Know exactly where you stand with DORA.
DORA imposes strict requirements on the digital resilience of financial institutions and has applied since January 2025.
What is a DORA Readiness Assessment?
A DORA Readiness Assessment tests your organisation against the requirements of the Digital Operational Resilience Act and shows where you stand. You receive a gap analysis per DORA domain, a maturity score and a prioritised roadmap. DORA covers ICT risk management, incident reporting, resilience testing and third-party risk, and has applied since January 17, 2025.
DORA sets strict requirements for financial institutions
DORA (Digital Operational Resilience Act) imposes stringent requirements on the digital resilience of financial institutions. ICT risk management, incident reporting, resilience testing and third-party risk management: DORA touches the full spectrum of your digital operation.
DEFION's team combines knowledge of the financial sector with deep security expertise, ensuring the assessment is not only compliant but also practical. DORA is not a checkbox exercise. It requires demonstrable resilience: not only policy, but also tested procedures and validated recovery capabilities.
The assessment evaluates not only whether you have documents but whether your measures actually work. The output is a concrete action plan that your organisation can directly implement.
You know DORA compliance cannot wait
DORA has been in force since January 2025. Financial institutions that are not compliant face supervisory scrutiny, sanctions and reputational damage.
- ICT risk management, incident reporting and resilience testing each have specific DORA requirements that differ from existing frameworks, creating unexpected gaps.
- Third-party ICT risk management under DORA is extensive: every critical ICT provider must be assessed and contractually secured according to specific requirements.
- Without a prioritised roadmap, the compliance programme becomes a costly and time-consuming effort without clear milestones or measurable progress.
What the assessment covers
- ICT risk management framework
- ICT-related incident reporting
- Digital Operational Resilience Testing (including TLPT)
- ICT Third-Party Risk Management
- Information sharing
- Governance and organisation
- Business continuity and recovery
How DEFION conducts a DORA assessment
Applicability assessment
Classification and scope determination within DORA. Which entity type are you and which requirements apply?
Current state assessment
Assessment of existing measures against DORA requirements across all five pillars.
Gap analysis
Identification of missing measures per DORA domain with risk classification and compliance maturity scoring.
Third-party risk review
Assessment of your critical ICT providers against DORA third-party risk requirements.
Roadmap development
Implementation plan with timeline, quick wins and resource requirements per DORA domain.
Board presentation
Presentation of results and recommendations to management and board with executive summary.
Deliverables
- DORA gap analysis report per domain
- Compliance maturity score per DORA pillar
- Prioritised implementation roadmap
- Third-party risk assessment results
- Executive summary for management and board
- Optional: implementation support
Suitable for
- Banks, insurers, investment firms and other financial entities
- ICT service providers to the financial sector (critical ICT third-party providers)
- Pension administrators
- Payment institutions and e-money institutions
FAQ
When does DORA apply?
How does DORA relate to NIS2?
Does DORA require penetration tests?
What are the consequences of non-compliance?
Do you help with Third-Party Risk Management?
Ready to map your DORA position?
Tell us what you need. We scope the right approach and start within days.