Tool · DORA Compliance Score

How DORA-compliant are you, pillar by pillar?

Twenty questions across DORA's five pillars: ICT risk management, ICT-related incident reporting, digital operational-resilience testing, ICT third-party risk, and information sharing. Pick a status for each to get a live overall score, per-pillar bands and the top five gaps to close. DORA (Regulation (EU) 2022/2554) applies from 17 January 2025.

ICT Risk Management

Critical gap · 0

Governance, asset register, BIA, BCP, awareness

Board-approved ICT risk management framework documented and reviewed annually · Article 5–6

DORA Articles 5–6 — the management body defines, approves and oversees the ICT risk management framework (Article 5); the framework is documented and reviewed at least once a year and after major ICT-related incidents (Article 6(5)).

ICT asset inventory complete and maintained · Article 8

DORA Article 8 — comprehensive register of all ICT assets supporting business functions, classified by criticality.

Business-impact analysis identifies all critical / important functions · Article 11

DORA Article 11 — BIA documented and updated at material change.

ICT business-continuity policy + recovery plans tested in last 12 months · Article 11–12

DORA Articles 11–12 — BCP, ICT response and recovery plans, recovery-time objectives, recovery-point objectives.

Cybersecurity awareness programme covers all staff annually · Article 13

DORA Article 13 — ICT security awareness programmes and digital operational resilience training as compulsory modules for all staff and senior management (Article 13(6)).

Incident Reporting

Critical gap · 0

Classification, 4h/72h/1mo timelines, threat reporting

ICT incident classification matrix in place per RTS criteria · Article 18

DORA Article 18 + RTS on classification — classify by number and relevance of clients affected, duration and service downtime, geographic spread, data losses, criticality of the services affected, and economic impact; incidents meeting the RTS thresholds are "major" and trigger Article 19 reporting.

Incident-reporting workflow can hit 4-hour initial / 72-hour intermediate / 1-month final timelines · Article 19

DORA Article 19(4) and the RTS on reporting under Article 20 — initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it; intermediate report within 72 hours of the initial notification; final report within one month of the intermediate (or latest updated intermediate) report.

Significant cyber-threat reporting tested at least once · Article 19(2)

DORA Article 19(2) — notification of significant cyber threats is voluntary and carries no fixed deadline, but uses the same reporting templates and channel as major-incident reports (ITS under Article 20); test the path before it is needed.

Customer-facing notification process documented for client-affecting incidents · Article 19(3)

DORA Article 19(3) — where a major incident affects clients' financial interests, inform them without undue delay of the incident and the measures taken to mitigate it; for a significant cyber threat, tell potentially affected clients which protective measures they should consider.

Operational Resilience Testing

Critical gap · 0

Vulnerability scans, pen tests, TLPT, remediation

Annual digital operational-resilience testing programme documented · Article 24

DORA Article 24 — sound, comprehensive and risk-based testing programme within the ICT risk management framework, proportionate to the entity's size and risk profile and run by independent testers, with ICT systems supporting critical or important functions tested at least yearly (Article 24(6)).

Vulnerability scans + penetration tests executed in last 12 months · Article 25

DORA Article 25 — tests drawn from vulnerability assessments and scans, open-source analyses, network security assessments, gap analyses, source code reviews where feasible, scenario-based, performance and end-to-end testing, and penetration testing, covering the ICT systems that support critical or important functions.

Threat-Led Penetration Testing (TLPT) performed where designated by the competent authority · Article 26

DORA Article 26 + RTS on TLPT (TIBER-EU-aligned) — at least every 3 years for the financial entities their competent authority identifies under Article 26(8), performed on live production systems and covering several or all critical or important functions, including the ICT third-party providers that support them.

Test-finding remediation tracked and closed against SLA · Article 24(5)

DORA Article 24(5) — procedures to prioritise, classify and remedy every issue the tests reveal, with internal validation that identified weaknesses, deficiencies and gaps are fully addressed.

Third-Party Risk Management

Critical gap · 0

Register, DD, contract clauses, concentration, sub-outsourcing

Register of information for ICT third-party arrangements complete · Article 28

DORA Article 28(3) — structured, continuously updated; submitted to NCA on request.

Pre-engagement due diligence on ICT third-parties supporting critical / important functions · Article 28(4)

DORA Article 28(4) — before contracting, assess whether the service supports a critical or important function, identify all relevant risks including ICT concentration risk, carry out due diligence on the provider's suitability, and identify conflicts of interest.

Mandatory contract clauses present (Article 30(2) for all arrangements; Article 30(3) additions for critical / important functions) · Article 30

DORA Article 30 — 30(2) for every ICT arrangement: full description of functions and services, locations where services are provided and data processed, protection of data availability, integrity and confidentiality, access and return of data on termination, service-level descriptions, incident assistance, cooperation with competent authorities, termination rights and notice periods; 30(3) adds for critical or important functions: full SLAs with measurable targets, notice and reporting obligations, contingency-plan testing, participation in TLPT, unrestricted access and audit rights, and exit strategies.

Concentration risk assessed at portfolio level + multi-vendor / exit strategy · Article 28(8), 29

DORA Articles 28(8) and 29 — documented exit strategies with transition plans for services supporting critical or important functions (28(8)); preliminary assessment of ICT concentration risk before contracting, including provider substitutability and sub-contracting chains (29).

Sub-outsourcing chains mapped and monitored · Article 30(2)(a)

DORA Article 30(2)(a)–(b) — contracts state whether subcontracting of services supporting critical or important functions is permitted and on what conditions, and where services are provided and data processed, with notice of changes; the RTS on subcontracting under Article 30(5) details what to assess and monitor along the chain.

Information Sharing

Critical gap · 0

Voluntary cyber threat-intel arrangements

Decision documented on participation in cyber threat-information-sharing arrangements · Article 45

DORA Article 45 — participation is voluntary; document the decision and its rationale, and notify the competent authority when membership is validated and when it ceases (Article 45(3)).

Information-sharing arrangements respect confidentiality, GDPR and competition rules · Article 45(2)

DORA Article 45(1)–(2) — exchange may cover indicators of compromise, tactics, techniques and procedures, cyber security alerts and configuration tools; arrangements must protect the sensitive nature of the information and operate under rules of conduct that respect business confidentiality, personal-data protection under Regulation (EU) 2016/679 and competition policy.

Dataset version 2026-05-06. No data is sent or stored. Computation runs locally.

Overall: 0 / 100 · Critical gap
Per pillar: ICT 0 · Incident 0 · Operational 0 · Third-Party 0 · Information 0
Top 5 gaps to close

Ordered by combined pillar weight and status weakness, so closing them in this order gives the largest score uplift per item closed. The ranking models score impact only; it does not estimate the remediation effort each item takes.

01
Register of information for ICT third-party arrangements complete
Third-Party Risk Management · Article 28
02
Mandatory contract clauses present (Article 30(2) for all arrangements; Article 30(3) additions for critical / important functions)
Third-Party Risk Management · Article 30
03
Board-approved ICT risk management framework documented and reviewed annually
ICT Risk Management · Article 5–6
04
ICT incident classification matrix in place per RTS criteria
Incident Reporting · Article 18
05
Incident-reporting workflow can hit 4-hour initial / 72-hour intermediate / 1-month final timelines
Incident Reporting · Article 19
Per-pillar weakest items
ICT Risk Management · 0 / 100
  • Board-approved ICT risk management framework documented and reviewed annually · Article 5–6
  • ICT asset inventory complete and maintained · Article 8
  • Business-impact analysis identifies all critical / important functions · Article 11
Incident Reporting · 0 / 100
  • ICT incident classification matrix in place per RTS criteria · Article 18
  • Incident-reporting workflow can hit 4-hour initial / 72-hour intermediate / 1-month final timelines · Article 19
  • Significant cyber-threat reporting tested at least once · Article 19(2)
Operational Resilience Testing · 0 / 100
  • Annual digital operational-resilience testing programme documented · Article 24
  • Vulnerability scans + penetration tests executed in last 12 months · Article 25
  • Threat-Led Penetration Testing (TLPT) performed where designated by the competent authority · Article 26
Third-Party Risk Management · 0 / 100
  • Register of information for ICT third-party arrangements complete · Article 28
  • Pre-engagement due diligence on ICT third-parties supporting critical / important functions · Article 28(4)
  • Mandatory contract clauses present (Article 30(2) for all arrangements; Article 30(3) additions for critical / important functions) · Article 30
Information Sharing · 0 / 100
  • Decision documented on participation in cyber threat-information-sharing arrangements · Article 45
  • Information-sharing arrangements respect confidentiality, GDPR and competition rules · Article 45(2)
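As an added example of the scoring mechanics this page describes (not the live tool's own code), the Python below turns a status per question into per-pillar scores and bands, a weighted overall score, and a top-five gap list ranked by the overall-score uplift each item would give: pillar weight times remaining status weakness, spread over the pillar's item count. The pillar weights, status credits, band thresholds and the sample answer set are assumptions; the page does not publish the values the live tool uses.

```python
from dataclasses import dataclass

# Fraction of credit a question earns for each selectable status (assumed values).
STATUS_CREDIT = {"done": 1.0, "partial": 0.5, "planned": 0.25, "missing": 0.0}

# Weight of each pillar in the overall score (assumed; sums to 1.0).
PILLAR_WEIGHT = {
    "ICT Risk Management": 0.30,
    "Incident Reporting": 0.20,
    "Operational Resilience Testing": 0.15,
    "Third-Party Risk Management": 0.25,
    "Information Sharing": 0.10,
}

# Lower bound of each band, checked top-down (assumed thresholds; the page itself
# only names the "Critical gap" band).
BANDS = [(80, "Substantially compliant"), (60, "Partial"), (40, "Material gap"), (0, "Critical gap")]

@dataclass(frozen=True)
class Question:
    qid: str
    pillar: str
    text: str

ICT, INC, TST, TPR, INF = PILLAR_WEIGHT  # unpacks the five pillar names in order
# The page's twenty checklist items as (id, pillar, text) rows.
QUESTIONS = [Question(*row) for row in [
    ("ict-1", ICT, "ICT risk framework board-approved, reviewed annually (Art. 5-6)"),
    ("ict-2", ICT, "ICT asset inventory complete and maintained (Art. 8)"),
    ("ict-3", ICT, "BIA identifies critical / important functions (Art. 11)"),
    ("ict-4", ICT, "BCP and recovery plans tested in last 12 months (Art. 11-12)"),
    ("ict-5", ICT, "Awareness programme covers all staff annually (Art. 13)"),
    ("inc-1", INC, "Incident classification matrix per RTS criteria (Art. 18)"),
    ("inc-2", INC, "Workflow meets 4h / 72h / 1-month reporting timelines (Art. 19)"),
    ("inc-3", INC, "Significant cyber-threat reporting tested (Art. 19(2))"),
    ("inc-4", INC, "Client notification process documented (Art. 19(3))"),
    ("tst-1", TST, "Annual resilience testing programme documented (Art. 24)"),
    ("tst-2", TST, "Vulnerability scans and pen tests in last 12 months (Art. 25)"),
    ("tst-3", TST, "TLPT performed where designated (Art. 26)"),
    ("tst-4", TST, "Test findings remediated against SLA (Art. 24)"),
    ("tpr-1", TPR, "Register of information complete (Art. 28(3))"),
    ("tpr-2", TPR, "Pre-contract due diligence on critical providers (Art. 28)"),
    ("tpr-3", TPR, "Mandatory contract clauses present (Art. 30)"),
    ("tpr-4", TPR, "Concentration risk assessed, exit strategy documented (Art. 28-29)"),
    ("tpr-5", TPR, "Sub-outsourcing chains mapped and monitored (Art. 30(2))"),
    ("inf-1", INF, "Decision on threat-intel sharing documented (Art. 45)"),
    ("inf-2", INF, "Sharing respects confidentiality and GDPR (Art. 45(2))"),
]]

def _credit(status: str) -> float:
    if status not in STATUS_CREDIT:
        raise ValueError(f"unknown status {status!r}; expected one of {sorted(STATUS_CREDIT)}")
    return STATUS_CREDIT[status]

def pillar_scores(answers: dict[str, str]) -> dict[str, float]:
    """Score 0..100 per pillar: mean credit of its questions. Unanswered
    questions count as 'missing', which is the tool's all-zero default state."""
    credits: dict[str, list[float]] = {p: [] for p in PILLAR_WEIGHT}
    for q in QUESTIONS:
        credits[q.pillar].append(_credit(answers.get(q.qid, "missing")))
    return {p: 100 * sum(c) / len(c) for p, c in credits.items()}

def overall_score(answers: dict[str, str]) -> float:
    scores = pillar_scores(answers)  # weighted sum of pillar scores, 0..100
    return sum(PILLAR_WEIGHT[p] * scores[p] for p in PILLAR_WEIGHT)

def band(score: float) -> str:
    """First band whose lower bound the score reaches (BANDS is ordered high to low)."""
    return next(label for floor, label in BANDS if score >= floor)

def uplift(q: Question, status: str) -> float:
    """Overall-score points gained by moving this one question to 'done':
    pillar weight x remaining weakness, spread over the pillar's item count."""
    n_items = sum(1 for other in QUESTIONS if other.pillar == q.pillar)
    return 100 * PILLAR_WEIGHT[q.pillar] * (1 - _credit(status)) / n_items

def top_gaps(answers: dict[str, str], n: int = 5) -> list[tuple[str, float]]:
    """Open questions ranked by uplift, highest first; ties keep page order
    because sorted() is stable. Fully 'done' items never appear."""
    ranked = sorted(
        ((q.qid, uplift(q, answers.get(q.qid, "missing"))) for q in QUESTIONS),
        key=lambda pair: pair[1], reverse=True,
    )
    return [(qid, gain) for qid, gain in ranked if gain > 0][:n]

# Constructed answer set for a mid-maturity entity; unlisted ids are unanswered.
SAMPLE_ANSWERS = {
    "ict-1": "done", "ict-2": "partial", "ict-3": "done", "ict-5": "done",
    "inc-1": "done", "inc-2": "partial", "inc-4": "planned",
    "tst-1": "done", "tst-2": "done", "tst-3": "planned", "tst-4": "partial",
    "tpr-2": "partial", "tpr-4": "planned", "inf-1": "done", "inf-2": "done",
}

if __name__ == "__main__":
    total = overall_score(SAMPLE_ANSWERS)
    print(f"Overall {total:.1f} / 100 ({band(total)})", pillar_scores(SAMPLE_ANSWERS))
    print("Top gaps:", top_gaps(SAMPLE_ANSWERS))
```

With the sample answers the entity scores 53.8 overall ("Material gap" under the assumed thresholds), and the top gap is the untested BCP (ict-4, +6 points) ahead of four equal +5 items; the unweighted per-item mean inside each pillar is why a missing item in a five-question pillar can rank below one in a four-question pillar of similar weight.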

For orientation only — not financial, legal, regulatory, or investment advice. Outputs are directional and based on generalised inputs. Decisions should be taken only after consultation with a qualified adviser on your specific facts — book the full assessment before acting on anything you read here.
