# DORA Gap Assessment

> Conduct a comprehensive gap assessment against all five DORA pillars: ICT risk management, incident management, resilience testing, third-party risk, and information sharing. Produces a scored compliance posture and prioritized remediation roadmap.



Tags: DORA, Gap Assessment, Compliance Assessment, EU Regulation, Financial Services, Remediation


## Example Prompts

- Conduct a DORA gap assessment for our investment firm
- Assess our compliance posture across all five DORA pillars
- Create a DORA remediation roadmap with priorities and timelines
- Prepare for the upcoming DORA supervisory examination

URL: https://rakenne.app/skills/dora-gap-assessment/index.md

Try this skill: https://rakenne.app/a/?skill=dora-gap-assessment



## Overview

Conduct a comprehensive gap assessment against all five pillars of the EU Digital Operational Resilience Act (Regulation (EU) 2022/2554): ICT risk management, ICT-related incident management, digital operational resilience testing, ICT third-party risk management, and information sharing arrangements. The skill walks you through entity profiling, pillar-by-pillar assessment, automated scoring, and produces a prioritized remediation roadmap with phased timelines.

## What It Covers

- **Pillar 1 -- ICT Risk Management** (Arts. 5-16): framework documentation, asset inventory, risk identification, protection measures (access control, encryption, network segmentation), detection, BCP/DRP, learning and evolving process
- **Pillar 2 -- ICT Incident Management** (Arts. 17-23): incident classification per RTS 2024/1772, major-incident reporting timelines per RTS 2025/301 (initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, intermediate report within 72 hours of the initial notification, final report within one month of the intermediate report), root cause analysis, evidence preservation
- **Pillar 3 -- Resilience Testing** (Arts. 24-27): risk-based testing program covering the twelve test types listed in Art. 25(1), applied proportionately under Art. 4(2); threat-led penetration testing (TLPT) at least every three years for entities identified by their competent authority (Art. 26)
- **Pillar 4 -- ICT Third-Party Risk** (Arts. 28-44): Information Register per ITS 2024/2956, contractual provisions (Art. 30), due diligence, concentration risk, exit strategies
- **Pillar 5 -- Information Sharing** (Art. 45): participation in threat intelligence arrangements, data protection safeguards
- **Cross-Cutting Governance** (Art. 5): management body accountability, ICT budget, training, reporting lines, independent ICT risk function
- **Framework Mapping**: identifies where existing ISO 27001, NIS2, or EBA Guidelines controls already partially satisfy DORA requirements

## Example Conversation

> **You:** We're a mid-size payment institution regulated by BaFin. We have ISO 27001 certification and follow the EBA outsourcing guidelines, but we haven't started any DORA-specific work yet. Can you assess our compliance posture across all five pillars?
>
> **Agent:** I'll start by building your entity profile. You're a payment institution under DORA Art. 2(1)(d), standard proportionality tier, with ISO 27001 and EBA/GL/2019/02 as existing frameworks, BaFin as competent authority. How many ICT third-party service providers do you work with, and are any designated as critical under Art. 31?
>
> **You:** We have about 45 ICT providers. Our core banking platform and cloud infrastructure provider are the two we'd consider critical. None has been formally designated under Art. 31 yet.
>
> **Agent:** Noted -- two providers supporting critical functions. I'll now walk through each pillar. Starting with Pillar 1: ICT Risk Management. Your ISO 27001 ISMS gives you a head start -- it covers about 60% of Pillar 1 requirements. However, DORA adds several specific elements: a digital operational resilience strategy with explicit RTO/RPO objectives (Art. 6(8)), ICT asset dependency mapping to critical or important functions (Art. 8(2)-(3)), and mandatory management body accountability that goes beyond ISO 27001's "leadership commitment." Do you have a documented digital resilience strategy separate from your ISMS policy?
>
> **You:** No, our ISMS policy covers general information security but doesn't have a separate resilience strategy with RTO/RPO targets.
>
> **Agent:** That's a common gap -- I'll mark P1-04 (digital operational resilience strategy) as non-compliant with high priority. Let me continue through the remaining Pillar 1 requirements, then move to incident management. For Pillar 2, the key question is whether you have incident classification criteria aligned with RTS 2024/1772 and reporting templates ready per ITS 2025/302 -- these are under highest supervisory scrutiny alongside the Information Register.
>
> **You:** We have an incident management process but it follows our ISO 27001 procedure. We haven't mapped it to the DORA-specific classification thresholds or reporting timelines.
>
> **Agent:** I'll mark the classification criteria and reporting templates as non-compliant -- these are critical priority items. After completing all pillars, I'll run `dora_gap_scorer` on the assessment to compute your pillar-by-pillar compliance scores and overall readiness tier, then generate the full report with a phased remediation roadmap.

## Sample Output Excerpt

Excerpt from a DORA gap assessment report for a payment institution.

---

# DORA Gap Assessment Report

**Entity:** Meridian Payments GmbH
**Entity type:** Payment institution (Art. 2(1)(b))
**Proportionality tier:** Standard
**Assessment date:** 2026-03-15
**Competent authority:** BaFin

## Executive Summary

**Overall DORA readiness score:** 45%
**Readiness tier:** Major Gaps -- Remediation Required

| Pillar | Score | Status |
|--------|-------|--------|
| Governance (Art. 5) | 60% | Partially Compliant |
| Pillar 1: ICT Risk Management (Arts. 5-16) | 55% | Partially Compliant |
| Pillar 2: ICT Incident Management (Arts. 17-23) | 30% | Non-Compliant |
| Pillar 3: Resilience Testing (Arts. 24-27) | 40% | Partially Compliant |
| Pillar 4: Third-Party Risk (Arts. 28-44) | 35% | Non-Compliant |
| Pillar 5: Information Sharing (Art. 45) | 50% | Partially Compliant |

**Top critical gaps:**
1. Information Register not submission-ready -- Art. 28(3), ITS 2024/2956 -- Critical
2. Incident reporting templates and timelines not aligned to ITS 2025/302 -- Art. 19(4) -- Critical
3. Management body ICT risk training not evidenced -- Art. 5(4) -- Critical

**Supervisory priority alerts:**
- NON-COMPLIANT: Information Register (Art. 28(3)) -- highest supervisory scrutiny. Remediate immediately.
- NON-COMPLIANT: Incident Reporting (Arts. 19-20) -- reporting chain not functional. Remediate immediately.

## Remediation Roadmap

### Phase 1 -- Immediate (0-30 days)

| # | Action | Pillar | Article | Priority | Owner | Effort |
|---|--------|--------|---------|----------|-------|--------|
| 1 | Build Information Register per ITS 2024/2956 templates | P4 | Art. 28(3) | Critical | Compliance | High |
| 2 | Implement incident classification per RTS 2024/1772 | P2 | Art. 18(1) | Critical | CISO | Medium |
| 3 | Deploy ITS 2025/302 reporting templates and test chain | P2 | Art. 19(4) | Critical | CISO | Medium |
| 4 | Schedule management body ICT risk training | Gov | Art. 5(4) | Critical | GRC Lead | Low |

### Phase 2 -- Short-term (30-90 days)

| # | Action | Pillar | Article | Priority | Owner | Effort |
|---|--------|--------|---------|----------|-------|--------|
| 5 | Draft digital operational resilience strategy with RTO/RPO | P1 | Art. 6(8) | High | CTO | Medium |
| 6 | Complete ICT asset dependency mapping to critical functions | P1 | Art. 8(2)-(3) | High | IT Ops | High |
| 7 | Review all ICT contracts for Art. 30 mandatory clauses | P4 | Art. 30 | High | Legal | High |

## Existing Framework Coverage

| DORA Requirement | Existing Framework | Coverage | DORA-Specific Gap |
|------------------|--------------------|----------|-------------------|
| ICT risk framework (Art. 6) | ISO 27001 A.5 | Partial | Missing digital resilience strategy, management body accountability |
| Asset inventory (Art. 8) | ISO 27001 A.5.9 | Partial | Missing dependency mapping to critical functions |
| Incident reporting (Arts. 19-20) | ISO 27001 A.5.24-28 | Partial | DORA timelines, classification thresholds, and ITS templates required |
| Third-party risk (Arts. 28-44) | EBA/GL/2019/02 | Partial | ITS-compliant Information Register, Art. 30 contractual clauses |


## Extension Tools

The skill includes an extension tool that validates and scores the gap assessment.

### `dora_gap_scorer`

Takes the structured gap assessment JSON and produces a comprehensive compliance analysis.

| Check | Description |
|-------|-------------|
| **Entity profile validation** | Warns if entity type or proportionality tier is missing |
| **Pillar completeness** | Flags any pillar with zero requirements assessed |
| **Per-pillar scoring** | Computes compliance percentage for each of the six assessment areas (governance + five pillars) |
| **Weighted overall score** | Calculates DORA readiness using supervisory-priority weighting: Pillar 1 and Pillar 4 at 25% each, Governance and Pillar 2 at 15% each, Pillar 3 and Pillar 5 at 10% each |
| **Readiness tier** | Classifies overall posture: Substantially Ready (80-100%), Partially Ready (60-79%), Major Gaps (40-59%), Not Ready (0-39%) |
| **Top 5 critical gaps** | Identifies the five most urgent gaps sorted by priority and severity |
| **Supervisory priority alerts** | Flags non-compliance in Information Register (Art. 28(3)) or Incident Reporting (Arts. 19-20) -- the two areas under highest supervisory scrutiny |
| **Remediation summary** | Counts gaps by priority level (critical, high, medium, low) with timeline recommendations |
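A reference implementation of those checks, added here as an example rather than the skill's own `dora_gap_scorer` code. It assumes an input schema the page does not define (an `entity` dict plus a flat `requirements` list with `id`, `pillar`, `title`, `article`, `status` and `priority` fields), gives a partially compliant requirement half credit, and scores a pillar with nothing assessed at zero; the pillar weights, readiness tiers and the two supervisory-priority areas are the ones in the table above. It goes one step beyond the table by ranking gaps in the two supervisory-priority areas ahead of other gaps of the same priority. The 12-requirement assessment at the bottom is constructed for the example.

```python
"""Reference scorer for a DORA gap-assessment JSON. Added example, not the
skill's code; input schema and half credit for "partial" are assumptions."""
import re
from collections import Counter

PILLARS = ["GOV", "P1", "P2", "P3", "P4", "P5"]
WEIGHTS = {"GOV": 15, "P1": 25, "P2": 15, "P3": 10, "P4": 25, "P5": 10}  # percent, as on the page
TIERS = [(80, "Substantially Ready"), (60, "Partially Ready"),
         (40, "Major Gaps -- Remediation Required"), (0, "Not Ready")]
CREDIT = {"compliant": 1.0, "partial": 0.5, "non_compliant": 0.0}  # half credit: assumption
PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
ART_RE = re.compile(r"Art\.\s*(\d+)(?:\((\d+)\))?")

def supervisory_area(article):
    """Name the highest-scrutiny area an article citation falls in, else None."""
    m = ART_RE.search(article or "")
    if not m:
        return None
    art, para = int(m.group(1)), m.group(2)
    if art == 28 and para == "3":
        return "Information Register (Art. 28(3))"
    if art in (19, 20):
        return "Incident Reporting (Arts. 19-20)"
    return None

def validate(assessment):
    """Entity-profile and pillar-completeness checks; returns warning strings."""
    entity = assessment.get("entity", {})
    warnings = [f"entity profile: '{f}' is missing" for f in ("type", "tier") if not entity.get(f)]
    assessed = {r["pillar"] for r in assessment["requirements"]}
    warnings += [f"pillar {p}: zero requirements assessed" for p in PILLARS if p not in assessed]
    return warnings

def pillar_scores(requirements):
    """Per-pillar percentage plus compliant/partial/non-compliant counts."""
    out = {}
    for p in PILLARS:
        reqs = [r for r in requirements if r["pillar"] == p]
        if reqs:  # an unassessed pillar is omitted here and so scores 0 overall
            out[p] = {"score": sum(CREDIT[r["status"]] for r in reqs) / len(reqs) * 100,
                      "counts": Counter(r["status"] for r in reqs)}
    return out

def overall_score(scores):
    """Supervisory-priority weighting; integer weights sum to 100, so the result is exact."""
    return sum(WEIGHTS[p] * s["score"] for p, s in scores.items()) / 100

def readiness_tier(score):
    return next(name for floor, name in TIERS if score >= floor)

def gaps(requirements):
    """Not fully compliant, most urgent first: priority, then supervisory-priority
    area, then non-compliant before partial, then id."""
    def key(r):
        return (PRIORITY_RANK[r["priority"]], 0 if supervisory_area(r.get("article")) else 1,
                0 if r["status"] == "non_compliant" else 1, r["id"])
    return sorted((r for r in requirements if r["status"] != "compliant"), key=key)

def supervisory_alerts(requirements):
    return [f"NON-COMPLIANT: {supervisory_area(r.get('article'))} -- {r['title']}"
            for r in requirements
            if r["status"] == "non_compliant" and supervisory_area(r.get("article"))]

def score_assessment(assessment, top_n=5):
    reqs = assessment["requirements"]
    scores = pillar_scores(reqs)
    overall = overall_score(scores)
    found = gaps(reqs)
    return {"warnings": validate(assessment), "pillars": scores, "overall": overall,
            "tier": readiness_tier(overall), "alerts": supervisory_alerts(reqs),
            "top_gaps": [r["id"] for r in found[:top_n]],
            "by_priority": Counter(r["priority"] for r in found)}

# Constructed sample assessment (fictional entity, 12 requirements).
_FIELDS = ("id", "pillar", "title", "article", "status", "priority")
SAMPLE = {"entity": {"type": "payment institution", "tier": "standard"},
          "requirements": [dict(zip(_FIELDS, row)) for row in [
    ("G-01", "GOV", "Management body approves ICT risk framework", "Art. 5(2)", "compliant", "high"),
    ("G-02", "GOV", "ICT budget allocated and reviewed", "Art. 5(2)", "partial", "medium"),
    ("G-03", "GOV", "Management body ICT risk training", "Art. 5(4)", "non_compliant", "critical"),
    ("P1-01", "P1", "ICT asset inventory maintained", "Art. 8(1)", "compliant", "high"),
    ("P1-02", "P1", "Dependency mapping to critical functions", "Art. 8(2)-(3)", "partial", "medium"),
    ("P1-03", "P1", "Digital operational resilience strategy", "Art. 6(8)", "non_compliant", "high"),
    ("P2-01", "P2", "ITS-compliant reporting templates", "Art. 19(4)", "non_compliant", "critical"),
    ("P2-02", "P2", "Incident classification criteria", "Art. 18(1)", "partial", "medium"),
    ("P3-01", "P3", "Annual vulnerability assessment", "Art. 25(1)", "compliant", "medium"),
    ("P4-01", "P4", "Information Register complete", "Art. 28(3)", "non_compliant", "critical"),
    ("P4-02", "P4", "Art. 30 contractual clauses in all contracts", "Art. 30", "partial", "high"),
    ("P5-01", "P5", "Threat intelligence sharing arrangement", "Art. 45", "partial", "low"),
]]}

if __name__ == "__main__":
    result = score_assessment(SAMPLE)
    print(f"Overall {result['overall']:.0f}% -- {result['tier']}")
    print("\n".join(result["warnings"] + result["alerts"]))
    print("Top gaps:", ", ".join(result["top_gaps"]))
```

Run it directly to see the summary. The weighted score uses integer percent weights so that it is exact, which matters when a tier boundary such as 40% or 60% decides whether the report says "Major Gaps" or "Partially Ready"; a pillar that was never assessed does not silently inflate the score, it contributes zero and produces a completeness warning.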

### Example validation output

```
========================================================================
DORA Gap Assessment -- Compliance Score
========================================================================

--- SUPERVISORY PRIORITY ALERTS ---
  [ALERT] NON-COMPLIANT: Information Register (Art. 28(3)) --
          "Information Register complete" (Art. 28(3)). This area is
          under highest supervisory scrutiny. Remediate immediately.
  [ALERT] NON-COMPLIANT: Incident Reporting (Arts. 19-20) --
          "ITS-compliant reporting templates" (ITS 2025/302). This area
          is under highest supervisory scrutiny. Remediate immediately.

--- Overall DORA Readiness ---
  Score: 45%
  Tier:  Major Gaps -- Remediation Required

--- Pillar Scores ---
| Pillar                              | Score | Compliant | Partial | Non-Compliant |
|-------------------------------------|-------|-----------|---------|---------------|
| Cross-Cutting Governance (Art. 5)   |  60%  |     4     |    4    |       2       |
| Pillar 1: ICT Risk Management       |  55%  |     8     |    7    |       7       |
| Pillar 2: ICT Incident Management   |  30%  |     1     |    4    |       5       |
| Pillar 3: Resilience Testing        |  40%  |     4     |    5    |       9       |
| Pillar 4: Third-Party Risk          |  35%  |     3     |    5    |       9       |
| Pillar 5: Information Sharing       |  50%  |     1     |    2    |       1       |

--- Top 5 Critical Gaps ---
  1. [CRITICAL] Information Register complete (Art. 28(3))
  2. [CRITICAL] ITS-compliant reporting templates (ITS 2025/302)
  3. [CRITICAL] Management body ICT risk training (Art. 5(4))
  4. [HIGH] Digital operational resilience strategy (Art. 6(8))
  5. [HIGH] Dependency mapping to critical functions (Art. 8(2)-(3))

--- Remediation Summary ---
  Total gaps found: 38
  Critical priority: 5
  High priority:     12
  Medium priority:   14
  Low priority:      7

  RECOMMENDATION: Address all critical-priority gaps within the first
  30 days. Information Register and Incident Reporting deficiencies
  should be the immediate focus as supervisory authorities may request
  evidence at any time.
========================================================================
```

Run `dora_gap_scorer` after completing the assessment and before producing the final report.

## Getting Started

Activate the *DORA Gap Assessment* skill and tell the agent about your entity. Have this information ready:

- **Entity type** under DORA Art. 2(1): credit institution, payment institution, investment firm, insurance undertaking, crypto-asset service provider, or another covered entity type
- **Entity size**: whether you qualify for the simplified ICT risk management framework (Art. 16), which applies to small and non-interconnected investment firms, payment institutions exempted under PSD2, electronic money institutions exempted under the E-Money Directive, credit institutions exempted under the CRD, and small institutions for occupational retirement provision; other microenterprises get proportionality relief elsewhere in DORA (for example, exemption from TLPT under Art. 26) but not the Art. 16 framework
- **Existing frameworks**: any compliance frameworks already in place (ISO 27001, NIS2, EBA Guidelines on ICT, EBA Guidelines on outsourcing, national supervisory guidance)
- **Competent authority**: your EU regulatory supervisor (e.g., ECB/SSM, BaFin, ACPR, AMF, CSSF, DNB)
- **ICT third-party providers**: approximate count and which ones support critical or important functions
- **Group structure**: parent entity, subsidiaries, and branches across jurisdictions if applicable

If the **Organization Profile** skill has already been completed, the agent will reference it automatically for entity details and regulatory context.

The skill produces a scored gap assessment report covering all five DORA pillars, a findings register, a phased remediation roadmap (immediate / 3-month / 6-month / 12-month), and a framework mapping showing where existing controls already partially satisfy DORA requirements.



---

Back to [Skill Library](https://rakenne.app/skills/index.md)
