DORA has been in force since January 2025. Now what?
Most financial entities spent the better part of 2024 preparing for DORA — gap analyses, policy drafts, workshops with legal. Now that the regulation actually applies, the question has shifted from "are we ready" to "can we prove it".
That's a different problem, and spreadsheets don't solve it well.
DORA GRC is a platform built specifically for this. It covers all four pillars of the regulation, maps every register and record to the relevant article, and gives your compliance team and management body a live view of where you stand. No installations, no complex onboarding — your first register can be live the same day.
Pillar 1 — Governance and ICT Risk Framework
DORA places direct responsibility on the management body for ICT risk. Article 5 is explicit: the board approves the ICT strategy, reviews it regularly, and is personally accountable. That requires actual documentation — not a PDF filed away somewhere, but a working record that stays current.
The platform gives you a Governance Register that structures roles and responsibilities against Art. 5(2)(a–j), an ICT Framework Register for your policies and procedures, and an Asset Register with classification and ownership.
The most important module here is the CIF Register — Critical or Important Functions. This is the register that drives everything else in DORA. When you identify a function as CIF, the platform automatically surfaces the downstream obligations: which assets support it, which third parties are involved, and whether testing coverage is current. Change something in the CIF Register and the gaps appear immediately across testing and vendor management.
There's also a Board Report that pulls from live data across all registers — useful when your CISO needs to present to the management body without spending a day compiling slides.
Pillar 2 — Risk Management and Incident Reporting
The risk module is built around a guided Risk Assessment Wizard — six steps aligned to ISO 27005 and NIST SP 800-30, with inherent and residual scoring, heat map visualisation, and trend tracking over time. It's designed to be usable by your risk officers without needing a consultant in the room.
Controls sit alongside risks in a linked register, each mapped to the DORA articles they address. When an auditor asks which controls are compensating for a given risk, the answer is a few clicks away rather than a cross-referencing exercise across multiple files.
Incident management covers the full DORA lifecycle. Log an incident, classify it against Art. 18 criteria, and the platform tracks the regulatory notification deadlines automatically — four hours for initial notification, 72 hours for the intermediate report, one month for the final. Incidents that may qualify as Major ICT Incidents are flagged before you miss a deadline.
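As an added illustration (not the platform's code), the notification clock described above can be modelled as a small state machine. The reference points are an assumption of this example: the 4-hour initial clock runs from classification as major (capped at 24 hours from awareness), the 72-hour intermediate clock from submission of the initial notification, and the one-month final clock from submission of the intermediate report; the month-end clamping rule is also this example's choice.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month addition that clamps to month end (31 Jan + 1 month -> 28/29 Feb).
    Using a fixed 30 days instead would silently shift the final-report deadline."""
    month_index = dt.month - 1 + months
    year = dt.year + month_index // 12
    month = month_index % 12 + 1
    day = min(dt.day, monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


@dataclass
class IncidentClock:
    """Timestamps an incident record needs to drive the deadline clock (constructed model)."""
    aware_at: datetime                 # when the entity became aware of the incident
    classified_major_at: datetime      # when it was classified as major (Art. 18 criteria)
    initial_sent_at: Optional[datetime] = None
    intermediate_sent_at: Optional[datetime] = None
    final_sent_at: Optional[datetime] = None


def deadlines(c: IncidentClock) -> dict:
    """Due time of each report. Later clocks start from the actual submission of the
    previous report when known, otherwise from that report's own deadline (assumption)."""
    initial = min(c.classified_major_at + timedelta(hours=4),
                  c.aware_at + timedelta(hours=24))          # assumed 24h cap from awareness
    intermediate = (c.initial_sent_at or initial) + timedelta(hours=72)
    final = add_months(c.intermediate_sent_at or intermediate, 1)
    return {"initial": initial, "intermediate": intermediate, "final": final}


def overdue(c: IncidentClock, now: datetime) -> list:
    """Names of reports whose deadline has passed without a recorded submission."""
    sent = {"initial": c.initial_sent_at,
            "intermediate": c.intermediate_sent_at,
            "final": c.final_sent_at}
    return [name for name, due in deadlines(c).items()
            if sent[name] is None and now > due]
```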
Pillar 3 — Resilience Testing
Annual testing of all ICT systems supporting CIF functions is mandatory under Art. 24–25. The harder part isn't running the tests — it's keeping track of which systems are in scope, which have been tested in the last 12 months, and which are overdue.
The Testing Programme in DORA GRC solves this by pulling scope directly from the CIF Register. If a CIF function has no test record in the rolling 12-month window, it's flagged automatically. You don't have to cross-reference manually.
For entities subject to TLPT (Threat-Led Penetration Testing under the TIBER-EU framework), there's a dedicated TLPT Tracker that manages the full lifecycle — scoping, red team engagement, purple teaming, and authority sign-off — in one place. Test results link back to the risk and controls registers so remediation actions are tracked to closure.
Pillar 4 — Third-Party Risk
Third-party concentration risk is arguably where supervisory scrutiny is highest right now. Art. 28–30 set out a long list of obligations for providers supporting CIF functions: enhanced due diligence, eight mandatory contractual clauses, exit strategies, and concentration risk assessment at entity level.
The Provider Register is pre-populated from CIF links, so there's no double entry. Providers supporting CIF functions are flagged automatically for enhanced obligations. The Contract Register tracks all eight Art. 30 clauses per contract and highlights gaps. Concentration risk — by provider, geography, and function criticality — is visualised in the platform so you can see where your dependencies are clustering before your supervisor does.
All four pillars, one place
| DORA Pillar | Key Articles | DORA GRC Module |
|---|---|---|
| ICT Governance | Art. 5–10 | Governance Register, CIF Register, Asset Register, ICT Framework Register, Board Report |
| Risk & Incidents | Art. 9–20 | Risk Register, Controls Register, Incident Register |
| Resilience Testing | Art. 24–25 | Testing Programme, TLPT Tracker |
| Third-Party Risk | Art. 28–30 | Provider Register, Contract Register, Concentration Risk |
Practical to use, built for EU data requirements
The platform runs in the browser with nothing to install. Data is stored in the EU, which matters if your entity has data residency obligations. Access is role-based — your CISO, risk officers, and external auditors each see what's relevant to them.
If you're still managing DORA across spreadsheets and shared folders, now is a reasonable time to change that. Supervisory assessments are happening, and the gap between "we have a policy" and "we can demonstrate continuous compliance" is where most entities are struggling.
Get in touch if you'd like to see the platform or discuss your specific situation.