RiskWatch
Framework · DORA + ISO 22301 + NIS2 · Updated 2026-05-15

DORA-compliant in 90 days

DORA compliance software for EU-regulated financial entities and the ICT third parties that serve them. Covers all 5 pillars of Regulation (EU) 2022/2554: ICT risk management; the 4h/72h/1mo incident clock; basic resilience testing plus TLPT; ICT third-party risk with the Register of Information and Article 30 contract clauses; and cyber threat intelligence sharing. Cross-mapped to ISO 27001:2022, ISO 22301:2019, NIS2, and the EBA Guidelines so existing evidence carries forward.

  • ICT asset inventory + Articles 5-16 risk framework
  • Article 18 + 19 incident clock: 4 hours · 72 hours · 1 month
  • Article 28 Register of Information + Article 30 contract clauses
  • Articles 26-27 TLPT workspace, TIBER-EU aligned
  • Cross-mapped to ISO 27001 + ISO 22301 + NIS2 + EBA Guidelines

Trusted by chief risk officers, CISOs, and ICT third-party risk leads at banks, insurers, investment firms, and the ICT providers that serve them

What it is

What is DORA compliance software?

DORA compliance software automates the obligations set by the Digital Operational Resilience Act, Regulation (EU) 2022/2554. RiskWatch covers the 5 pillars: ICT risk management (Articles 5-16), ICT-related incident management + reporting on the 4-hour / 72-hour / 1-month cadence (Articles 17-23), digital operational resilience testing including TLPT every 3 years for significant entities (Articles 24-27), ICT third-party risk management with the Register of Information and Article 30 contract clauses (Articles 28-44), and cyber threat information sharing (Article 45). Cross-mapped to ISO 27001:2022, ISO 22301:2019, NIS2 Directive, and EBA Guidelines.

17 Jan 2025
DORA applies in full
Regulation (EU) 2022/2554 applies to every in-scope EU financial entity and to the ICT third-party service providers that serve them
31 Mar 2026
Second RoI submission deadline
Reference date 31 December 2025; registers consolidated by national competent authorities and submitted to the ESAs
6.5%
Of firms passed the ESA RoI dry run
Per the 2024 ESA exercise on nearly 1,000 firms; missing LEIs, incomplete contract data and criticality errors topped the failure list
Why DORA matters for CROs, CISOs, and ICT third-party risk leads

The pillars are clear. The Register of Information is what is breaking.

Financial entities hit four recurring pains around the 31 March 2026 RoI submission and the next basic resilience testing cycle: RoI data quality, incident classification against the 4-hour clock, TLPT scoping for significant entities, and penalty exposure that scales with worldwide turnover.

Pain #1

The Register of Information failed for 93% of firms in the ESA dry run.

Only 6.5 percent of nearly 1,000 firms passed all 116 data quality checks in the European Supervisory Authorities dry-run exercise. The most common failures: incomplete contract data, missing subcontractor information, invalid LEI codes, and incorrect criticality classifications. The RoI module collects Article 28 contractual fields once, validates LEI codes against GLEIF, and produces the ITS template every 31 March.

Pain #2

Major ICT incidents must be reported on a 4-hour, 72-hour, and 1-month cadence.

Article 19 and the incident-reporting RTS (Commission Delegated Regulation (EU) 2025/301) require an initial notification within 4 hours of classifying an incident as major, and in any case within 24 hours of becoming aware of it; an intermediate report within 72 hours of the initial notification; and a final report within one month of the intermediate report. Without the classification criteria operationalised, teams cannot decide in time whether an incident is major (mandatory report) or a significant cyber threat (voluntary notification under Article 19 § 2). RiskWatch ships the classification criteria as a decision flow with the regulatory clock running: the six Article 18 § 1 criteria (clients and counterparts affected, duration, geographical spread, data losses, criticality of services, economic impact) plus reputational impact from the classification RTS (Delegated Regulation (EU) 2024/1772).

Pain #3

Threat-led penetration testing every 3 years for significant entities.

Articles 26 and 27 oblige the financial entities their competent authorities identify for advanced testing (in practice the significant ones) to run threat-led penetration tests (TLPT) at least every three years, with the TLPT RTS aligning the method to the TIBER-EU framework. Scope, tester evidence, threat intelligence, red-team activity and remediation evidence end up spread across the threat-intelligence provider, the red-team provider, the entity's control (white) team and blue team, and the competent authority. The Digital Operational Resilience Testing module ties scope, provider attestations, threat scenarios, and Article 24 § 5 remediation actions into one auditable record.

