DORA compliance,
actually manageable
Managing DORA across four pillars shouldn't require three different spreadsheets and a compliance consultant. We built a platform that covers all of it in one place: governance, risk, testing, and third-party oversight.
Compliance Score
OVERALL · Q1 2026
Most entities are managing DORA in Excel. That won't hold up.
Enforcement is here. Risk registers in spreadsheets, incidents tracked by email, and documents scattered across SharePoint won't satisfy a supervisory review.
Everything is somewhere else
Risk registers in Excel, controls in SharePoint, incidents in email. When an auditor wants a coherent picture, you're spending a week pulling it together.
134 requirements, tracked by hand
Tracking what's done, what's partially covered, and what's still missing across 134 DORA Articles and Level 2 measures by hand is a full-time job on its own.
Hard to prove when it matters
When the NCA comes asking, a folder of PDFs won't cut it. You need timestamps, version history, and traceable decisions. Not a folder of documents with no owner and no date.
Up and running in days, not months
No consultants, no implementation project. You can have your first register live the same day.
Sign up & configure
Create your account, set up governance roles, and start building your ICT asset inventory. All 134 DORA and RTS/ITS requirements are pre-loaded. Nothing to map or configure.
Assess & document
Run a gap analysis against each article, build your risk register, and document critical function dependencies. The CIF Register connects everything automatically.
Monitor & report
Track where you stand across all four pillars, respond to incidents with built-in deadline tracking, and export a full audit snapshot when you need it.
All four DORA pillars
in one platform.
Every article, every RTS, every ITS — mapped to actionable modules. Not another checklist. An operational compliance system.
ICT Risk Management
Define management body responsibilities, document your ICT risk framework, and maintain your Critical or Important Functions register — the register that drives obligations across everything else.
Incident Reporting
Classify, triage, and report ICT incidents with built-in ITS 2024/2956 templates. Track timelines and manage major incident workflows end-to-end.
Resilience Testing
Plan your annual testing programme against your CIF Register, track findings through to remediation, and manage the full TLPT lifecycle for entities in scope.
Third-Party Oversight
Register all ICT providers, track the eight mandatory contractual clauses per Art. 30, and monitor concentration risk before your supervisor flags it.
EU Cyber Resilience Act
Track product security obligations, manage vulnerabilities with ENISA deadline tracking, and maintain Annex I compliance checklists for products with digital elements.
EU AI Act Compliance
Register AI systems with automatic risk tier classification, track compliance across eight regulatory pillars, and manage incident reporting and oversight logs.
Built for DORA, not retrofitted
Every module maps to a DORA article. No generic GRC framework to configure, no consultants needed to make it relevant.
134-Requirement Compliance Tracker
Every requirement from DORA Articles and Level 2 RTS/ITS measures, pre-loaded with article references and gap analysis. L1–L5 maturity scoring across your entire regulatory surface.
- 134 requirements covering DORA Articles and RTS/ITS Level 2
- L1 Initial → L5 Optimised maturity scale per requirement
- One-click task creation from identified gaps
- Per-pillar and per-article progress breakdown
| Article | Requirement | Status |
|---|---|---|
| Art. 5 | Management body approval of ICT risk framework | Compliant |
| Art. 6 | Documented ICT risk management framework | Compliant |
| Art. 8 | CIF identification and classification | Partial |
| Art. 9 | ICT risk identification and assessment | Compliant |
| Art. 11 | Business continuity policy and BIA | Gap |
Bowtie Risk Visualization
Visualize risk causes, preventive controls, risk events, recovery controls, and consequences in the industry-standard Bowtie diagram — linked to your control library.
- SVG-rendered interactive Bowtie diagrams
- 5 threat categories and 5 consequence categories
- Barrier bars linked to Control Library entries
- Quick-launch from any risk register row
Risk Heat Map & Trend Analytics
5×5 risk heat map with configurable tolerance thresholds, automatic risk appetite decisions, and historical trend charts showing how your risk posture evolves.
- Inherent and residual risk scoring (1–5 scale)
- Auto-calculated Accept / Review / Escalate decisions
- Tolerance breach alerts on the dashboard
- Historical trend charts from risk snapshots
Task & Workflow Engine
Create remediation tasks from compliance gaps, risk treatments, incidents, and test findings. Track priority, assignees, due dates, and completion — all with full audit trail.
