Regulatory Toolkit

EU Digital Operational Resilience Act (DORA)
Tabletop Exercise Toolkit

DORA (EU Regulation 2022/2554), effective January 17, 2025, mandates digital operational resilience testing for ~22,000 EU financial entities. Articles 24–27 explicitly require threat-scenario-based exercises. Skyhigh maps every exercise to DORA's five pillars, from ICT risk management through third-party resilience testing.

⚠️ This toolkit is an educational resource for exercise program design. DORA compliance requires assessment by qualified legal and technical advisors familiar with EBA/EIOPA/ESMA regulatory technical standards. This is not legal or compliance advice.
Financial entities in scope: ~22,000
Resilience testing mandate: Art. 24–27
DORA effective date: Jan 17, 2025
Sector coverage: EU financial sector

DORA — Five Pillars of Digital Operational Resilience

DORA creates a comprehensive ICT risk management framework for the EU financial sector. Understanding the five pillars helps design an exercise program that satisfies every requirement.

Five Pillars of DORA
DORA organizes ICT resilience into five pillars: (1) ICT Risk Management (Art. 5–16), (2) ICT Incident Reporting (Art. 17–23), (3) Digital Operational Resilience Testing (Art. 24–27), (4) Third-Party ICT Risk (Art. 28–44), and (5) Information Sharing (Art. 45–46). Tabletop exercises directly satisfy Pillar 3 and generate evidence for Pillars 1, 2, and 4.
Article 25 — Basic Testing for ALL Entities
Every entity in DORA scope must conduct basic digital operational resilience testing under Article 25; this includes scenario-based tabletop exercises that test ICT tools and systems. This is not optional. Even smaller entities not subject to TLPT must conduct and document annual resilience tests. Skyhigh exercises fulfill this requirement directly.
Article 26 — TLPT for Significant Entities
Significant financial entities must conduct Threat-Led Penetration Testing (TLPT) every 3 years. Preparatory tabletop exercises help scope TLPT engagements, brief red team operators on business context, validate blue team detection capabilities, and document the internal exercise evidence required by TLPT frameworks (TIBER-EU, iCAST).

Requirements Mapping

How Skyhigh tabletop exercises map to DORA Articles 5–46 across all five resilience pillars.

| Article / Requirement | Requirement Description | Skyhigh Coverage | Evidence Generated |
|---|---|---|---|
| Art. 5–7 — ICT Risk Management Framework | Governance, ICT risk framework, risk appetite | Supporting | Board-level scenario testing validates governance; risk tolerance gaps surface in AAR |
| Art. 8–11 — ICT Risk Assessment & Protection | Risk identification, protection measures, prevention | Direct | Threat scenario mapping validates risk assessment methodology; prevention gap analysis |
| Art. 12–13 — ICT Business Continuity & Backup | BCP policies, backup/restore, crisis communication | Direct | BCP activation exercises; RTO/RPO validation; crisis communication flow testing |
| Art. 14–16 — Learning, Communication & Awareness | Lessons learned, ICT security training | Direct | AI-generated AAR with lessons; training log evidence; improvement tracking |
| Art. 17–20 — ICT Incident Classification & Reporting | Major incident criteria, internal escalation | Core | Incident classification tabletop; 4h/72h/1-month notification timeline drill |
| Art. 21–23 — Regulatory Notification to Authorities | EBA/EIOPA/ESMA notification procedures | Core | Regulatory reporting timeline exercise; competent authority communication drill |
| Art. 24–25 — Basic Resilience Testing (ALL entities) | Scenario-based exercises, tool testing | Core | Completed exercise = direct Article 25 compliance evidence; dated exercise record |
| Art. 28–34 — Third-Party ICT Risk | Due diligence, contractual arrangements, critical TPPs | Direct | Vendor failure tabletop; third-party concentration risk scenario; supply chain exercise |

How Skyhigh Supports DORA Compliance

Purpose-built features to satisfy DORA's Articles 24–27 testing requirements and generate evidence ready for competent authorities.

