Digital Operational Resilience Act

Reg (EU) 2022/2554

DORA harmonises ICT risk management across the EU financial sector — one rulebook for ICT risk, incident reporting, resilience testing and third-party oversight, so a digital disruption can't quietly take down a financial entity or the system around it.

In practice that means a board-owned ICT risk-management framework, classifying and reporting major incidents on the regulator's clock, regular digital-operational-resilience testing, and a Register of Information plus contractual oversight of every critical ICT provider.

Who must comply: Banks, payment & e-money institutions, investment firms, crypto-asset service providers and insurers — and the critical ICT third parties that serve them. Microenterprises and certain small entities follow a lighter, simplified ICT-risk framework.

  • A board-owned ICT risk-management framework
  • Major-incident classification & reporting on the regulator’s clock
  • Digital operational resilience testing, incl. TLPT for the largest
  • Register of Information + oversight of critical ICT third parties

BEST VALUE: COMPLETE BUNDLE
All 11 DORA templates
€229 one-time (vs €409, save €180)
  • All 11 editable DORA templates
  • START-HERE guide + inline “what to change” guidance in every file
  • The Currency Stamp — kept current as the rules move
  • 30-day money-back guarantee
Pay once · 30-day money-back · EU VAT handled
Just the essentials? Starter Kit — €119

Only 6.5% of the DORA Registers of Information analysed in the ESAs' dry run passed all data-quality checks — missing mandatory information was 86% of the errors. ~22,000 financial entities are in scope. This toolkit exists to fix exactly that.

Does this sound like your DORA project?

The Register fails the dry run

Only 6.5% of Registers of Information passed the ESAs' dry run — mostly missing mandatory fields. The raw template doesn't guide you.

Classifying incidents is hard

Article 18 spreads the criteria across multiple texts. Manual classification under time pressure is slow and error-prone.

Third-party risk never stops

Vendor monitoring, concentration analysis and contractual clauses are an ongoing burden, not a one-off exercise.

Fragmented policies & evidence

ICT-risk, incident, continuity and third-party policies live in different places — and audit-readiness suffers for it.

The shape of the regulation, in plain terms

Art. 5–16

ICT risk management

A board-owned ICT risk-management framework: governance, identification, protection, detection, response and recovery.

Art. 17–23

Incident reporting

Classify ICT-related incidents and report the major ones to your competent authority on a strict timeline.

Art. 24–27

Resilience testing

A risk-based testing programme, with threat-led penetration testing (TLPT) for the entities that need it.

Art. 28–30

Third-party risk

Manage and monitor ICT third-party risk, with the contractual provisions and the Register of Information regulators now expect.

Art. 45

Information sharing

Voluntary sharing of cyber-threat intelligence and indicators among financial entities.

11 professional tools, 4 policies, a free checklist

€29

Incident Classification Calculator

Classify incidents against all seven CDR (EU) 2024/1772 criteria — the Art. 8 major-incident rule plus the recurring-incidents test. Dropdown-driven, auto-calculated, audit-ready.

EXCEL

€39

ICT Register of Information

The 15 ITS reporting templates (b_01.01–b_99.01) with coded columns, enumeration dropdowns, mandatory-field flags and data-quality checks that mirror the ESA dry-run failures.

EXCEL

€39

Third-Party Risk Assessment

Vendor risk questionnaire with scoring and a risk matrix, pre-mapped to DORA Article 28.

EXCEL

€39

Gap Analysis Tool

Structured gap analysis against all key DORA requirements, with a prioritised remediation roadmap.

EXCEL

€29

Business Impact Analysis

Identify critical functions, assess disruption impact, define RTOs/RPOs and prioritise resilience investments.

EXCEL

€39

Incident Response Playbook

Step-by-step response procedures, DORA notification timelines, escalation matrices and communication templates.

WORD + EXCEL

€39

Vendor Risk Monitoring

Ongoing vendor risk monitoring with risk trending, concentration analysis, contract tracking and SLA monitoring.

EXCEL

€49

Audit Preparation Kit

Evidence checklists, control documentation, an audit-response tracker and a findings remediation planner.

EXCEL

€39

ICT Contractual Clauses

DORA Article 30 contract addendum: 18 mandatory + 20 enhanced clauses, a compliance checklist and an implementation guide.

WORD + EXCEL

€39

TLPT Scoping & Test Plan

Threat-led penetration testing under Articles 26–27: scope determination, pooled provider testing, tester requirements and the closure record.

WORD

€29

Exit Strategy Template

Article 28(8) exit strategies for critical ICT services — triggers, options, data portability, transition continuity and test records.

WORD

Policy pack — 4 board-review-ready Word templates
ICT Risk Management · Incident Management · Third-Party Risk · Business Continuity
DORA Readiness Checklist — free
Pricing

Buy the DORA kit

SINGLE TOOLS
€29–49 each
Best for: one specific gap — buy only what you need
Included:
  • Any of the 11 tools individually
  • Mix and match as you go
Format: Editable Word / Excel
Updates: Re-buy when revised

STARTER KIT (save 36%)
€119 one-time
Best for: getting started fast on the essentials
Included:
  • The core starter templates
  • 4 policy templates
  • Readiness checklist
Format: Editable Word / Excel
Updates: Kept Current eligible

COMPLETE TOOLKIT (save 44%)
€229 one-time (vs €409)
Best for: full coverage & consultants serving several clients
Included:
  • All 11 DORA templates
  • 4 policy templates
  • Readiness checklist
Format: Editable Word / Excel
Updates: Kept Current eligible

Pay once · 30-day money-back · EU VAT handled at checkout. Practitioner-built templates for Reg (EU) 2022/2554, requiring your review — not legal advice. Scope and obligations depend on your entity and the current regulation text. Confirm with qualified counsel.