Pain #4

Penalty math for critical third parties: 1% of daily worldwide turnover, per day, for up to six months.

Critical ICT third-party service providers designated under Article 31 face, under Article 35, periodic penalty payments of up to 1 percent of their average daily worldwide turnover for each day of non-compliance, for up to six months. At the maximum rate over the full period that is about 180 days' worth of 1 percent of a day's turnover, roughly 0.5 percent of annual worldwide turnover, and the base is global turnover, not EU revenue. National competent authorities fine financial entities under their domestic regimes (e.g. up to €5 million in Germany, €1 million for individuals). The Penalty Exposure dashboard converts open gaps into euro-per-day exposure per entity.

What is DORA

Regulation (EU) 2022/2554. Applies since 17 January 2025.

DORA is the Digital Operational Resilience Act, a directly applicable EU regulation that harmonises digital operational resilience requirements across the EU financial sector. It covers banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers authorised under MiCA, market infrastructure, and the ICT third parties that serve them. See the consolidated text at EUR-Lex and supervisory guidance from the ESAs (EBA, EIOPA, ESMA). The Regulation entered into force on 16 January 2023 and has applied to all in-scope entities since 17 January 2025. The ESAs delivered the final draft regulatory and implementing technical standards in two batches (January and July 2024); Commission adoption and publication in the Official Journal followed through 2024 and 2025.

DORA application timeline + supervisory milestones
27 Dec 2022 Regulation (EU) 2022/2554 + Directive (EU) 2022/2556 published in the OJEU
16 Jan 2023 Entry into force; 24-month window before application (the Directive, not the Regulation, needs national transposition)
Jan + Jul 2024 ESAs deliver the final draft RTS + ITS in two batches (ICT risk framework, incident classification, RoI templates; then incident reporting, subcontracting, TLPT); Commission adoption + OJ publication follow through 2024 and 2025
17 Jan 2025 DORA applies in full across all in-scope EU financial entities + ICT third parties
Apr 2025 First Register of Information submission cycle (reference date 31 Mar 2025)
31 Mar 2026 Second Register of Information submission cycle (reference date 31 Dec 2025), stricter validation
Ongoing Articles 31-44 Oversight Framework for designated Critical ICT Third-Party Providers (CTPPs); Article 50 administrative penalties enforced by national competent authorities; RoI submission annual
The 5 pillars of DORA

Five pillars, one platform. Built around the management body.

DORA is risk-based and outcome-driven. The 5 pillars cover ICT risk management (Articles 5-16), incident management + reporting (Articles 17-23), digital operational resilience testing (Articles 24-27), ICT third-party risk management with the Register of Information at the centre (Articles 28-44), and information + intelligence sharing (Article 45). All of them roll up to the management body under Article 5, which approves the framework and reviews it at least annually.

Pillar 1 · ICT risk management

Articles 5-16

Scope: Articles 5-16. ICT risk management framework, governance + control, identification + protection + detection + response + recovery + learning + evolving + communication functions. Annual review by management body. Simplified ICT risk management framework under Article 16 for small and non-interconnected investment firms, exempted payment + e-money institutions, and the other entities Article 16 § 1 lists.

Obligation: Board-approved ICT risk framework, ICT business continuity policy, ICT response + recovery plans, backup + restoration testing, learning + evolution loop.

Pillar 2 · ICT-related incident management + reporting

Articles 17-23

Scope: Articles 17-23. Major ICT incident classification; initial notification within 4 hours of classification and no later than 24 hours after awareness; intermediate report within 72 hours of the initial notification; final report within 1 month of the intermediate report. Significant cyber threats notified on a voluntary basis. Payment-related incidents under Article 23.

Obligation: Incident management process, classification criteria per Article 18, ESA reporting template, root-cause analysis, lessons learned in the ICT risk framework.

Pillar 3 · Digital operational resilience testing

Articles 24-27

Scope: Articles 24-27. Basic testing for all entities: vulnerability assessments, scans, source-code reviews, scenario-based tests, performance + end-to-end tests. Advanced TLPT every 3 years for significant entities under the TIBER-EU framework.

Obligation: Annual test programme, independent testers, remediation tracking under Article 24 § 5, TLPT scope validated by the competent authority, attestation under Article 26 § 7 so the test is recognised by other competent authorities.

