FortaRisks

DORA readiness assessment

Gauge your digital operational resilience under DORA, and leave with your priorities.

≈ 5 minutes · no sign-up

DORA applies to EU financial entities and their critical ICT third-party providers. Answer the 18 statements below based on your actual situation, not your target state. Your score and priorities are computed and displayed instantly in your browser; no answer is sent anywhere or stored.


1. ICT risk-management framework

An ICT risk-management framework is established and overseen by the management body.

You identify and map your ICT assets, functions and dependencies.

ICT protection and prevention measures are in place.

2. Incident management and reporting

You classify ICT-related incidents according to DORA criteria.

You can report major ICT-related incidents to your competent authority within the DORA deadlines (initial notification, intermediate report and final report).

You conduct root-cause analyses after incidents.

3. Resilience testing

A digital operational resilience testing program exists.

If your competent authority has identified you as an entity required to do so, you perform threat-led penetration testing (TLPT) at least every three years.

Test findings are remediated and tracked.

4. ICT third-party risk

You maintain a register of information covering all contractual arrangements with ICT third-party providers, identifying those that support critical or important functions.

Your ICT contracts include the mandatory clauses required by DORA.

You analyze concentration risk across your ICT providers.

5. Continuity and recovery

ICT business continuity plans are defined and tested.

Backups and restoration are in place and verified.

Your recovery objectives and capabilities are documented.

6. Governance and exit

The management body is accountable for the resilience framework and oversees it.

You have exit strategies for your critical ICT providers.

You take part in cyber threat information sharing.


FAQ

What is DORA?

DORA (the Digital Operational Resilience Act) is an EU regulation that harmonizes digital operational resilience for the financial sector and governs its critical ICT providers.

Who is subject to it?

EU financial entities (banks, insurers, investment firms and many more) and their critical ICT third-party providers, including non-financial vendors.

Since when does it apply?

DORA has applied since 17 January 2025.

What are the consequences?

Competent authorities have supervisory, remedial and sanctioning powers; critical ICT third-party providers fall under an EU-level oversight framework run by the European Supervisory Authorities; and the management body of each financial entity is accountable for compliance.

Does this assessment replace legal advice?

No. It is an indicative tool to gauge your maturity and prioritize your actions. It does not constitute legal or supervisory advice.