The complete DORA compliance toolkit for fintechs, financial services firms, and their ICT providers. 10 professional documents covering all 5 DORA pillars — structured, ready to use, and built by a certified financial services cybersecurity specialist.
Immediate download after purchase. Free updates for 12 months.
The Digital Operational Resilience Act isn't coming: it's already here. DORA (Regulation (EU) 2022/2554) entered into force in January 2023 and has applied in full since 17 January 2025. Competent authorities across the EU and EEA are actively conducting assessments and asking hard questions about ICT risk management, incident reporting procedures, third-party provider registers, and resilience testing programmes.
The two biggest blockers we hear from financial services SMBs are consistent: not knowing where to start, and not having the documentation frameworks in place.
Most compliance teams have the intent. They don't always have the time to build structured documentation from scratch while managing everything else on their desk.
There is also a group of organisations that don't yet realise they're in scope at all. Third-party ICT providers (cloud vendors, SaaS platform providers, data centres, and managed service providers) are drawn into DORA when they serve regulated financial entities: directly, if they are designated as critical under the oversight framework, and otherwise through the contractual clauses, register entries and due-diligence evidence their regulated clients are obliged to demand of them. If your product or service is used by a bank, a fintech, or a payment institution, DORA compliance is increasingly a commercial requirement. Your regulated clients will ask for it. Some already are.
This toolkit closes the documentation gap. It won't replace your legal counsel or your compliance team — but it gives them a professional, structured starting point for every document DORA requires.
DORA applies to a broad range of financial entities and their ICT providers across the European Union — and to firms in aligned jurisdictions whose regulators have introduced equivalent requirements.
If you provide cloud computing, data analytics, software, or managed ICT services to in-scope financial entities, you may be designated a Critical ICT Third-Party Provider (CTPP) and placed under direct oversight by a Lead Overseer under Articles 31–44.
Even if not formally designated as a CTP, your financial services clients will require DORA-aligned contractual clauses and evidence of your own resilience posture.
A structured gap assessment covering all five DORA pillars with scoring across 25 control areas. Begin here. Identifies where you stand before you commit resource to remediation. Includes a pillar-by-pillar scoring mechanism and a ranked gap report template. The fastest way to produce a defensible baseline assessment for the management body.
A complete ICT risk management framework template covering DORA Articles 5–16. Includes the board-approved ICT risk tolerance statement, risk appetite documentation, risk owner assignment, asset classification, and the learning and evolving function required by Article 13 (including post-incident reviews after major ICT-related incidents). Aligned to ISO 27001:2022 clause 6.1 and built for direct use as a regulatory submission artefact.
The operational procedure your team will use when an incident occurs. Covers major incident classification using the criteria in the DORA RTS on incident classification, the three-stage regulatory reporting timeline under Article 19 (initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it / intermediate report within 72 hours of the initial notification / final report, including root cause analysis, within 1 month of the intermediate report), notification templates for each stage, and the internal escalation chain. Designed to work under pressure.
Annual testing programme template covering the DORA test types listed in Article 25, including vulnerability assessments and scans, network security assessments, scenario-based tests, end-to-end continuity testing, and gap analyses. Includes scope definition, testing schedule, management body reporting requirements, and a TLPT scoping section for the financial entities required to perform threat-led penetration testing under Article 26.
The mandatory ICT third-party arrangements register required by DORA Article 28(3). Includes criticality tiering methodology (Critical / Important / Standard), the Article 30 mandatory contractual clause checklist, concentration risk assessment section, exit strategy documentation prompts, and a provider review schedule.
A DORA-aligned BCP/DR template covering Articles 11–12. Includes RTO/RPO documentation for critical ICT systems, crisis communication procedures, ICT continuity scenario planning, provider-side continuity assessment, and the formal linkage to the ICT risk management framework that DORA specifically requires.
Complete asset inventory covering hardware, software, cloud services, data assets, and network components. Structured for DORA compliance with asset classification (critical / important / supporting), owner assignment, third-party linkage, and vulnerability tracking fields. The foundation document for both risk management and resilience testing scope definition.
A quarterly ICT risk report to the management body, supporting the oversight responsibilities DORA Article 5 places on it (the quarterly cadence is the toolkit's recommended frequency; DORA itself does not prescribe one). Structured for board consumption: executive summary, compliance status by pillar, top 5 ICT risks, incident summary, testing programme status, third-party risk overview, and open remediation tracker. Creates the audit trail of board oversight that regulators will look for.
The essential reference document for ISO 27001-certified organisations. Maps all five DORA pillars to the relevant ISO 27001:2022 clauses and Annex A controls, then identifies precisely what DORA requires that ISO 27001 does not. Includes the seven specific actions every ISO-certified organisation must take to achieve DORA compliance.