Pillar 4 · ICT third-party risk management

Articles 28-44

Scope: Articles 28-44. Register of Information (Article 28), criticality assessment (Article 29), pre-contractual due diligence (Article 28), contractual provisions (Article 30), Oversight Framework for Critical ICT Third-Party Providers (Articles 31-44) operated by Lead Overseer (one of EBA, ESMA, EIOPA).

Obligation: RoI submission by 31 March each year, Article 30 contract clauses for all ICT services, exit strategies for critical or important functions, concentration risk monitoring, subcontracting chain mapping.

Pillar 5 · Information + intelligence sharing

Article 45

Scope: Article 45. Voluntary exchange of cyber threat information + intelligence among financial entities within trusted communities, under arrangements that protect the sensitivity of what is shared and respect confidentiality, competition and data-protection rules (Article 45 § 1). Participation is notified to the competent authority (Article 45 § 3).

Obligation: Where the entity participates, document the arrangement, the participants, the kind of information shared, how the Article 45 § 1 conditions are met, and the Article 45 § 3 notification to the competent authority.

Who must comply

Six in-scope cohorts. Plus every ICT provider serving them.

Article 2 § 1 scopes DORA to 20 categories of financial entity (points (a) to (t)) plus ICT third-party service providers (point (u)). The Oversight Framework for Critical ICT Third-Party Providers (CTPPs) under Articles 31-44 brings cloud, software, data analytics, and data-centre providers into direct supervision when they meet the designation criteria set in the Commission's delegated act (Delegated Regulation (EU) 2024/1502).

Cohort 1 of 6

Credit institutions + banks

Credit institutions as defined in Regulation (EU) No 575/2013 (CRR), the definition DORA Article 3 points to. The largest cohort by headcount and ICT spend. Significant institutions (SREP categories 1-2) face the full TLPT regime under Articles 26-27. Cross-mapped to the EBA Guidelines on outsourcing arrangements and on ICT and security risk management.

Cohort 2 of 6

Investment firms + market participants

Investment firms under MiFID II, central counterparties, central securities depositories, trading venues, trade repositories, securitisation repositories, alternative investment fund managers, UCITS management companies. Significant firms in scope for TLPT.

Cohort 3 of 6

Insurance + reinsurance undertakings

Insurance + reinsurance undertakings under Solvency II, insurance + reinsurance intermediaries, ancillary insurance intermediaries, institutions for occupational retirement provision (IORPs) above the size threshold. EIOPA acts as Lead Overseer for designated CTPPs in this segment.

Cohort 4 of 6

Payments + e-money + crypto

Payment institutions, electronic money institutions, account information service providers, crypto-asset service providers under MiCA, issuers of asset-referenced tokens. Article 23 payment-related incident reporting overlays for credit + payment + e-money institutions.

Cohort 5 of 6

Credit rating agencies + benchmark administrators + crowdfunding

Credit rating agencies, administrators of critical benchmarks, and crowdfunding service providers. DORA catches the data, ratings, benchmark and crowdfunding plumbing alongside the prudentially regulated entities.

Cohort 6 of 6

ICT third-party service providers

Cloud computing services, software, data analytics services, data centres. Direct DORA exposure for entities designated Critical ICT Third-Party Providers under Article 31 by the ESAs (EBA + ESMA + EIOPA). Indirect exposure for every provider serving an FS customer because Article 30 contract clauses are non-negotiable.

How RiskWatch covers DORA

Every module a DORA programme needs, in one platform.

Sixteen modules sharing the ICT asset inventory, evidence vault, and audit trail. Built around the Articles 5-16 lifecycle so the Register of Information, the 4h/72h/1mo incident clock, the basic + advanced testing programme, and the Article 45 sharing record all read from the same source of truth.

DORA Dashboard

Pillar-by-pillar coverage at a glance

Per-entity ICT risk health, RoI submission readiness, open incidents on the 4h/72h/1mo clock, test coverage versus the 3-year cycle, penalty exposure totals in euros.

ICT Asset Inventory

Every asset, every dependency

Article 8 ICT-supported business function inventory. Information assets, ICT assets, data flows, dependencies on third parties tagged for Article 28 RoI feeding.

ICT Risk Framework

Articles 5-16 lifecycle

Risk identification, classification, protection + prevention, detection, response + recovery, learning + evolving, communication. Annual review workflow signed by the management body.

