ICT-risk framework mapping
DORA
DORA has been in force since January 2025 and supervision is active. I map your cloud estate to its ICT-risk requirements, build the register of information, and prepare resilience-testing and incident-reporting readiness. The legal assessment itself stays with your counsel.
Engagement snapshot
From €2,500 assessment
1 wk to findings
Fixed price · no lock-in
The problem
Financial entities running on cloud carry DORA obligations their platform was never mapped against: an ICT-risk framework that must cover the real estate, a register of information listing every third-party ICT provider, resilience testing, and incident reporting with hard deadlines. Most teams have fragments of this in contracts and wikis, but nothing an examiner could follow.
What you get
Ideal for
Typical timeline
One-week assessment for the DORA gap map, then a readiness phase, typically 4–8 weeks, scoped to the findings.
What's included
Your cloud accounts, workloads and dependencies mapped to DORA's ICT-risk management requirements, with gaps ranked by risk and effort.
The third-party ICT register built from your actual estate - cloud providers, SaaS, sub-processors - in a structure your NCA can consume.
Digital-operational-resilience testing preparation and incident-classification and reporting runbooks matched to DORA's deadlines.
Provider contracts checked against DORA Art. 30 provisions and BaFin outsourcing expectations.
Deliverables
How it runs
Your cloud estate and third-party ICT dependencies are mapped against DORA's requirements. You leave with a ranked gap list.
Register of information, incident runbooks and resilience-testing preparation are built from the real estate, as maintainable artefacts.
Incident reporting and evidence retrieval are rehearsed so an examiner request is routine, not a scramble.
Pricing
Most engagements start with the one-week Quick Assessment focused on DORA scope, then a fixed-price readiness phase.
Assessment: From €2,500
Project work: €800–1,400 / day
Scope: Fixed-price available
FAQ
Yes. DORA has applied since 17 January 2025, and supervision is active: NCAs collect registers of information and examine ICT-risk frameworks. The question is no longer preparation but whether your evidence stands up to a request.
DORA covers most EU financial entities - banks, insurers, investment and payment firms, crypto-asset providers - and reaches their critical ICT third parties. Whether a specific entity or service is in scope is a legal determination; I work from your counsel's scoping decision.
Yes. I build it from your actual cloud and vendor estate in a structure aligned to the ESA templates, and set up the process that keeps it current. Your compliance function owns the submission.
DORA supersedes much of the prior outsourcing guidance but BaFin expectations still shape reviews in Germany. The contract and exit-strategy preparation covers both angles; final wording is your counsel's call.
No. I do the engineering and documentation side: mapping, registers, runbooks, evidence. Interpretation of legal scope and contract wording stays with your legal counsel; I hand them what they need in their language.
The Quick Assessment covers this area and costs from €2,500.