- Auto-generated TSK-NNN IDs with audit trail
- Cross-page creation from gaps, risks, incidents, tests
- Priority levels: Critical / High / Medium / Low
- Overdue tracking and dashboard integration
| Task | Source | Priority | Status |
|---|---|---|---|
| TSK-001 | Art. 11 gap | Critical | In Progress |
| TSK-002 | Risk R-003 | High | Open |
| TSK-003 | INC-2026-001 | Critical | Done |
| TSK-004 | Test findings | High | Open |
Everything else you need
ICT Risk Framework
Three-level document hierarchy: policies, standards, and procedures. Version history, approval tracking, and gap analysis showing what's missing per article.
CIF Dependency Map
See which critical functions rely on which ICT assets and third parties. Useful when scoping tests or assessing whether your exit strategies are realistic.
Business Impact Analysis
Step-by-step BIA covering MTPD, RTO, and RPO. Criticality scoring across four impact dimensions, auto-tiered so you don't have to do the maths manually.
Incident Classification
Walk through classification against the ITS reporting criteria. Severity assessment and regulatory reporting stages are built in, so nothing gets missed when an incident is unfolding.
Full Audit Trail
Every action logged with timestamp and user. Searchable, filterable, and exportable as JSON. Exactly what you need when a regulator asks for evidence.
Role-Based Access
Three access levels: admin, analyst, viewer. Session-based auth, password policies, and full activity attribution on every record.
EU Cyber Resilience Act
Product security register, vulnerability tracker with ENISA 24h/72h/14d deadline chips, Annex I compliance checklist, and SBOM management per product.
EU AI Act Compliance
AI system register with automatic risk tier classification, 8-pillar compliance dashboard, structured risk assessment wizard, and incident logging.
Document Archive
R2-backed evidence repository for reports, assessments, and attachments. Linked to every entity in the platform with full version history.
Simple, transparent pricing
No per-user fees. No implementation consultants. One platform, one price.
- Up to 5 users
- All 4 DORA pillars
- 134-requirement compliance tracker
- Risk register & heat map
- Threat register
- Incident register
- CSV export on all registers
- Audit trail & JSON export
- Up to 20 users
- Everything in Starter
- Bowtie risk visualization
- Business Impact Analysis
- Task & Workflow engine
- Risk trend analytics
- TLPT phase management
- Priority email support
- EU CRA product tracking
- EU AI Act system register
- Document archive
- Unlimited users
- Everything in Professional
- Multi-framework mapping
- Custom report templates
- Dedicated instance
- SSO / SAML integration
- Onboarding & training
- SLA with named support
- EU CRA full module
- EU AI Act full module
Frequently asked questions
DORA (EU 2022/2554) is the EU regulation that requires financial entities to demonstrate digital operational resilience across five areas: ICT risk management, incident reporting, resilience testing, third-party risk oversight, and information sharing. It's been in force since January 2025 and applies to banks, insurers, investment firms, payment institutions, crypto-asset service providers, and their critical ICT providers.
Pretty much every regulated financial entity in the EU. Credit institutions, insurance undertakings, investment firms, payment institutions, electronic money institutions, crypto-asset service providers, and the ICT providers designated as critical (CTPPs). The regulation applies to over 22,000 entities across the EU.
The platform arrives pre-loaded with all 134 DORA and RTS/ITS requirements. Most teams have their first registers populated within a week or two. No consultants or implementation partners needed. How long the overall compliance programme takes depends on your starting point, not on setup time.
Data is stored in Cloudflare D1 and encrypted in transit with TLS 1.3. Session tokens use PBKDF2 with 100,000 iterations. Access is role-based, every action is logged, and sessions expire automatically. We don't share data with third parties.
Yes. The audit export produces a timestamped JSON snapshot of every register: governance roles, risks, controls, incidents, tests, providers, contracts, and tasks. User attribution on every entry. The audit log is separately exportable with full search and filtering.
The platform is built specifically for DORA. Multi-framework mapping to ISO 27001 and NIS2 is on the roadmap. The risk methodology follows ISO 27005 and ISO 31000, so the work you do here will translate when you get there.
Talk to us
Evaluating the platform, or just have a question about DORA? Drop us a message.
How can we help?
Whether you want a walkthrough, have a specific DORA question, or just want to see the platform before committing, send us a message and we'll get back to you.
Send a message
Not sure where you stand with DORA?
25 questions. 3 minutes. Instant maturity score across all five DORA pillars. No account needed.
Take the Free Assessment →Still managing DORA in Excel?
Free trial. No credit card, no setup fees, no consultants.