Incident Classification

Article 18 + RTS criteria engine

Decision flow across the seven Article 18 criteria: clients affected, reputational impact, duration, geographical spread, data losses, criticality, economic impact. Major / non-major / significant cyber threat output with audit trail.

Incident Reporting Clock

4 hours · 72 hours · 1 month

Article 19 reporting workflow. Initial notification within 4 hours of classification, intermediate report within 72 hours, final report within 1 month. Submission via national competent authority channel with ITS template.

DRT Test Programme

Article 24-25 basic testing

Vulnerability assessments, scans, source-code reviews, scenario-based tests, performance + end-to-end tests, physical security reviews. Annual programme, independent tester evidence, remediation under Article 24 § 5.

TLPT Workspace

Article 26-27 threat-led pen testing

TIBER-EU aligned. Threat intelligence provider, red team and blue team coordination, scope validated by the competent authority, attestation under Article 26 § 7 for mutual recognition across competent authorities. Run at least every 3 years for significant entities.

Register of Information

Article 28 RoI builder + GLEIF validation

All ICT third-party contractual arrangements captured once. ITS template fields populated, LEI codes validated against GLEIF, criticality flags applied, subcontractor chain mapped, 31 March submission generated as CSV + XBRL.

Third-Party Due Diligence

Article 28-29 pre-contractual diligence

Vendor questionnaires, criticality scoring, concentration risk indicators, ESG + sub-outsourcing chain capture, gap-to-DORA contract clauses identified before signature.

Contract Clause Manager

Article 30 mandatory provisions

Article 30 § 2 clauses for all ICT services and § 3 additional clauses for critical or important functions. Termination rights, exit strategy, audit + access rights, location of data + processing, subcontracting + change management, security + business continuity.

Exit Strategy Builder

Article 28 § 8 exit plans

For critical or important functions: exit triggers, transition plan, alternative provider readiness, data-portability testing, severability + reversibility milestones reviewed annually.

CTPP Oversight Tracker

Articles 31-44 Lead Overseer evidence

When a third party is designated a Critical ICT Third-Party Provider, surface oversight recommendations, follow-up actions, and Article 42 enforcement signals. Useful both for FS entities consuming CTPPs and for ICT providers preparing for designation.

Concentration Risk Map

Article 29 portfolio view

Visualise concentration of critical or important functions on a single provider or a small set, factor in sub-outsourcing chains, geographic concentration, and single-point-of-failure flags. Feeds the Article 28 § 2 strategy on ICT third-party risk.

Cross-Framework Mapping

ISO 22301 + ISO 27001 + NIS2 + EBA Outsourcing

DORA Article 5 ↔ ISO 27001 A.5.1 + A.5.2 + ISO 22301 Clause 5 + NIS2 Article 20 § 1 and Article 21 § 2(a). Score one control, satisfy four regimes for financial entities already under ISO 27001 + ISO 22301.

Resilience Scoreboard

Business-function recovery objectives

RTO + RPO + impact tolerance per ICT-supported business function. Aligns to Bank of England + PRA SS1/21 Operational Resilience expectations for UK groups and the FSB Cyber Lexicon.

Audit Trail

Who changed what, answered instantly

Timestamped log of every RoI field edit, incident reclassification, test scope change, contract clause update. Exportable as evidence for national competent authorities and Lead Overseers.

Key Articles deep-dive

From Article 5 governance to Article 45 sharing, the spine of DORA.

DORA articles cluster cleanly by pillar. Articles 5-16 carry the ICT risk management framework with the management body in Article 5. Articles 17-23 carry incident management + reporting plus the payment-related overlay. Articles 24-27 carry basic testing and the TLPT regime aligned to TIBER-EU. Articles 28-44 carry third-party risk: the Register of Information (Article 28), contract clauses (Article 30), the Oversight Framework (Articles 31-44). Article 45 carries information sharing. Each Article links to RTS or ITS adopted in 2024 that operationalise the language.

