← All posts

DORA GRC April 2026: Audit Package Builder, AI Contract Review, and What We Shipped This Quarter

The first wave of DORA inspections is underway. Finanstilsynet in Norway ran 21 ICT inspections in 2023-2024 and has ramped up further this year. The Danish FSA is running risk-based reviews of systemically important institutions. Finansinspektionen in Sweden sent out survey assessments to inform their 2026 on-site programme.

The question we kept hearing from compliance teams was the same everywhere: "When the auditor asks for documentation, how do I pull everything together without spending two weeks on it?"

That is the problem we set out to solve this quarter.

NCA Audit Package Builder

The new Audit Package module lets you assemble a structured documentation package for your NCA auditor in minutes instead of days.

You select which topics to include from a checklist of 48 items across all five DORA pillars — ICT risk management, incident reporting, resilience testing, third-party oversight, and cross-pillar governance. Each topic maps to specific DORA articles and RTS references, so you know exactly what regulatory requirement each document addresses.

The output is a ZIP file with a folder structure that mirrors what auditors expect to receive:

  • PDF reports for narrative and visual content — risk heatmaps, bowtie analyses, business impact assessments, major incident reports, BCP plans, TLPT documentation, exit plans, and the board executive summary
  • Excel workbooks for data the auditor wants to filter and cross-reference — risk registers, asset inventories, control libraries, provider registers, contract compliance matrices, and the full audit trail
  • Collected files from your document library — policies, evidence attachments, incident reports, and vendor questionnaires pulled directly from storage

Every PDF and Excel file follows a consistent format: confidentiality banner, entity branding, DORA article references, and standardised headers and footers. The cover page includes editable fields for entity name, auditor details, reference numbers, and period scope.

We built this based on what Nordic NCAs actually request during inspections. The topic list covers the 20 mandatory ICT policies required by the RTS, the EBA Register of Information format, Art. 30 contract clause analysis, and the incident reporting evidence trail that Finanstilsynet specifically checks.

AI-Assisted Contract Review

Reviewing ICT provider contracts against DORA Article 30 is tedious and error-prone when done manually. Each contract needs checking against 11 mandatory clauses — and for providers supporting critical or important functions, the requirements are stricter.

The AI Contract Review module uses a large language model to analyse your uploaded contract PDFs clause by clause. It identifies which of the 11 Article 30(2) requirements are present, adequate, weak, or missing, and generates a gap report with specific remediation suggestions.

The 6-step Contract Wizard walks through the analysis:

  • Upload the contract PDF
  • AI analyses clauses 1-3 (service description, subcontracting, data locations)
  • Clauses 4-6 (data protection, access/recovery, SLAs)
  • Clauses 7-9 (incident assistance, termination rights, training)
  • Clauses 10-11 (audit/inspection rights, exit strategy)
  • Summary with strength ratings and one-click task creation for identified gaps

Each clause gets a strength rating — strong, adequate, weak, or missing — so you can prioritise which contracts need renegotiation first.

AI-Assisted Incident Classification

When an ICT incident occurs, you have 4 hours from classification to file your initial notification with your NCA. The classification decision itself — major or minor — depends on seven criteria defined in DORA Article 18 and further specified in RTS 2024/1772.

The incident classification module now uses AI to suggest a classification based on the information you enter. As you work through the wizard steps describing the incident — clients affected, duration, geographic spread, data losses, service criticality, economic impact, and transactions affected — the system provides real-time AI suggestions for each criterion.

You remain in full control. The AI suggestions are exactly that — suggestions. You can accept or override each one, and the final classification decision is always yours. The system logs the AI suggestion alongside your actual decision for audit trail purposes.

What Else Shipped in Q1

Beyond the headline features, we shipped a number of improvements across the platform:

Resilience and testing. The BCP module now supports scenario-based testing with RTO/RPO achievement tracking, provider substitution testing, and data integrity verification. BCP findings link directly to remediation tasks. Board reporting. The executive board report PDF now includes a cover page with entity branding, six structured sections covering KPIs across all pillars, RoI submission status, and A4 print-optimised layout. This is the report your management body needs under Article 5(2). Gap analysis. The 50-question DORA readiness assessment now generates gap items automatically and links them to remediation tasks. Scores are broken down by pillar so you can see exactly where your programme is weakest. Vendor due diligence. The questionnaire module supports vendor self-assessment via a portal link, with knockout question tracking and aggregated risk scoring per provider. Register of Information. The RoI export now generates the full EBA ITS xBRL-CSV package with all 15 templates, filing indicators, and report metadata. This is the format your NCA requires for the annual submission.

What Is Coming Next

We are working on several items for Q2 2026:

  • Policy templates — pre-built templates for the 20 mandatory ICT policies required by the DORA RTS, ready to customise for your organisation
  • CSV import for bulk loading risk, asset, and provider data from existing spreadsheets
  • Jira integration for teams that manage remediation tasks in external project management tools

If you are preparing for your first NCA inspection or want to see how the audit package builder works with your data, you can request a demo or start a free trial.

Ready to simplify DORA compliance?

Purpose-built platform for EU financial entities. Start your free trial today.

Get Started →