DORA

DORA readiness for financial entities running on cloud

DORA has been in force since January 2025 and supervision is active. I map your cloud estate to its ICT-risk requirements, build the register of information, and prepare resilience-testing and incident-reporting readiness. The legal assessment itself stays with your counsel.

  • ICT risk
  • Register of information
  • Resilience testing
  • Art. 28/30

Engagement snapshot

  • From €2,500 for the assessment
  • 1 week to findings
  • Fixed price · no lock-in

The problem - and what changes.

The problem

Financial entities running on cloud carry DORA obligations their platform was never mapped against: an ICT-risk framework that must cover the real estate, a register of information listing every third-party ICT provider, resilience testing, and incident reporting with hard deadlines. Most teams have fragments of this in contracts and wikis: nothing an examiner could follow.

What you get

  • An ICT-risk framework mapping that reflects your actual cloud estate
  • A register of information covering your cloud and third-party ICT providers
  • Resilience-testing preparation and incident-reporting runbooks with owners and deadlines
  • Contractual provisions (DORA Art. 30; register per Art. 28) flagged per provider, ready for legal sign-off

Who it's for - and how long it takes.

Ideal for

  • Financial entities in DORA scope: banks, insurers, payment and crypto firms, and their critical ICT providers
  • Teams that must present a register of information and ICT-risk framework to BaFin or their NCA
  • Cloud platforms built before DORA that now need the evidence trail retrofitted

Typical timeline

A one-week assessment produces the DORA gap map; a readiness phase scoped to those findings follows, typically 4–8 weeks.

What's included

Inside the engagement.

ICT-risk framework mapping

Your cloud accounts, workloads and dependencies mapped to DORA's ICT-risk management requirements, with gaps ranked by risk and effort.

Register of information

The third-party ICT register built from your actual estate - cloud providers, SaaS, sub-processors - in a structure your NCA can consume.

Resilience & incident readiness

Digital-operational-resilience testing preparation and incident-classification and reporting runbooks matched to DORA's deadlines.

Contract & outsourcing review prep

Provider contracts checked against DORA Art. 30 provisions and BaFin outsourcing expectations.

What lands - and how it runs.

Deliverables

  • DORA gap map across the five pillars, prioritised with owners
  • Register of information for your cloud and ICT third parties
  • Incident-reporting runbook with classification and deadline matrix
  • Resilience-testing plan and evidence structure
  • Contract-provision checklist per provider for legal sign-off

How it runs

  1. Map

     Your cloud estate and third-party ICT dependencies are mapped against DORA's requirements. You leave with a ranked gap list.

  2. Build

     Register of information, incident runbooks and resilience-testing preparation are built from the real estate, as maintainable artefacts.

  3. Rehearse

     Incident reporting and evidence retrieval are rehearsed so an examiner request is routine, not a scramble.

Pricing

Fixed-price assessment, then scoped readiness work

Most engagements start with the one-week Quick Assessment focused on DORA scope, then a fixed-price readiness phase.

Assessment

From €2,500

Project work

€800–1,400 / day

Scope

Fixed-price available

FAQ

Is DORA still relevant in 2026?

Yes. DORA has applied since 17 January 2025, and supervision is active: NCAs collect registers of information and examine ICT-risk frameworks. The question is no longer preparation but whether your evidence stands up to a request.

Are we in DORA scope?

DORA covers most EU financial entities - banks, insurers, investment and payment firms, crypto-asset providers - and reaches their critical ICT third parties. Whether a specific entity or service is in scope is a legal determination; I work from your counsel's scoping decision.

Can you produce the register of information?

Yes. I build it from your actual cloud and vendor estate in a structure aligned to the ESA templates, and set up the process that keeps it current. Your compliance function owns the submission.

How does this relate to BaFin's outsourcing rules?

DORA supersedes much of the prior outsourcing guidance, but BaFin expectations still shape reviews in Germany. The contract and exit-strategy preparation covers both angles; the final wording is your counsel's call.

Do you do the legal assessment?

No. I do the engineering and documentation side: mapping, registers, runbooks, evidence. Interpretation of legal scope and contract wording stays with your legal counsel; I hand them what they need in their language.

Start with one week.

The Quick Assessment covers this area and costs from €2,500.