
DORA Compliance Dashboard

Digital Operational Resilience Act

Jurisdiction: European Union | Effective: January 17, 2025 | Domain: AI/Digital

Overview

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) establishes a harmonised framework for managing ICT risk across the EU financial sector. It sets requirements for ICT risk management, classification and reporting of ICT-related incidents, digital operational resilience testing, and management of the risk arising from ICT third-party service providers, and it applies to financial entities and to the ICT providers that serve them.

Controls

DORA-C001: ICT Risk Management

  • Requirement: Comprehensive ICT risk management framework
  • Automated: Yes
  • Evidence: Risk framework documentation, risk register

DORA-C002: Incident Reporting

  • Requirement: ICT-related incident classification and reporting
  • Automated: Yes
  • Evidence: Incident reports, classification logs

DORA-C003: Digital Resilience Testing

  • Requirement: Regular testing of ICT systems and tools
  • Automated: Yes
  • Evidence: Test reports, threat-led penetration testing (TLPT) results

DORA-C004: Third-Party Risk Management

  • Requirement: Monitoring of ICT third-party service providers
  • Automated: No
  • Evidence: Vendor assessments, contract provisions

Compliance Gates

Gate       Control Ref   Requirement                                   Status
DORA-G001  DORA-C001     ICT risk framework documented and approved
DORA-G002  DORA-C002     Incident classification scheme operational
DORA-G003  DORA-C003     Annual resilience testing completed

Metrics

Metric                         Target            Source              Trend
ICT risk coverage              100%              risk_framework      Improving
Incident reporting timeliness  100% within SLA   incident_system     Stable
Third-party assessment coverage 95%              vendor_management   Improving

  1. Complete ICT risk management framework review
  2. Conduct threat-led penetration testing (TLPT)
  3. Assess critical ICT third-party providers
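The Metrics table sources incident reporting timeliness from incident_system but does not show how the percentage is derived from incident records. The following is an added example, not code from this dashboard or from DORA itself. The Incident and Sla types, the dashboard_metric function and the two sample incidents are constructed for illustration, and the deadline values in Sla (initial notification within 4 hours of classification as major and in any case within 24 hours of awareness, intermediate report 72 hours after the initial one, final report about one month after the intermediate one) are this example's assumptions, to be checked against the entity's actual reporting obligations before the metric is trusted.

```python
# Added example: incident reporting timeliness as a dashboard would derive it
# from incident records. Deadline values in Sla are assumptions, not the page's.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc

@dataclass
class Incident:
    ident: str
    detected_at: datetime             # entity became aware of the incident
    classified_major_at: datetime     # incident classified as major
    initial_report_at: Optional[datetime] = None
    intermediate_report_at: Optional[datetime] = None
    final_report_at: Optional[datetime] = None

@dataclass
class Sla:
    """Assumed reporting deadlines; align with the entity's actual obligations."""
    initial_after_classification_h: int = 4   # initial notification after major classification...
    initial_after_detection_h: int = 24       # ...and in any case this long after awareness
    intermediate_after_initial_h: int = 72
    final_after_intermediate_days: int = 30   # approximates "one month"

def deadlines(inc: Incident, sla: Sla) -> dict:
    """Due time of each reporting stage the incident currently owes."""
    # The awareness cap can expire before the classification window when
    # classification was slow, so the initial deadline is the earlier of the two.
    due = {"initial": min(
        inc.classified_major_at + timedelta(hours=sla.initial_after_classification_h),
        inc.detected_at + timedelta(hours=sla.initial_after_detection_h))}
    if inc.initial_report_at is not None:
        due["intermediate"] = inc.initial_report_at + timedelta(hours=sla.intermediate_after_initial_h)
    if inc.intermediate_report_at is not None:
        due["final"] = inc.intermediate_report_at + timedelta(days=sla.final_after_intermediate_days)
    return due

def stage_status(submitted: Optional[datetime], due: datetime, now: datetime) -> str:
    if submitted is not None:
        return "on_time" if submitted <= due else "late"
    return "overdue" if now > due else "pending"

def evaluate(inc: Incident, sla: Sla, now: datetime) -> dict:
    """Map each owed stage to on_time / late / overdue / pending."""
    submitted = {"initial": inc.initial_report_at,
                 "intermediate": inc.intermediate_report_at,
                 "final": inc.final_report_at}
    return {stage: stage_status(submitted[stage], due, now)
            for stage, due in deadlines(inc, sla).items()}

def timeliness(incidents, sla: Sla, now: datetime):
    """Percentage of due stages met on time, plus the breaches behind the number.
    Stages not yet due are excluded so incidents that simply have not reached a
    deadline do not inflate the score; an empty population scores 100."""
    total = met = 0
    breaches = []
    for inc in incidents:
        for stage, status in evaluate(inc, sla, now).items():
            if status == "pending":
                continue
            total += 1
            if status == "on_time":
                met += 1
            else:
                breaches.append((inc.ident, stage, status))
    pct = 100.0 if total == 0 else 100.0 * met / total
    return pct, breaches

# Constructed sample records, not real incidents.
SAMPLE_INCIDENTS = [
    Incident("INC-1",
             detected_at=datetime(2025, 3, 1, 8, 0, tzinfo=UTC),
             classified_major_at=datetime(2025, 3, 1, 9, 0, tzinfo=UTC),
             initial_report_at=datetime(2025, 3, 1, 11, 0, tzinfo=UTC),
             intermediate_report_at=datetime(2025, 3, 4, 10, 0, tzinfo=UTC),
             final_report_at=datetime(2025, 3, 20, 9, 0, tzinfo=UTC)),
    # Classified 22h after awareness: the 24h cap lands at 22:00, before the 4h
    # window, so the 23:30 initial report is late; no intermediate report yet.
    Incident("INC-2",
             detected_at=datetime(2025, 3, 2, 22, 0, tzinfo=UTC),
             classified_major_at=datetime(2025, 3, 3, 20, 0, tzinfo=UTC),
             initial_report_at=datetime(2025, 3, 3, 23, 30, tzinfo=UTC)),
]
AS_OF = datetime(2025, 3, 10, 8, 0, tzinfo=UTC)

def dashboard_metric():
    """Value the Metrics row would show for the sample data as of AS_OF."""
    return timeliness(SAMPLE_INCIDENTS, Sla(), AS_OF)

if __name__ == "__main__":
    pct, breaches = dashboard_metric()
    print(f"Incident reporting timeliness: {pct:.0f}%")
    for ident, stage, status in breaches:
        print(f"  {ident}: {stage} report {status}")
```

Two design points matter for a dashboard that is meant to back a "100% within SLA" target. First, the score counts stages, not incidents, so one incident with a late initial notification and an overdue intermediate report costs two points rather than one, and the breach list names exactly which stage slipped. Second, stages whose deadline has not yet passed are excluded from the denominator; counting them as met would let a freshly opened incident push the metric up before any report has been filed.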