DORA Readiness Assessment

Is Your Organisation DORA Ready?

Evaluate your digital operational resilience posture against the EU DORA framework in under 10 minutes.

About 10 minutes · 5 DORA pillars · instant report · free.
Based on EU Regulation 2022/2554 (DORA); application deadline January 2025.
Scoring: every question is answered on the same four-point scale: Not Implemented (0 pts), Planned ≤12m (1 pt), Partial (2 pts), Fully Implemented (3 pts).

Pillar 1 of 5 · ICT Risk Management · Art. 5–16
Governance, risk frameworks, asset inventory, and business continuity integration per Art. 5–16.

Q1. A formally documented ICT Risk Management Framework exists and is approved at board level?
Q2. A board-approved ICT risk appetite statement is defined and reviewed at least annually?
Q3. Business Continuity Management (BCM) is integrated with your ICT resilience strategy?
Q4. A comprehensive ICT asset inventory with criticality ratings is maintained?
Q5. An annual ICT risk assessment covering threat identification and impact analysis is conducted?

Pillar 2 of 5 · ICT Incident Management · Art. 17–23
Detection, classification, reporting timelines, and post-incident review per Art. 17–23.

Q1. Incident classification criteria aligned to DORA Art. 18 severity thresholds are formally defined?
Q2. 24/7 ICT incident detection and monitoring capabilities are in place?
Q3. Incident reporting SLAs meet DORA timelines (4h initial / 72h intermediate / 1 month final)?
Q4. A formal post-incident review process producing lessons-learned reports exists?
Q5. DORA-aligned severity classification has been applied to all recent ICT incidents?

Pillar 3 of 5 · Resilience Testing (TLPT) · Art. 24–27
Annual testing programme, TLPT scope, DAST/SAST, and test-to-risk feedback per Art. 24–27.

Q1. An annual Digital Operational Resilience Testing programme covering Art. 24 basic testing exists?
Q2. The scope of Threat-Led Penetration Testing (TLPT) for critical functions is formally defined?
Q3. Internal audit of resilience controls against the DORA testing requirements is conducted?
Q4. DAST/SAST security testing is integrated into the software development lifecycle?
Q5. Resilience test results are systematically fed back into the ICT risk management framework?

Pillar 4 of 5 · Third-Party Risk · Art. 28–44
TPP register, concentration risk, Art. 30 contractual clauses, and exit strategies per Art. 28–44.

Q1. A register of all critical and important ICT third-party providers (TPPs) is maintained?
Q2. ICT TPP concentration risk (single points of failure) is formally assessed?
Q3. Exit strategies and transition plans for critical ICT TPPs are documented?
Q4. All ICT outsourcing contracts include the mandatory Art. 30 contractual clauses?
Q5. Sub-outsourcing arrangements of critical TPPs are monitored and approved?

Pillar 5 of 5 · Intelligence Sharing · Art. 45–49
ISAC membership, TLP-aligned dissemination, and intelligence integration per Art. 45–49.

Q1. Formal cyber threat intelligence sharing arrangements with sector peers/ISACs are established?
Q2. Your organisation is a member of a relevant sector ISAC or threat sharing community?
Q3. TLP-compliant processes for receiving and disseminating threat intelligence are implemented?
Q4. Threat intelligence is systematically integrated into the ICT risk assessment process?
Q5. Voluntary reporting of significant cyber threats to the competent authority has been considered?
DORA Readiness Score

Once all 25 questions are answered, the report shows an overall readiness score as a percentage of the 75-point maximum (25 questions × 3 pts), a score by DORA pillar, and priority recommendations. The lowest band, 🔴 Critical Risk, reads: Significant DORA gaps identified. Immediate remediation is required: DORA applies from January 2025 for most financial entities.

This assessment is self-reported and indicative only. It does not constitute legal or regulatory advice. For formal DORA compliance evaluation, consult your national competent authority.