5 DORA pillars — with DORA article references and recommended next steps based on your entity type.


Step 1 of 6 — Organisation Profile

Tell us about your organisation

DORA applies exclusively to financial sector entities as defined in Article 2. This helps us confirm your scope and tailor the assessment to your entity type.

Step 2 of 6 — ICT Risk Management

ICT risk management framework

DORA Chapter II requires financial entities to maintain a robust ICT risk management framework as part of their overall risk management system.

Does your organisation have a documented ICT risk management framework approved by the management body?
DORA Art. 5–6: The management body must approve, oversee, and be accountable for the ICT risk management framework.

Do you maintain a continuously updated ICT asset inventory covering all systems supporting critical or important functions?
DORA Art. 8: Financial entities must identify all assets and map interdependencies to understand their attack surface.

Do you have documented business continuity and ICT disaster recovery plans that are tested at least annually?
DORA Art. 11: BCPs and ICT DRPs must address recovery time objectives (RTOs) and recovery point objectives (RPOs).

Does your organisation conduct regular ICT risk assessments and update your risk treatment measures accordingly?
DORA Art. 7–10: Risk assessment must cover all elements of the ICT infrastructure and be reviewed at least annually.

Step 3 of 6 — ICT Incident Management

ICT incident classification & reporting

DORA Chapter III establishes strict requirements for detecting, classifying, and reporting major ICT-related incidents to competent authorities within tight deadlines.

Do you have a defined process for detecting, classifying, and escalating ICT incidents based on DORA's materiality criteria?
DORA Art. 17–18: Incidents must be classified using DORA's criteria (clients affected, data loss, duration, geographic spread, criticality of services).

Are you able to submit an initial notification to your competent authority within 4 hours of classifying a major incident?
DORA Art. 19: Initial report within 4 hours (max 24h after awareness); intermediate report within 72 hours; final report within 1 month.

Do you have a process for notifying clients affected by major ICT incidents that impact their financial interests?
DORA Art. 19(4): Financial entities must inform clients about major incidents and cyber threats that may affect their financial interests without undue delay.

Do you maintain records of all ICT-related incidents and conduct post-incident reviews for major incidents?
DORA Art. 17: All incidents must be recorded. Lessons learned from major incidents must feed back into risk management and prevention measures.

Step 4 of 6 — Resilience Testing

Digital operational resilience testing

DORA Chapter IV mandates a comprehensive testing programme including basic tests annually and threat-led penetration testing (TLPT) every three years for significant entities.

Does your organisation conduct at least annual ICT resilience testing including vulnerability assessments and scenario-based tests?
DORA Art. 25–26: Basic testing programme includes vulnerability scans, network security assessments, gap analyses, and scenario-based tests as appropriate.

Has your organisation assessed whether it is required to conduct Threat-Led Penetration Testing (TLPT) under DORA?
DORA Art. 26: TLPT is mandatory every 3 years for significant financial entities as identified by competent authorities. It must cover live production systems.

Are remediation actions from testing results tracked and resolved within defined timelines?
DORA Art. 27: Entities must address identified vulnerabilities and weaknesses after testing, with full remediation confirmed and reported to the management body.

Step 5 of 6 — Third-Party ICT Risk

Third-party ICT dependency management

DORA Chapter V introduces detailed requirements for managing ICT third-party risk, including mandatory contractual provisions and oversight of critical ICT providers by EU supervisors.

Do you maintain a complete register of all ICT third-party service providers, distinguishing those supporting critical or important functions?
DORA Art. 28: A full register of ICT third-party arrangements must be maintained and reported to competent authorities annually.

Do your ICT provider contracts include the mandatory provisions required by DORA (exit strategies, audit rights, incident reporting, SLAs)?
DORA Art. 30: Contracts must include security requirements, incident notification obligations, audit access rights, exit plans, and data portability clauses.

Do you perform due diligence before onboarding ICT third-party providers and conduct ongoing monitoring of their performance?
DORA Art. 28–29: Pre-contractual risk assessment required. Ongoing oversight must cover security standards, service quality, and sub-outsourcing chains.

Do you have documented exit strategies that ensure service continuity if a critical ICT provider fails or is withdrawn?
DORA Art. 28(8): Exit strategies must address termination rights, transition periods, data migration, and operational continuity without impacting regulated activities.

Has your organisation assessed whether any of its ICT providers may be designated as a Critical Third-Party Provider (CTPP) subject to direct EU oversight?
DORA Art. 31: The ESAs (EBA, ESMA, EIOPA) can designate CTPPs. Financial entities using CTPPs face additional oversight obligations and must cooperate with Lead Overseers.

Step 6 of 6 — Your Report

Where should we send your results?

AI-generated — not legal advice. This assessment is generated using AI (Claude by Anthropic) and is indicative only. It does not constitute a formal compliance determination. For regulatory compliance, consult a qualified legal or compliance professional. See our Privacy Policy for details on data handling.

Informational use only. This tool is provided for awareness purposes to help businesses understand their current situation regarding EU regulations. It does not constitute legal, regulatory, or professional advice. Results are indicative only and should not be relied upon as a substitute for qualified legal counsel. Verdaio accepts no liability for decisions made based on this tool’s output. Your inputs are processed ephemerally and are not stored or used for model training.