DORA Compliance Platform — Digital Operational Resilience for Financial Entities
EU digital resilience compliance made structured. ICT risk management, incident classification, TLPT tracking, third-party oversight, critical function mapping, and board-ready exports.
What is DORA Compliance?
DORA (Digital Operational Resilience Act) is the EU regulation requiring financial entities and their ICT third-party providers to manage ICT risk, ensure operational resilience, and report major ICT-related incidents. It applies to banks, insurers, investment firms, payment institutions, and critical ICT providers. DORA sets requirements for ICT risk management, incident reporting, digital operational resilience testing (including TLPT), and management of ICT third-party risk.
Who Must Report?
DORA applies to: (1) Financial entities — credit institutions, investment firms, insurance and reinsurance undertakings, payment institutions, e-money institutions, crypto-asset service providers, central counterparties, and others. (2) ICT third-party service providers designated as critical. Micro-enterprises may be exempt. The regulation entered into force January 2023; application from January 2025.
Deadlines
DORA entered into force January 16, 2023. Application starts January 17, 2025. RTS and ITS apply from later dates. Financial entities must have ICT risk management frameworks, incident reporting procedures, resilience testing (including TLPT where required), and third-party risk management in place.
DORA vs Other Standards
DORA vs NIS2: DORA targets the financial sector and ICT providers serving it; NIS2 covers a broader set of sectors. DORA emphasises ICT risk management, resilience testing (TLPT), critical function identification, and contractual/oversight requirements for third parties. Both require incident reporting; DORA has specific classification and notification rules for major ICT incidents.
Why DORA Reporting Software?
Manual DORA reporting takes 12-20 weeks. With Regtrue, teams complete it in 4-8 weeks.
Common DORA Mistakes
- ✕ No ICT risk management framework — DORA requires documented policies and procedures
- ✕ Missing incident classification — major ICT incidents must be identified and reported within tight timelines
- ✕ TLPT not planned or tracked — threat-led penetration testing required for critical entities
- ✕ Third-party and subcontractor inventory incomplete — mapping and oversight obligations
- ✕ Critical functions not identified — needed for resilience testing and reporting
- ✕ No audit trail — cannot demonstrate compliance to supervisors
How Regtrue Helps
- ✓ Guided DORA questionnaire covering ICT risk, incidents, testing, and third-party requirements
- ✓ Incident management with classification and reporting workflow
- ✓ TLPT (Threat-Led Penetration Testing) tracker and planning
- ✓ Critical function mapping and scenario analysis
- ✓ Third-party and contract analysis for information sharing and oversight
- ✓ Board pack and executive summary exports
- ✓ Evidence linking — attach policies, test reports, contracts
- ✓ Export in PDF, JSON, and audit pack for regulators
DORA Evidence Checklist
Evidence required for audit-ready DORA compliance. All can be linked to questionnaire answers in Regtrue.
1. ICT Risk Management Framework: ICT risk management policy, risk appetite, risk assessment methodology, asset inventory, risk register, risk treatment plans
2. Incident Management: Incident response plan, classification criteria, notification procedures, post-incident reviews, major incident reports
3. Resilience Testing: Testing policy, TLPT plan and results, scenario analysis, business continuity and disaster recovery tests
4. Third-Party Risk: Register of ICT third-party providers, criticality assessment, contractual requirements, subcontractor mapping, exit strategies
5. Critical Functions: Identification of critical or important functions, dependency mapping, impact analysis
6. Information Sharing: Information sharing agreements, contract clauses for cooperation with authorities
7. Management and Governance: Board oversight documentation, management body awareness, approval of key policies
Note: All evidence can be linked directly to questionnaire answers in Regtrue. Your export includes a complete evidence pack with traceability map showing which evidence supports which answer.
DORA Export Formats
Export your DORA report in any format auditors need. Each export includes full evidence traceability.
PDF Report
Human-readable DORA compliance report for management, board, and supervisory authorities.
JSON Data
Structured compliance data for integration with GRC and risk platforms.
Audit Pack (ZIP)
Complete evidence bundle: questionnaire responses, linked policies, incident procedures, full audit trail.
DORA Reporting Pricing
Simple pricing. DORA module included in all plans. Contact sales for access.
Pro
€199/mo
5 users, all modules
- All compliance modules
- Evidence vault (unlimited)
- AI assistance
- Priority support
Business
€599/mo
20 users, white-label
- White-label reports
- Custom integrations (API)
- Onboarding session
- Invoice billing
Consultant Plan — €349/mo
Managing multiple clients? Unlimited client accounts, bulk operations, and cross-client analytics.
Start Your DORA Report Today
Evidence linking, audit trail, and export packs included. AI suggests, you decide.