Article 25 Exercise Documentation
Every Skyhigh exercise generates a timestamped, AI-written After Action Report that serves as direct Article 25 basic testing documentation. Export PDF reports showing exercise date, participants, scenario scope, findings, and remediation commitments — exactly what DORA competent authorities expect to see.
Tags: Art. 25 Evidence · Dated Record · AI AAR · PDF Export
DORA Incident Reporting Timeline Drill
DORA's incident reporting requires a 4-hour initial notification, a 72-hour intermediate report, and a 1-month final report to competent authorities. Skyhigh exercises simulate these timelines: teams practice classification, internal escalation, and authority notification under realistic time pressure, with decision points documented throughout.
Tags: 4h Notification · 72h Report · Escalation Flow · Timeline Evidence
Third-Party Concentration Risk Scenarios
DORA places heavy emphasis on ICT third-party risk (Art. 28–44). Skyhigh's cloud provider outage, critical vendor failure, and ICT concentration risk scenarios test your contingency plans for critical service providers and generate the documented evidence of third-party resilience testing that DORA requires.
Tags: Art. 28–34 · Vendor Failure · Concentration Risk · Contingency Testing

DORA — Scenario Library

Exercises designed to generate compliance evidence in a single session.

PAYMENTS · ART. 12–13
Core Banking Payment System Cascade Failure
Critical payment processing infrastructure experiences ICT failure, triggering cascading cross-border payment disruptions across correspondent banks. Tests BCP activation (Art. 12), crisis communication, and major incident classification (Art. 17).
Articles: Art. 12 · Art. 17 · Art. 21
CLOUD · ART. 28–34
Critical Cloud Provider Multi-Tenant Outage
A Tier-1 hyperscaler incident simultaneously impacts multiple EU financial entities using shared infrastructure. Tests third-party contingency plans (Art. 28), concentration risk response, and regulatory notification when multiple entities are affected.
Articles: Art. 28 · Art. 31 · Art. 17
TRADING · ART. 24–25
Trading Platform Ransomware — Market Hours
Encryption of core trading systems during peak market hours. Teams practice incident classification (Art. 17 major vs. non-major criteria), regulatory notification timeline (4h → 72h → 1 month), and crisis communication to regulators and market participants.
Articles: Art. 17 · Art. 21 · Art. 25
PAYMENTS · ART. 8–11
SWIFT Payment Message Fraud — Fraudulent Payment Instructions
Adversary injects fraudulent payment instructions via compromised financial messaging infrastructure. Tests detection capabilities, payment reversal procedures, correspondent bank notification, and DORA incident classification thresholds for financial loss.
Articles: Art. 8 · Art. 17 · Art. 23
CRYPTO · ART. 17–20
Crypto-Asset Custody Breach — Client Funds at Risk
A crypto-asset service provider suffers a custody breach placing client digital assets at risk. Tests DORA incident classification (financial loss thresholds), client notification obligations, regulatory reporting to competent authority, and operational recovery.
Articles: Art. 17 · Art. 20 · Art. 25
SYSTEMIC · ART. 45–46
ICT Concentration Risk — Common Vendor Compromise
A shared ICT service provider (managed service, market data, core banking vendor) is compromised, creating systemic risk across multiple interconnected EU financial institutions. Tests information sharing obligations (Art. 45–46), coordinated response, and systemic incident handling.
Articles: Art. 31 · Art. 45 · Art. 46

Evidence Artifacts Generated

Every exercise produces documented artifacts for regulatory submissions.

Art. 25 Testing Record
Dated exercise completion certificate: direct Article 25 basic resilience testing evidence
Incident Notification Timeline
Exercise record for the 4h / 72h / 1-month regulatory reporting timeline
Third-Party Resilience Evidence
Vendor contingency testing documentation: Art. 28–34 compliance evidence
Business Continuity Record
BCP/DRP activation exercise log with RTO/RPO validation: Art. 12–13 evidence


Start Building Your DORA Resilience Exercise Program

Article 25 requires documented resilience testing for every EU financial entity in DORA scope. Start with a free exercise today.
