EU Regulation 2022/2554

DORA Readiness — Evidence-Backed

EU Regulation 2022/2554 — Digital Operational Resilience Act. OneComply helps EU financial entities operationalize ICT risk, incident clocks, third-party oversight, resilience evidence, and board reporting in one governed workspace.

Apply to DP program View Pricing

What is DORA?

The Digital Operational Resilience Act (DORA) is an EU regulation that establishes a comprehensive framework for digital operational resilience in the financial sector. It requires financial entities to manage ICT risks, report incidents, test resilience, and oversee third-party providers.

DORA applies to over 20 types of financial entities including banks, insurance companies, investment firms, and their critical ICT service providers. It entered into force on 16 January 2023 and became applicable on 17 January 2025.

Non-compliance can result in supervisory measures, administrative penalties, and reputational damage from the European Supervisory Authorities.

Pillars

Articles

20+

Entity Types

Workflow acceleration examples

Before vs After — Operational Lift

Example improvements when DORA evidence, owners, vendors, and incident deadlines are managed in one workspace. Actual timelines depend on customer data quality and review process.

Workflow	Manual Process	With OneComply	Time Saved
Vendor Risk Register	3–5 days (Excel + meetings)	5 minutes (CSV import + auto-scoring)	99%
Contract Clause Review	2–4 hours per contract	Assisted clause gap check	Faster review
Register of Information Readiness	1–2 weeks (15 Excel tables)	Source-data checks + EBA ZIP generation	Lower rework
Control Mapping	3–5 days (manual article mapping)	Instant (118 pre-mapped controls)	100%
Policy Drafting	1–2 weeks per policy (legal review)	Template-based draft for review	Faster first draft
Incident Report Preparation	4–8 hours (manual form filling)	Draft package from incident data	Faster review
Vendor Questionnaires	1–2 days per vendor	Guided questionnaire draft	Faster outreach
Proportionality Assessment	2–3 days (legal analysis)	Instant (automated engine)	100%

What We Automate

DORA-first workflow coverage across the operational-resilience pillars with 118 mapped controls, evidence linkage, incident clocks, vendor oversight, and report-readiness guardrails.

Art. 5–16

ICT Risk Management

18 mapped controls

ICT risk register
Gap analysis dashboard
Risk scoring engine
Proportionality assessment

Art. 17–23

ICT Incident Management

14 mapped controls

NCA report preparation
Timeline tracking
Root cause analysis
Incident classification

Art. 24–27

Digital Resilience Testing

12 mapped controls

Test planning templates
TLPT management
Remediation tracking
Evidence collection

Art. 28–30

Third-Party Risk

16 mapped controls

Contract clause checker
ROI source-data readiness
Vendor questionnaires
Criticality assessment

Art. 45

Information Sharing

4 mapped controls

Threat intelligence logging
Information sharing agreements
Anonymisation controls
Reporting evidence

Articles 5–6

Governance & Oversight

18 mapped controls

Board reporting dashboard
Proportionality engine
Role assignment tracking
Training management

DORA Enforcement Framework

European Supervisory Authorities (ESAs) have broad enforcement powers under DORA.

Administrative Penalties

€1M+

For individuals. Entity penalties vary by member state transposition and entity type.

Supervisory Measures

ESA Powers

NCAs can require cessation of activities, mandate corrective measures, and issue public censure.

Periodic Penalties

Daily Fines

Ongoing daily penalties for continued non-compliance until corrective action is taken.

Start your DORA compliance journey

Run DORA operational-resilience evidence, vendors, incidents, and audit trail from one workspace.

Apply to DP program View Pricing