A week-by-week implementation plan from programme launch to first compliance self-assessment. For each of the 12 weeks: detailed tasks, responsible owner by role title, measurable success criteria, and dependencies on other toolkit documents. Includes a post-90-day ongoing obligations summary and a milestone tracker.
Best for firms that want to assess their position and establish the critical operational procedures before committing to the full programme.
The fastest path from uncertainty to a credible DORA starting position.
Best for firms that need the complete documentation set to run the DORA programme end to end.
Compare to £5,000–£20,000 for a compliance consultant to produce the same documentation from scratch.
Best for firms that want the documentation and a structured expert review of their specific compliance position.
Limited availability — Michael works with a small number of clients directly each month.
If your organisation is regulated as a credit institution, payment institution, e-money institution, investment firm, insurance undertaking, crypto-asset service provider, or data reporting service provider in any EU member state, you are in scope for DORA (Article 2 lists the full set of entity types, which also includes, among others, trading venues, central counterparties, fund managers, insurance intermediaries and crowdfunding service providers). Entities regulated by the Central Bank of Ireland, the ACPR in France, BaFin in Germany, or any other EU national competent authority are directly subject to DORA's requirements.
If you are an ICT third-party provider — a cloud platform, SaaS provider, data centre, or managed service provider — you may be subject to direct DORA oversight as a Critical Third-Party Provider (CTP). Even if not formally designated, your regulated financial services clients will require DORA-aligned operational resilience and Article 30 contractual clauses.
For UK, Singapore, and Canadian firms: DORA is an EU regulation and does not apply directly. However, the FCA, MAS, and OSFI have each developed operational resilience frameworks that closely align with DORA's requirements. If you serve EU-regulated entities, DORA's Article 30 obligations will flow downstream through your clients' supply chain compliance requirements.
More than most ISO-certified organisations expect, but less than starting from scratch. ISO 27001:2022 provides strong coverage of information security controls that map to several DORA pillars. However, DORA imposes seven specific requirements that ISO 27001 does not address.
The most significant gaps are: mandatory external incident reporting to the competent authority (4h/72h/1-month timelines — ISO has no external reporting requirement); formal ICT risk tolerance and appetite documentation approved by the management body; annual resilience testing programme with management body oversight; ICT third-party register with criticality tiers and Article 30 contractual clauses; exit strategies for critical ICT providers; and concentration risk analysis.
Document 09 in this toolkit maps every DORA pillar to the relevant ISO 27001:2022 controls and identifies precisely where the gaps are. It is the most efficient starting point for ISO-certified organisations.
DORA Article 50 requires competent authorities to have the power to impose administrative penalties and remedial measures for breaches. The regulation does not itself fix the penalty amounts for financial entities: each Member State sets them in its implementing law, and Member States must ensure that penalties can also be applied to members of the management body and to other individuals responsible for a breach. The exposure therefore depends on your jurisdiction, but it is personal as well as corporate.
For Critical Third-Party Providers under direct regulatory oversight (Articles 31–44), periodic penalty payments for ongoing non-compliance can reach 1% of average daily worldwide turnover for each day of non-compliance, for a maximum of six months.
Beyond financial penalties, where a critical ICT third-party provider fails to address the Lead Overseer's recommendations, competent authorities can require financial entities to temporarily suspend their use of that provider's service, and where necessary to terminate the contract (Article 42). The operational impact of such an order could be significant.
DORA is an EU regulation and does not directly apply to UK firms following Brexit. However, there are two important considerations.
First, the FCA and PRA have their own operational resilience framework, and the UK has introduced a separate regime for critical third parties designated by HM Treasury and overseen by the Bank of England, PRA and FCA. UK-regulated firms are subject to operational resilience requirements that align closely with DORA in several areas.
Second, if your UK firm serves EU-regulated financial entities — as a technology provider, cloud vendor, or managed service supplier — DORA's Article 30 contractual requirements will flow to you through your clients' supply chain compliance obligations. EU financial entities cannot use ICT providers whose contracts do not meet DORA's minimum requirements. In practice, DORA has become a de facto requirement for any technology firm selling into EU financial services, regardless of the firm's own jurisdiction.
They have already started. DORA became applicable on 17 January 2025. National competent authorities across the EU — including the Central Bank of Ireland, the Autorité de Contrôle Prudentiel et de Résolution in France, and BaFin in Germany — have been conducting DORA readiness assessments since Q1 2025.
If you have not yet begun your DORA compliance programme, you are behind. The question is no longer whether supervisors will ask — it is when they will ask, and whether you will have a credible answer.
10 professional documents. All 5 DORA pillars. Built by a certified specialist who has implemented compliance frameworks for financial services organisations across the UK, Ireland, and beyond.
We're happy to discuss your specific situation and confirm which documents are most relevant for your entity type and jurisdiction.
Founder, Pyralink Innovation Ltd
Certified financial services cybersecurity specialist