DORA GRC Dashboard
Compliance Score (Pillar 1 overall)
Open Risks (requires attention)
ICT Assets (registered)
Control Gaps (no control assigned)

DORA Article Compliance Status


Articles tracked: Art. 5 · Art. 6 · Art. 8 · Art. 9 · Art. 10 · Art. 12 · Art. 16

Pillar 2 — Incident Status

Incident | Severity | Status | Report Stage
Core Banking Unavailability (INC-2026-001) | Major | Contained | ⏳ Intermediate due
Third-Party Data Feed Latency (INC-2026-003) | Reviewing | Open | Classifying

Pillar 4 — Third-Party Alerts

Alert | Provider | Priority
Contract missing 3 mandatory clauses | IBM Core Banking | Critical
CTPP designation — contracts to review | Azure + IBM | High
Exit plan missing | IBM Core Banking | High
Subcontractor approval pending | IBM / Kyndryl (India) | Medium

Recent Risks

Art. 9
Risk | Score | Status
No risks registered yet.

Framework Review Timeline

Art. 6 & 16
Annual ICT Risk Framework Review Due: 31 Dec 2025 · Not started
Board Report — ICT Risk Exposure Due: 30 Jun 2025 · Not started
DORA Applicability Assessment Completed: 17 Jan 2025

Role & Responsibility Matrix

DORA Art. 5(2)(a–j)
Role | Name | Responsibility | DORA Article | Review Date | Status
CISO | Sample: Anna Hansen | Owns ICT Risk Management Framework, reports to Board | Art. 5(4) | 2025-12-31 | ✓ Active
Board / Management Body | Sample: Board of Directors | Defines, approves and oversees ICT risk strategy and tolerance | Art. 5(2) | 2025-12-31 | ✓ Active
Level 1 — Policy: Strategic direction, Board-approved
Level 2 — Guidelines: Domain standards, Management-approved
Level 3 — ICT Routines: Operational procedures & routines, Owner-approved
Overall Completeness: 0 approved, 0 gaps (Approved 0 · In Progress 0 · Gap 0)

Annual Review & Board Approval Tracker

Art. 6(5) & Art. 16
Review Type | Trigger | Last Completed | Next Due | Status | Notes
DORA Definition — Art. 3(22): A function is Critical or Important if its disruption, malfunction, or interruption would: (a) substantially impair the financial performance of the entity; (b) substantially affect the continuity of its services and activities; or (c) substantially affect the entity's compliance with regulatory obligations.
Functions Assessed: 0 · Designated Critical: 0 · Designated Important: 0 · Not CIF: 0 · Under Assessment: 0

ICT Asset Inventory

DORA Art. 8(1–2)
Asset Name | Type | Business Function | Criticality | Owner | Third Party
Core Banking System | Application | Payment Processing | Critical | CTO | –
Customer Data Warehouse | Data | Reporting & Analytics | High | CTO | –
Cloud Infrastructure (Azure) | Infrastructure | All Digital Services | Critical | CTO | Microsoft Azure

ICT Risk Inventory

DORA Art. 9 & 10
Risk ID | Risk Description | Category | L | I | Score | Owner | Treatment
R-001 | Ransomware attack on core banking system | Cyber | 4 | 5 | 20 | CISO | Mitigate
R-002 | Cloud provider outage affecting digital channels | Availability | 3 | 4 | 12 | CTO | Mitigate
R-003 | Unauthorised access to customer PII | Data | 2 | 5 | 10 | CISO | Transfer

ICT Risk Matrix

Art. 9
Score = Likelihood (X) × Impact (Y). Bands: Low (1–4) · Medium (5–9) · High (10–14) · Critical (15–25)

Control Inventory

DORA Art. 9–10 & 12
Control ID | Control Name | DORA Article | Type | Owner | Status | Evidence
C-001 | Multi-factor authentication (MFA) | Art. 10 | Preventive | CISO | ✓ Implemented | Policy v2.1
C-002 | Continuous vulnerability scanning | Art. 12 | Detective | CTO | ⏳ Partial | –
C-003 | Encrypted backups with tested restoration | Art. 9 | Corrective | CTO | ✗ Not Implemented | –
Overall Score (Pillar 1 readiness) · Critical Risks: 1 (score ≥ 15) · Control Gaps (not implemented) · Assets Mapped (in register)

DORA Pillar 1 Compliance Overview

Article | Requirement | Module | Readiness | Gap Summary
Art. 5 | Management body accountability for ICT risk | Governance Register | ⏳ Partial | Roles defined; training log incomplete
Art. 6 | ICT Risk Management Framework | ICT Risk Framework | ⏳ Partial | BCP/DRP component missing
Art. 8 | ICT asset identification and classification | Asset Register | ✓ Good | Critical assets catalogued
Art. 9 | ICT risk identification and treatment | Risk Register | ⏳ Partial | 1 critical risk open, treatment in progress
Art. 10 | ICT protection and prevention controls | Control Library | ✗ Gap | C-003 backup control not implemented
Art. 16 | Annual ICT Risk Framework review | Framework Review | ⏳ Scheduled | Due Dec 2025 — not started

Recommended Actions

# | Action | Owner | Priority | Deadline
1 | Implement C-003: Encrypted backup with tested restoration | CTO | Critical | 2025-03-31
2 | Complete BCP/DRP ICT component in Framework | CISO | High | 2025-04-30
3 | Finalize ICT Risk Tolerance Statement (Art. 6) | CISO | Medium | 2025-05-31
4 | Schedule and complete Board training on DORA | DORA Manager | Medium | 2025-06-30
DORA Art. 24–25 Requirement: Financial entities shall establish, maintain, and continuously improve a sound, comprehensive digital operational resilience testing programme. All ICT systems and applications supporting Critical or Important Functions must be subject to testing at least once a year. Tests must be conducted by independent internal or external parties.
Tests Registered: 6 (this programme cycle)
Completed: 4 (past 12 months)
In Progress: 1 (scheduled / active)
Open Findings: 3 (awaiting remediation)
CIF Coverage: 75% (functions tested ≤12 mo)

CIF Function Coverage Matrix

Art. 24(1) — annual testing obligation

Each row is a CIF function from the CIF Register. Columns show the 7 test types required under Art. 25. Legend: Tested ≤12 mo · Scheduled · Gap

CIF Function | Vuln Scan | Source Code | Network Sec | Scenario Test | Pen Test | Gap Analysis | Physical Sec | Score

Test Register

Art. 25 — testing programme
Test ID | Type | CIF Function | Tester | Planned | Completed | Status | Findings
TLPT Applicability — Art. 26 & RTS 2025/1190: TLPT is mandatory for G-SIIs, O-SIIs and other entities designated by competent authorities based on systemic relevance, ICT maturity, and financial stability impact. Scope must cover live production systems supporting Critical or Important Functions. Third-party ICT providers supporting CIFs must contractually cooperate (Art. 30(3)(d)).
⏰ First TLPT deadline: before 17 January 2028
TLPT Readiness: 60% (self-assessment score)
Days to Deadline: 17 Jan 2028
CIF Systems in Scope: 4 (production systems)
3rd-Party Cooperation: 2/4 (confirmed in contract)

TLPT 8-Phase Lifecycle — TIBER-EU Framework

RTS 2025/1190 · Art. 26(3)

TLPT Scope — CIF-Linked Systems

Art. 26(2) — live production only
System | CIF Function | Env | In Scope

3rd-Party Cooperation Tracker

Art. 30(3)(d) — contractual obligation
Provider | Service | Contract Clause | Status
DORA Art. 28 — Third-Party Risk Strategy: Financial entities shall adopt and regularly review a strategy for ICT third-party risk. Providers supporting Critical or Important Functions require enhanced due diligence, mandatory contractual provisions (8 clauses per Art. 30), and a tested exit strategy. Concentration risk must be assessed at entity level and reported to the management body.
Total Providers: 8 (in register)
CIF-Supporting: 5 (enhanced obligations)
CTPP Designated: 1 (ESA oversight list)
Contract Gaps: 2 (missing mandatory clauses)
Exit Plans Ready: 3 (of 5 CIF providers)
Concentration Risk Alert: CloudCore AS supports 3 out of 4 Critical functions — single-point-of-failure risk. Multi-provider strategy or tested exit plan required per Art. 29. Board escalation recommended.

Provider Register

Art. 28(3) · ITS 2024/2956
Provider | Country | Type | CIF Support | CTPP | Risk Rating | Contract | Exit Plan
CIF-Supporting: 5 (enhanced clause req.)
Fully Compliant: 3 (all 8 clauses present)
Gaps to Remediate: 2 (missing ≥1 clause)

Art. 30 — 8 Mandatory Contractual Clauses (CIF-Supporting Arrangements)

DORA Art. 30 · RTS 2024/1773
Clause 1 · Service description + SLAs: Precise scope, service levels, availability targets
Clause 2 · Security obligations: Data protection, access control, encryption standards
Clause 3 · Audit rights: Financial entity & regulator audit access rights
Clause 4 · Incident notification: Provider must notify FE promptly on ICT incidents
Clause 5 · Subcontracting controls: Approval process, chain visibility, Art. 30(3)(e)
Clause 6 · Data location & portability: EU data residency, export formats, escrow
Clause 7 · Exit provisions: Termination rights, transition support, continuity
Clause 8 · TLPT cooperation: Provider must participate in TLPT per Art. 30(3)(d)

Contract Compliance Checker

Art. 30 — mandatory provisions
Contract | Provider | CIF? | C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 | Score | Status
2025 Register Submitted — 28 April 2025
Submitted to Finanstilsynet (Norway) per ITS 2024/2956 template. 5 CIF-supporting arrangements included. Next submission due: 30 April 2026.
Next due: 30 April 2026
CTPP Flagged: 0 (designated by ESAs Nov 2025)
Subcontractors: 0 (disclosed in chain)
Data Locations: EU countries mapped

ITS 2024/2956 — Register Template Structure

Commission Implementing Regulation (EU) 2024/2956
The ITS defines 9 reporting tables (RT.01–RT.09). Below shows the key fields from RT.02 (contractual arrangements) for each CIF-supporting entry.
RT Field | Provider (LEI) | Service | CIF Function | Data Location | Subcontractors | Est. Annual Cost | CTPP

CTPP Watch List — ESA Designation Status

Art. 31 — first CTPP list: 18 November 2025
Provider | Services to FE | ESA Lead Overseer | Designation Date | Status | Action Required
CloudCore AS | IaaS / Cloud Infrastructure | EBA | 18 Nov 2025 | ⚠ CTPP Designated | Review contracts; update governance; board escalation
PolicySoft Ltd | Core Policy Admin SaaS | – | – | Not designated | Monitor; include in next RoI submission
PayHub Nordic | Payment processing gateway | – | – | Not designated | Monitor; TLPT clause gap must be resolved
DataVault GmbH | Data warehouse / analytics | – | – | ⏳ Under assessment | ESA assessment ongoing — watch for designation
PILLAR 2 · ICT Incident Reporting · Art. 17–23 · RTS 2024/1772 · RTS 2025/301
Open Major: 1 (reporting obligation active)
Under Review: 2 (classification pending)
Resolved YTD: – (closed this year)
MTTD Avg: 4.2h (mean time to detect)
INC-2026-001 — Active major incident: Initial notification submitted. Intermediate report due in 48h. Assign incident owner and update classification wizard.

All Incidents

Art. 17–19 · RTS 2024/1772
ID | Title | Detected | Severity | Status | CIF Function | Source | Report Stage | Owner | Actions
PILLAR 2 · Incident Classification · Art. 18 · RTS 2024/1772

Incident Context

INC-2026-003
Classification logic (RTS 2024/1772): An incident is MAJOR if Criterion 1 (critical services affected) is TRUE AND either: (a) malicious data access occurred, OR (b) any 2 or more other criteria exceed their materiality thresholds.

Reporting Clock

Detection: 14 Feb, 09:02 CET
Initial Notify: 4h / 24h (after classification)
Intermediate: +72h (from initial)
Final: +1 month (from intermediate)

7-Criterion Assessment

RTS 2024/1772 Art. 5–9
1. Critical Services Affected (PRIMARY GATE): Must be TRUE for major classification
   ℹ Criterion 1 reads from the CIF Register. "Risk Monitoring & Reporting" is tagged as Important — this criterion is met.
2. Clients, Counterparts & Transactions: ≥10% of clients OR ≥50,000 clients affected
3. Data Losses: Any malicious unauthorised access → auto-MAJOR with C1
4. Reputational Impact: Media coverage / regulatory enquiries
5. Duration & Service Downtime: RTO of affected CIF process exceeded
   ✓ 40 min downtime is within the 4-hour RTO. Criterion 5 threshold not met.
6. Geographical Spread: Impact in ≥2 EU Member States
7. Economic Impact: Costs & losses ≥ €100,000. Include: remediation, emergency IT, fines, client compensation, lost revenue. Exclude: reputational costs, stock value loss.

Classification: MINOR incident

Criterion 1 met (Important CIF function affected), but only 0 additional criteria exceed thresholds. Minimum of 2 additional criteria required for MAJOR. No regulatory reporting obligation triggered.
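The major/minor gate described above, written out as an added example (not the dashboard's own code): the thresholds are the ones listed in the 7-criterion assessment, and INC-2026-003 is encoded from the figures on the page (Important function affected, 40 min downtime against a 4 h RTO). The client-base and RTO fields are assumptions made to express criteria 2 and 5 numerically.

```python
# Added example: RTS 2024/1772 major-incident gate as the dashboard describes it.
# Thresholds below are the ones listed in the 7-criterion assessment on this page.
from dataclasses import dataclass
from datetime import timedelta


@dataclass
class Incident:
    incident_id: str
    cif_affected: bool                   # C1: a Critical or Important Function is hit
    clients_affected: int = 0            # C2 numerator
    client_base: int = 1                 # C2 denominator (total clients; assumed field)
    malicious_access: bool = False       # C3: malicious unauthorised access
    reputational_impact: bool = False    # C4: media coverage / regulatory enquiries
    downtime: timedelta = timedelta(0)   # C5: measured against the CIF's RTO
    rto: timedelta = timedelta(hours=4)  # assumed RTO of the affected CIF process
    member_states: int = 1               # C6: EU Member States impacted
    cost_eur: float = 0.0                # C7: costs & losses (excl. reputational / stock)


def met_criteria(inc: Incident) -> set[int]:
    """Return the numbers of criteria 2..7 whose materiality threshold is exceeded."""
    met = set()
    share = inc.clients_affected / inc.client_base if inc.client_base else 0.0
    if inc.clients_affected >= 50_000 or share >= 0.10:
        met.add(2)
    if inc.malicious_access:
        met.add(3)
    if inc.reputational_impact:
        met.add(4)
    if inc.downtime > inc.rto:
        met.add(5)
    if inc.member_states >= 2:
        met.add(6)
    if inc.cost_eur >= 100_000:
        met.add(7)
    return met


def classify(inc: Incident) -> str:
    """MAJOR only if C1 holds AND (malicious access OR at least 2 other criteria); else MINOR."""
    if not inc.cif_affected:  # primary gate: without C1 nothing else matters
        return "MINOR"
    others = met_criteria(inc)
    if 3 in others or len(others) >= 2:
        return "MAJOR"
    return "MINOR"


# INC-2026-003 as shown on the page: Important function hit, 40 min downtime, 4 h RTO
INC_2026_003 = Incident("INC-2026-003", cif_affected=True, downtime=timedelta(minutes=40))

if __name__ == "__main__":
    print(INC_2026_003.incident_id, classify(INC_2026_003))  # MINOR
```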

PILLAR 4 · ICT Third-Party Risk · Art. 28–44 · ITS 2024/2956 · RTS 2024/1773
Total Providers (registered) · CIF-Supporting (enhanced regime) · CTPP Designated (ESA list 18 Nov 2025) · Exit Plans Ready (of CIF providers)
2 providers designated as CTPPs by ESAs on 18 November 2025. Contracts with Microsoft Azure and IBM must be reviewed for enhanced mandatory clauses. Board escalation required per Art. 31.

ICT Third-Party Service Providers

Art. 28(3) · ITS 2024/2956
Provider | Type | Country | CIF Support | CIF Functions | CTPP | Risk Tier | RoI Status | DD Due | Actions
PILLAR 4 · Contractual Arrangements · Art. 30 · RTS 2024/1773 · RTS 2025/532
Total Contracts (active arrangements) · Non-Compliant (missing mandatory clauses) · CIF Contracts (enhanced obligations) · Fully Compliant (all 8 clauses present)
IBM Core Banking contract is missing 3 mandatory clauses (TLPT cooperation, exit provisions, data portability). Renegotiation required — CIF-supporting contract cannot have gaps under Art. 30.

Contract Compliance — Mandatory Clause Checker

Art. 30(2) · 8 mandatory clauses
Clauses: Service desc + SLAs · Security obligations · Audit rights · Incident notification · Subcontracting controls · Data location/portability · Exit provisions · TLPT cooperation
Contract | Provider | CIF? | Type | Value p.a. | Clause Compliance | Score | Renewal | Actions

Subcontracting Chain — CIF Services

RTS 2025/532 · Art. 30(5)
Only subcontracting of CIF-supporting services requires approval and chain disclosure per RTS 2025/532. First-tier subcontractors must be identified. In force 17 April 2025.
Prime Provider | CIF Function | Subcontractor | Country | Service Subcontracted | Approved | Third Country?
Microsoft Azure | Settlement Processing | Equinix (data centres) | 🇳🇱 NL, 🇸🇪 SE | Physical data centre hosting | ✓ Approved | No — EU
IBM (Core Banking) | Core Banking Infra | Kyndryl | 🇮🇳 IN | Application managed services | ⏳ Pending | ⚠ Third Country
Bloomberg LP | Risk Monitoring | AWS (data processing) | 🇮🇪 IE | Market data processing infrastructure | ✓ Approved | No — EU
PILLAR 4 · Concentration Risk · Art. 29 · Art. 6(8)(h)
High Concentration: 2 (providers with 2+ CIFs each)
Single Points of Failure: 2 (no identified alternative)
Exit Plans in Place: 3/5 (CIF-supporting providers)
Board Report Due: Mar 26 (Q1 concentration review)

CIF × Provider Dependency Matrix

Art. 29 · ITS 2024/2956
Cell = dependency count. Legend: No link · 1 Low · 2 Medium · 3 High · 4+ Critical · CTPP
Columns: CIF Function | Microsoft Azure (★ CTPP) | IBM Core Banking (★ CTPP) | Bloomberg LP | Temenos T24 | Cisco | AWS (sub) | Provider Score
CIF Function | Criticality | Dependency cells (column positions not recoverable) | Provider Score
Settlement Processing | Critical | 1 | ⚠ 2 CTPP
Core Banking Infrastructure | Critical | 1 | ⚠ 2 CTPP
Risk Monitoring & Reporting | Important | 1, 1 | ⚠ 1 CTPP
Customer Onboarding | Important | 1, 1 | ✓ Low
Regulatory Reporting | Important | – | ⚠ 1 CTPP
CIF count per provider: Microsoft Azure 5 CIFs ⚠ · IBM Core Banking 2 CIFs ⚠ · Bloomberg LP 1 CIF · Temenos T24 1 CIF · Cisco 2 CIFs · AWS (sub) 1 CIF

Concentration Risk Findings

Microsoft Azure (CTPP) supports all 5 CIF functions. Represents extreme single-provider concentration. Exit plan exists but untested. Board must set explicit risk appetite for this dependency.
IBM Core Banking (CTPP) supports 2 Critical CIFs jointly with Azure. Combined CTPP concentration means a coordinated failure would disable core operations. Substitutability score: 2/5 (low).
Bloomberg LP is sole provider for market data used in Risk Monitoring. No contractual alternative identified. Medium concentration — not CTPP designated but substitutability is limited (score: 3/5).

Exit Plans — CIF Providers

Art. 28(8)
Provider | Alternative | Time-to-Cutover | Exit Plan | Last Tested
Microsoft Azure | AWS (partial) | 90 days | ⏳ Draft | Never
IBM Core Banking | None identified | 18 months | ✗ Missing | Never
Bloomberg LP | Refinitiv (scoped) | 30 days | ✓ Active | 2025-10-14
Temenos T24 | Finastra (identified) | 60 days | ✓ Active | 2025-08-22
Cisco Systems | N/A (non-CIF) | – | Not required | –
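The concentration-risk findings (Art. 29) and the exit-plan table above can be derived from one CIF × provider dependency map, as this added example shows (not the dashboard's own code). The dependency and exit-plan data are constructed to mirror the sample rows on the page; the findings rules are the ones the dashboard states: 2+ CIFs per provider is high concentration, no identified alternative is a single point of failure, and a CIF provider's exit plan must be active and tested.

```python
# Added example: concentration-risk findings from a CIF -> provider dependency map.
# All data below is constructed from the dashboard's sample rows, not live data.
from collections import defaultdict

# CIF function -> providers it depends on (constructed; Cisco/AWS columns omitted)
DEPENDENCIES = {
    "Settlement Processing": {"Microsoft Azure", "IBM Core Banking"},
    "Core Banking Infrastructure": {"Microsoft Azure", "IBM Core Banking"},
    "Risk Monitoring & Reporting": {"Microsoft Azure", "Bloomberg LP"},
    "Customer Onboarding": {"Microsoft Azure", "Temenos T24"},
    "Regulatory Reporting": {"Microsoft Azure"},
}
CTPP = {"Microsoft Azure", "IBM Core Banking"}  # ESA-designated, per the page
# provider -> (alternative identified, exit plan status, last tested); constructed
EXIT_PLANS = {
    "Microsoft Azure": ("AWS (partial)", "Draft", None),
    "IBM Core Banking": (None, "Missing", None),
    "Bloomberg LP": ("Refinitiv (scoped)", "Active", "2025-10-14"),
    "Temenos T24": ("Finastra (identified)", "Active", "2025-08-22"),
}


def cif_count_per_provider(deps):
    """Number of CIF functions each provider supports (the matrix footer row)."""
    counts = defaultdict(int)
    for providers in deps.values():
        for p in providers:
            counts[p] += 1
    return dict(counts)


def concentration_findings(deps, ctpp, exit_plans):
    """Return {provider: [finding tags]} using the dashboard's stated rules."""
    findings = defaultdict(list)
    for provider, n in cif_count_per_provider(deps).items():
        if n >= 2:
            findings[provider].append(f"HIGH_CONCENTRATION:{n}_CIFs")
        if n == len(deps):  # one provider under every CIF: extreme concentration
            findings[provider].append("ALL_CIFS_SINGLE_PROVIDER")
        if provider in ctpp:
            findings[provider].append("CTPP")
        alternative, status, last_tested = exit_plans.get(provider, (None, "Missing", None))
        if alternative is None:
            findings[provider].append("SINGLE_POINT_OF_FAILURE")
        if status != "Active":
            findings[provider].append(f"EXIT_PLAN_{status.upper()}")
        elif last_tested is None:
            findings[provider].append("EXIT_PLAN_UNTESTED")
    return dict(findings)  # providers with no findings are simply absent
```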