Elevate

DORA Readiness & Compliance Services

Operationalize digital operational resilience across ICT risk management, incident reporting, resilience testing, and third-party oversight, so you can meet DORA requirements with audit-ready evidence.

  • ICT risk management + governance mapped to DORA requirements, built as measurable controls and proof-ready routines
  • Major incident reporting readiness with workflows, templates, and time-bound reporting runbooks
  • Resilience testing + TLPT support for entities required to perform threat-led penetration testing on live systems

What DORA is (and what it changes)

DORA (Regulation (EU) 2022/2554) is the EU-wide operational resilience regulation for the financial sector. It strengthens ICT security and resilience by setting uniform requirements for ICT risk management, incident reporting, resilience testing, and ICT third-party risk management/oversight.

The core shift: digital resilience becomes a regulatory and procurement expectation—not a best-effort IT program. Firms must show they can withstand, respond to, and recover from ICT disruptions with documented governance and evidence.

DORA timeline (dates you can plan to)

DORA is already live.

Entered into force: 16 January 2023   

Applies from: 17 January 2025   

What this means right now (2026)  

If you are in scope, 2026 is about operational proof: incident reporting execution, evidence cadence for ICT controls, resilience testing results, and third-party governance that holds up under supervisory review. Many supervisors treat incident reporting as an active obligation since DORA became applicable in 2025.

Who DORA applies to  

DORA applies to a broad set of financial entities (e.g., banks, insurers, investment firms and others in the regulation’s scope) and introduces an EU oversight regime for critical ICT third-party service providers supporting the financial sector.

What “DORA-ready” means in practice

1) ICT risk management framework (governance + controls + evidence)

You need a documented, maintained ICT risk management framework (strategies, policies, procedures, tools) that protects ICT/information assets and is reviewed at least annually and improved based on lessons learned and testing/audits.

2) Major ICT incident reporting (built to execute under deadlines)

DORA requires reporting major ICT-related incidents to competent authorities, using standardized forms/templates and procedures. Reporting time limits are specified in the RTS on content and timelines for incident reporting (e.g., initial notification tied to classification and awareness, intermediate reporting, and final reporting).

3) Digital operational resilience testing (including TLPT where required)

DORA requires a resilience testing program, and certain entities must perform advanced testing via Threat-Led Penetration Testing (TLPT) at least every 3 years (subject to supervisory adjustment), covering critical/important functions and performed on live production systems.

4) ICT third-party risk management + Register of Information

You must manage ICT third-party risk within your ICT risk framework and maintain a Register of Information for contractual arrangements with ICT third-party providers (using EU standard templates).

5) Contractual requirements for ICT services (especially critical/important functions)

DORA sets minimum contract elements for ICT services, with additional requirements for services supporting critical or important functions (including oversight, access/audit rights, exit/termination planning, etc.).

How Elevate Consult supports DORA readiness

  • Confirm scope and key obligation areas (incident reporting, testing, third-party, governance)
  • Map your current state to DORA requirements and produce an execution roadmap with evidence owners and milestones

We turn “policy” into auditable controls

ICT risk management + governance
  • Governance routines (review cadence, reporting to management body, KPIs)
  • Asset/service inventories and risk assessments
  • Response & recovery plans, testing evidence, and continuous improvement loops

Major incident reporting
  • Classification + decision tree (“is it major?”)
  • Reporting workflow aligned to RTS timelines and authority submission process
  • Template completion support using EU standard forms

Resilience testing + TLPT
  • Resilience testing program design and evidence capture
  • TLPT readiness for in-scope entities (scope, methodology, remediation closure) aligned to the TLPT RTS

ICT third-party risk + Register of Information
  • Third-party strategy, critical/important function identification, exit planning
  • Register of Information build using the EU standard templates and governance model for maintenance

Deliverables
  • DORA Requirements Matrix + Gap Assessment (by pillar, with owners and proof plan)
  • ICT Risk Management Evidence Library Blueprint (what to collect, where, cadence)
  • Major Incident Reporting Pack (decision tree + runbooks + EU templates support)
  • Resilience Testing Pack (testing program + results + remediation tracking)
  • TLPT Readiness Pack (if applicable) aligned to the TLPT RTS
  • Register of Information Pack (templates + governance + maintenance process)
  • ICT Contracting & Exit Playbook for critical/important functions

Engagement options
  • DORA Readiness Sprint (2–4 weeks): scope, gap assessment, roadmap, quick-start evidence structure
  • Implementation Support (co-sourced): close gaps and operationalize reporting/testing/third-party governance
  • Continuous Assurance: ongoing evidence cadence, testing support, reporting readiness, audit support

Why Elevate Consult for DORA

Regulator-ready evidence (not “policy theater”): We build the artifacts supervisors and enterprise risk teams validate—controls + proof + operating cadence.   
Incident reporting you can execute: Runbooks, templates, and escalation paths aligned to EU reporting standards and timelines. 
Third-party oversight at scale: Register of Information + contract/exit governance that stands up under supervisory requests.  
Testing that proves resilience: Resilience testing design and TLPT readiness where required, with remediation closure that is traceable.

FAQ

1) What is DORA?

DORA is the EU regulation on digital operational resilience for the financial sector. It sets requirements for ICT risk management, incident reporting, resilience testing, and ICT third-party risk management/oversight.

2) When did DORA start to apply?

DORA entered into force on 16 January 2023 and applies from 17 January 2025.

3) What incidents must be reported under DORA?

Financial entities must report major ICT-related incidents to competent authorities and may also notify significant cyber threats using EU standard templates and procedures.

4) What are the DORA incident reporting stages and timelines?

DORA’s RTS specify staged reporting (initial notification, intermediate report, final report) with defined time limits intended to ensure rapid supervisory visibility while the incident is still evolving.

5) What is the Register of Information in DORA?

It’s a structured register of all contractual arrangements for ICT services provided by ICT third-party service providers, maintained using EU standard templates to support supervision and third-party risk oversight.

6) What is TLPT under DORA?

Threat-Led Penetration Testing (TLPT) is advanced testing required for certain financial entities, performed on live production systems to validate resilience across critical/important functions.

7) How often is TLPT required?

For in-scope entities identified by the criteria, TLPT is required at least every 3 years, with the competent authority able to adjust frequency based on risk profile and circumstances.

8) What does DORA require for ICT outsourcing and third-party contracts?

DORA requires minimum contract provisions for ICT services and additional requirements when the services support critical or important functions (including oversight and exit planning expectations).

9) Is DORA just an IT security program?

No—DORA is an operational resilience regime. It requires governance, ongoing testing, reporting execution, and third-party oversight with evidence that can be reviewed by supervisors.

Ready to Build a DORA Program Regulators and Buyers Trust?

Whether you’re tightening an existing resilience program or scaling across multiple entities, we’ll assess your DORA gaps, operationalize incident reporting, testing, and third-party oversight, and build an evidence library that stays audit-ready year-round.