Overview
Conduct a comprehensive gap assessment against all five pillars of the EU Digital Operational Resilience Act (Regulation (EU) 2022/2554): ICT risk management, ICT-related incident management, digital operational resilience testing, ICT third-party risk management, and information sharing arrangements. The skill walks you through entity profiling, pillar-by-pillar assessment, automated scoring, and produces a prioritized remediation roadmap with phased timelines.
What It Covers
- Pillar 1 – ICT Risk Management (Arts. 5-16): framework documentation, asset inventory, risk identification, protection measures (access control, encryption, network segmentation), detection, BCP/DRP, learning and evolving process
- Pillar 2 – ICT Incident Management (Arts. 17-23): incident classification per RTS 2024/1772, reporting timelines (initial 4h, intermediate 72h, final 1 month), root cause analysis, evidence preservation
- Pillar 3 – Resilience Testing (Arts. 24-27): risk-based testing program, all twelve test types required by Art. 25, threat-led penetration testing (TLPT) for significant entities
- Pillar 4 – ICT Third-Party Risk (Arts. 28-44): Information Register per ITS 2024/2956, contractual provisions (Art. 30), due diligence, concentration risk, exit strategies
- Pillar 5 – Information Sharing (Art. 45): participation in threat intelligence arrangements, data protection safeguards
- Cross-Cutting Governance (Art. 5): management body accountability, ICT budget, training, reporting lines, independent ICT risk function
- Framework Mapping: identifies where existing ISO 27001, NIS2, or EBA Guidelines controls already partially satisfy DORA requirements
Example Conversation
You: We’re a mid-size payment institution regulated by BaFin. We have ISO 27001 certification and follow the EBA outsourcing guidelines, but we haven’t started any DORA-specific work yet. Can you assess our compliance posture across all five pillars?
Agent: I’ll start by building your entity profile. You’re a payment institution under DORA Art. 2(1)(d), standard proportionality tier, with ISO 27001 and EBA/GL/2019/02 as existing frameworks, BaFin as competent authority. How many ICT third-party service providers do you work with, and are any designated as critical under Art. 31?
You: We have about 45 ICT providers. Our core banking platform and cloud infrastructure provider are the two we’d consider critical. None has been formally designated under Art. 31 yet.
Agent: Noted – two providers supporting critical functions. I’ll now walk through each pillar. Starting with Pillar 1: ICT Risk Management. Your ISO 27001 ISMS gives you a head start – it covers about 60% of Pillar 1 requirements. However, DORA adds several specific elements: a digital operational resilience strategy with explicit RTO/RPO objectives (Art. 6(8)), ICT asset dependency mapping to critical or important functions (Art. 8(2)-(3)), and mandatory management body accountability that goes beyond ISO 27001’s “leadership commitment.” Do you have a documented digital resilience strategy separate from your ISMS policy?
You: No, our ISMS policy covers general information security but doesn’t have a separate resilience strategy with RTO/RPO targets.
Agent: That’s a common gap – I’ll mark P1-04 (digital operational resilience strategy) as non-compliant with high priority. Let me continue through the remaining Pillar 1 requirements, then move to incident management. For Pillar 2, the key question is whether you have incident classification criteria aligned with RTS 2024/1772 and reporting templates ready per ITS 2025/302 – these are under highest supervisory scrutiny alongside the Information Register.
You: We have an incident management process but it follows our ISO 27001 procedure. We haven’t mapped it to the DORA-specific classification thresholds or reporting timelines.
Agent: I’ll mark the classification criteria and reporting templates as non-compliant – these are critical priority items. After completing all pillars, I’ll run dora_gap_scorer on the assessment to compute your pillar-by-pillar compliance scores and overall readiness tier, then generate the full report with a phased remediation roadmap.
Sample Output Excerpt
Excerpt from a DORA gap assessment report for a payment institution.
DORA Gap Assessment Report
Entity: Meridian Payments GmbH
Entity type: Payment institution (Art. 2(1)(d))
Proportionality tier: Standard
Assessment date: 2026-03-15
Competent authority: BaFin
Executive Summary
Overall DORA readiness score: 47%
Readiness tier: Major Gaps – Remediation Required
| Pillar | Score | Status |
|---|---|---|
| Governance (Art. 5) | 60% | Partially Compliant |
| Pillar 1: ICT Risk Management (Arts. 5-16) | 55% | Partially Compliant |
| Pillar 2: ICT Incident Management (Arts. 17-23) | 30% | Non-Compliant |
| Pillar 3: Resilience Testing (Arts. 24-27) | 40% | Partially Compliant |
| Pillar 4: Third-Party Risk (Arts. 28-44) | 35% | Non-Compliant |
| Pillar 5: Information Sharing (Art. 45) | 50% | Partially Compliant |
Top critical gaps:
- Information Register not submission-ready – Art. 28(3), ITS 2024/2956 – Critical
- Incident reporting templates and timelines not aligned to ITS 2025/302 – Art. 19(4) – Critical
- Management body ICT risk training not evidenced – Art. 5(4) – Critical
Supervisory priority alerts:
- NON-COMPLIANT: Information Register (Art. 28(3)) – highest supervisory scrutiny. Remediate immediately.
- NON-COMPLIANT: Incident Reporting (Arts. 19-20) – reporting chain not functional. Remediate immediately.
Remediation Roadmap
Phase 1 – Immediate (0-30 days)
| # | Action | Pillar | Article | Priority | Owner | Effort |
|---|---|---|---|---|---|---|
| 1 | Build Information Register per ITS 2024/2956 templates | P4 | Art. 28(3) | Critical | Compliance | High |
| 2 | Implement incident classification per RTS 2024/1772 | P2 | Art. 18(1) | Critical | CISO | Medium |
| 3 | Deploy ITS 2025/302 reporting templates and test chain | P2 | Art. 19(4) | Critical | CISO | Medium |
| 4 | Schedule management body ICT risk training | Gov | Art. 5(4) | Critical | GRC Lead | Low |
Phase 2 – Short-term (30-90 days)
| # | Action | Pillar | Article | Priority | Owner | Effort |
|---|---|---|---|---|---|---|
| 5 | Draft digital operational resilience strategy with RTO/RPO | P1 | Art. 6(8) | High | CTO | Medium |
| 6 | Complete ICT asset dependency mapping to critical functions | P1 | Art. 8(2)-(3) | High | IT Ops | High |
| 7 | Review all ICT contracts for Art. 30 mandatory clauses | P4 | Art. 30 | High | Legal | High |
Existing Framework Coverage
| DORA Requirement | Existing Framework | Coverage | DORA-Specific Gap |
|---|---|---|---|
| ICT risk framework (Art. 6) | ISO 27001 A.5 | Partial | Missing digital resilience strategy, management body accountability |
| Asset inventory (Art. 8) | ISO 27001 A.5.9 | Partial | Missing dependency mapping to critical functions |
| Incident reporting (Arts. 19-20) | ISO 27001 A.5.24-28 | Partial | DORA timelines, classification thresholds, and ITS templates required |
| Third-party risk (Arts. 28-44) | EBA/GL/2019/02 | Partial | ITS-compliant Information Register, Art. 30 contractual clauses |
Extension Tools
The skill includes an extension tool that validates and scores the gap assessment.
dora_gap_scorer
Takes the structured gap assessment JSON and produces a comprehensive compliance analysis.
| Check | Description |
|---|---|
| Entity profile validation | Warns if entity type or proportionality tier is missing |
| Pillar completeness | Flags any pillar with zero requirements assessed |
| Per-pillar scoring | Computes compliance percentage for each of the six assessment areas (governance + five pillars) |
| Weighted overall score | Calculates DORA readiness using supervisory-priority weighting: Pillar 1 and Pillar 4 at 25% each, Governance and Pillar 2 at 15% each, Pillar 3 and Pillar 5 at 10% each |
| Readiness tier | Classifies overall posture: Substantially Ready (80-100%), Partially Ready (60-79%), Major Gaps (40-59%), Not Ready (0-39%) |
| Top 5 critical gaps | Identifies the five most urgent gaps sorted by priority and severity |
| Supervisory priority alerts | Flags non-compliance in Information Register (Art. 28(3)) or Incident Reporting (Arts. 19-20) – the two areas under highest supervisory scrutiny |
| Remediation summary | Counts gaps by priority level (critical, high, medium, low) with timeline recommendations |
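The following Python module is an added worked example of the scoring logic the table above describes; it is not the skill's own dora_gap_scorer. The weights, readiness tiers, supervisory-alert areas and remediation phases are the ones listed on this page. Everything else is an assumption made for the example: requirement statuses are one of "compliant", "partial" or "non-compliant"; a pillar score is (compliant + 0.5 × partial) / assessed, rounded to a whole percent; an unassessed pillar contributes 0 to the weighted score and is flagged; and the input JSON layout, requirement IDs and the small sample assessment are constructed here (they do not reproduce the 38-gap report shown on this page).

```python
"""Worked example of the dora_gap_scorer checks (added illustration, not the skill's tool).

Assumptions not stated on the page: statuses are "compliant"/"partial"/"non-compliant";
pillar score = (compliant + 0.5 * partial) / assessed, rounded to whole percent;
the input layout and the sample assessment below are constructed for this example.
"""
from collections import Counter

AREAS = ["governance", "pillar_1", "pillar_2", "pillar_3", "pillar_4", "pillar_5"]

# Supervisory-priority weighting from the page; sums to 1.0.
WEIGHTS = {"governance": 0.15, "pillar_1": 0.25, "pillar_2": 0.15,
           "pillar_3": 0.10, "pillar_4": 0.25, "pillar_5": 0.10}

# Readiness tiers from the page: (inclusive lower bound, label), highest first.
TIERS = [(80, "Substantially Ready"), (60, "Partially Ready"),
         (40, "Major Gaps"), (0, "Not Ready")]

PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
SEVERITY_RANK = {"non-compliant": 0, "partial": 1}
# Remediation phases from the page: immediate / 3-month / 6-month / 12-month.
TIMELINE = {"critical": "0-30 days", "high": "30-90 days",
            "medium": "90-180 days", "low": "180-365 days"}


def validate_profile(profile):
    """Entity profile validation: warn if entity type or proportionality tier is missing."""
    return [f"entity profile missing '{k}'"
            for k in ("entity_type", "proportionality_tier") if not profile.get(k)]


def pillar_scores(requirements):
    """Per-pillar counts and percentage; an area with nothing assessed scores None."""
    scores = {}
    for area in AREAS:
        c = Counter(r["status"] for r in requirements if r["area"] == area)
        total = sum(c.values())
        pct = None if total == 0 else round(100 * (c["compliant"] + 0.5 * c["partial"]) / total)
        scores[area] = {"compliant": c["compliant"], "partial": c["partial"],
                        "non_compliant": c["non-compliant"], "total": total, "score": pct}
    return scores


def incomplete_pillars(scores):
    """Pillar completeness: areas with zero requirements assessed."""
    return [a for a in AREAS if scores[a]["total"] == 0]


def overall_score(scores):
    """Weighted readiness; an unassessed area contributes 0 (assumption) and is flagged elsewhere."""
    return round(sum(WEIGHTS[a] * (scores[a]["score"] or 0) for a in AREAS))


def readiness_tier(score):
    for lower, label in TIERS:
        if score >= lower:
            return label
    return "Not Ready"


def gaps(requirements):
    return [r for r in requirements if r["status"] != "compliant"]


def top_gaps(requirements, n=5):
    """Most urgent gaps: priority, then supervisory-priority areas, then severity, then id."""
    def urgency(r):
        return (PRIORITY_RANK[r["priority"]], 0 if r.get("supervisory_area") else 1,
                SEVERITY_RANK[r["status"]], r["id"])
    return sorted(gaps(requirements), key=urgency)[:n]


def supervisory_alerts(requirements):
    """Alert on non-compliance in the two areas the page names as highest scrutiny."""
    return [f"NON-COMPLIANT: {r['supervisory_area']} -- \"{r['title']}\" ({r['article']})"
            for r in requirements if r.get("supervisory_area") and r["status"] == "non-compliant"]


def remediation_summary(requirements):
    counts = Counter(r["priority"] for r in gaps(requirements))
    return {p: {"count": counts[p], "timeline": TIMELINE[p]} for p in PRIORITY_RANK}


def score_assessment(assessment):
    reqs = assessment["requirements"]
    scores = pillar_scores(reqs)
    overall = overall_score(scores)
    return {"warnings": validate_profile(assessment["profile"])
                        + [f"no requirements assessed for {a}" for a in incomplete_pillars(scores)],
            "pillar_scores": scores, "overall_score": overall,
            "readiness_tier": readiness_tier(overall),
            "top_gaps": [r["id"] for r in top_gaps(reqs)],
            "alerts": supervisory_alerts(reqs),
            "remediation": remediation_summary(reqs), "total_gaps": len(gaps(reqs))}


def req(id_, area, title, article, status, priority, supervisory_area=None):
    return {"id": id_, "area": area, "title": title, "article": article,
            "status": status, "priority": priority, "supervisory_area": supervisory_area}


# Constructed sample assessment (hypothetical IDs; not the page's 38-gap report).
SAMPLE = {
    "profile": {"entity_type": "Payment institution", "proportionality_tier": "Standard"},
    "requirements": [
        req("GOV-01", "governance", "ICT risk tolerance approved by management body", "Art. 5(2)", "compliant", "high"),
        req("GOV-02", "governance", "Management body ICT risk training", "Art. 5(4)", "non-compliant", "critical"),
        req("P1-01", "pillar_1", "ICT risk management framework documented", "Art. 6(1)", "compliant", "high"),
        req("P1-04", "pillar_1", "Digital operational resilience strategy", "Art. 6(8)", "non-compliant", "high"),
        req("P1-06", "pillar_1", "ICT asset inventory", "Art. 8(1)", "partial", "medium"),
        req("P2-01", "pillar_2", "Incident classification per RTS 2024/1772", "Art. 18(1)", "non-compliant", "critical"),
        req("P2-03", "pillar_2", "ITS-compliant reporting templates", "Art. 19(4)", "non-compliant", "critical",
            "Incident Reporting (Arts. 19-20)"),
        req("P3-01", "pillar_3", "Risk-based resilience testing programme", "Art. 24(1)", "partial", "high"),
        req("P3-02", "pillar_3", "Vulnerability scanning of ICT systems", "Art. 25(1)", "compliant", "medium"),
        req("P4-01", "pillar_4", "Information Register complete", "Art. 28(3)", "non-compliant", "critical",
            "Information Register (Art. 28(3))"),
        req("P4-03", "pillar_4", "Art. 30 clauses in all ICT contracts", "Art. 30", "partial", "high"),
        req("P5-01", "pillar_5", "Participation in information-sharing arrangement", "Art. 45(1)", "compliant", "low"),
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(score_assessment(SAMPLE), indent=2))
```

On the constructed sample the six pillar scores come out at 50, 50, 0, 75, 25 and 100 percent, the weighted overall score is 44% (tier Major Gaps), and both supervisory alerts fire. Note the weighting: Pillar 2 at 0% costs only 15 points of headroom, whereas the same failure in Pillar 1 or Pillar 4 would cost 25, which is why the Information Register and the incident-reporting chain sit in both the alert list and the top of the gap ranking even when their priority matches other critical items.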
Example validation output
```text
========================================================================
DORA Gap Assessment -- Compliance Score
========================================================================
--- SUPERVISORY PRIORITY ALERTS ---
[ALERT] NON-COMPLIANT: Information Register (Art. 28(3)) --
"Information Register complete" (Art. 28(3)). This area is
under highest supervisory scrutiny. Remediate immediately.
[ALERT] NON-COMPLIANT: Incident Reporting (Arts. 19-20) --
"ITS-compliant reporting templates" (ITS 2025/302). This area
is under highest supervisory scrutiny. Remediate immediately.
--- Overall DORA Readiness ---
Score: 47%
Tier: Major Gaps -- Remediation Required
--- Pillar Scores ---
| Pillar                              | Score | Compliant | Partial | Non-Compliant |
|-------------------------------------|-------|-----------|---------|---------------|
| Cross-Cutting Governance (Art. 5)   | 60%   | 4         | 4       | 2             |
| Pillar 1: ICT Risk Management       | 55%   | 8         | 7       | 7             |
| Pillar 2: ICT Incident Management   | 30%   | 1         | 4       | 5             |
| Pillar 3: Resilience Testing        | 40%   | 4         | 5       | 9             |
| Pillar 4: Third-Party Risk          | 35%   | 3         | 5       | 9             |
| Pillar 5: Information Sharing       | 50%   | 1         | 2       | 1             |
--- Top 5 Critical Gaps ---
1. [CRITICAL] Information Register complete (Art. 28(3))
2. [CRITICAL] ITS-compliant reporting templates (ITS 2025/302)
3. [CRITICAL] Management body ICT risk training (Art. 5(4))
4. [HIGH] Digital operational resilience strategy (Art. 6(8))
5. [HIGH] Dependency mapping to critical functions (Art. 8(2)-(3))
--- Remediation Summary ---
Total gaps found: 38
Critical priority: 5
High priority: 12
Medium priority: 14
Low priority: 7
RECOMMENDATION: Address all critical-priority gaps within the first
30 days. Information Register and Incident Reporting deficiencies
should be the immediate focus as supervisory authorities may request
evidence at any time.
========================================================================
```
Run dora_gap_scorer after completing the assessment and before producing the final report.
Getting Started
Activate the DORA Gap Assessment skill and tell the agent about your entity. Have this information ready:
- Entity type under DORA Art. 2(1): credit institution, payment institution, investment firm, insurance undertaking, crypto-asset service provider, or another covered entity type
- Entity size: whether you qualify for the simplified ICT risk management framework (Art. 16) – applies only to microenterprises and small non-interconnected investment firms
- Existing frameworks: any compliance frameworks already in place (ISO 27001, NIS2, EBA Guidelines on ICT, EBA Guidelines on outsourcing, national supervisory guidance)
- Competent authority: your regulatory supervisor (e.g., ECB/SSM, BaFin, ACPR, AMF, FCA, CSSF)
- ICT third-party providers: approximate count and which ones support critical or important functions
- Group structure: parent entity, subsidiaries, and branches across jurisdictions if applicable
If the Organization Profile skill has already been completed, the agent will reference it automatically for entity details and regulatory context.
The skill produces a scored gap assessment report covering all five DORA pillars, a findings register, a phased remediation roadmap (immediate / 3-month / 6-month / 12-month), and a framework mapping showing where existing controls already partially satisfy DORA requirements.