Articles 5-16 ICT risk management: governance, identification, protection, detection, response, recovery, learning, evolving, communication, simplified regime
Articles 17-23 incident management: process (Art 17), classification criteria (Art 18), reporting timelines + ITS template (Art 19), payment-related overlay (Art 23)
Articles 24-27 testing: basic annual programme (Art 24-25), advanced TLPT every 3 years under TIBER-EU for significant entities (Art 26-27)
Articles 28-44 ICT third-party risk: RoI + key principles (Art 28), criticality + concentration (Art 29), contract clauses (Art 30), CTPP designation + oversight (Art 31-44)
Article 45 information sharing: voluntary cyber threat intelligence exchange among financial entities in trusted communities
DORA Articles by pillar
Art. 5 Management body accountability
Art. 8 ICT asset + function inventory
Art. 11 Response + recovery + BCP
Art. 17 Incident management process
Art. 18 Major-incident classification criteria
Art. 19 4h / 72h / 1mo reporting clock
Art. 24-25 Basic resilience testing programme
Art. 26-27 TLPT under TIBER-EU every 3 yrs
Art. 28 Register of Information builder
Art. 30 Contract clause § 2 + § 3 library
Art. 31-44 CTPP oversight evidence
Art. 45 Threat intelligence sharing record
12 Article clusters + Article 50 penalties; annual review by management body
DORA + NIS2 + ISO 22301 + ISO 27001 crosswalk

Score one control. Satisfy four regimes.

EU financial entities running ISO/IEC 27001:2022 + ISO 22301:2019 already cover roughly 70-80 percent of DORA Articles 5-16. Add NIS2 (Directive (EU) 2022/2555) for shared infrastructure and EBA Guidelines for outsourcing, and the same control answer satisfies four regimes. RiskWatch maps every DORA Article to the ISO clause, the ISO 27001 Annex A control, and the NIS2 Article 21 + 23 obligation.

DORA | Duty | ISO 22301:2019 | ISO/IEC 27001:2022 | NIS2 Directive
Articles 5-6 | ICT risk management framework + governance | Clause 5 Leadership + Clause 6 Planning | Clause 5 Leadership + Annex A 5.1 Policies + 5.2 Roles | Article 20 § 1 management body accountability
Article 8 | Identification of ICT-supported business functions + assets | Clause 8.2.2 Business impact analysis | Annex A 5.9 Inventory of information + other associated assets | Article 21 § 2(a) risk analysis + information system security
Articles 9-10 | Protection + prevention + detection of ICT incidents | Clause 8.3 Business continuity strategies + solutions | Annex A 8.7 Protection against malware + 8.16 Monitoring activities | Article 21 § 2(b) incident handling + (e) security in acquisition, development + maintenance
Article 11 | Response + recovery + ICT business continuity policy | Clause 8.4.4 Business continuity plans + 8.4.5 Recovery + Clause 8.5 Exercise programme | Annex A 5.29 Information security during disruption + 5.30 ICT readiness for business continuity | Article 21 § 2(c) business continuity + crisis management
Article 12 | Backup policies + restoration + recovery procedures | Clause 8.4.5 Recovery | Annex A 8.13 Information backup | Article 21 § 2(c) backup management + disaster recovery
Articles 17-18 | ICT-related incident management process + classification | Clause 8.4.2 Response structure | Annex A 5.24-5.27 Incident management planning, assessment, response + lessons learned | Article 23 incident reporting (24h / 72h / 1mo cadence)
Article 19 | Reporting major incidents: 4h initial / 72h intermediate / 1mo final | Clause 8.4.3 Warning + communication | Annex A 5.5 Contact with authorities | Article 23 § 4: early warning 24h, incident notification 72h, final report 1mo
Articles 24-25 | Basic digital operational resilience testing programme | Clause 8.5 Exercise programme | Annex A 8.29 Security testing in development + acceptance + 8.34 Protection of information systems during audit testing | Article 21 § 2(f) assessing the effectiveness of measures
Articles 26-27 | Threat-led penetration testing every 3 years for significant entities | Not directly covered | Annex A 8.29 Security testing in development + acceptance | Not directly required (NIS2 references resilience testing in general)
Articles 28 + 30 | Register of Information + contract clauses | Clause 8.3 Business continuity strategies + solutions (supplier dependencies) | Annex A 5.19-5.22 Supplier relationships + ICT supply chain | Article 21 § 2(d) supply chain security + Article 22 EU-coordinated risk assessments
Article 45 | Voluntary cyber threat information + intelligence sharing | Clause 7.4 Communication | Annex A 5.6 Contact with special interest groups + 5.7 Threat intelligence | Article 29 cybersecurity information-sharing arrangements

Sources: ISO/IEC 27001:2022 + ISO 22301:2019 standards, NIS2 Directive (EU) 2022/2555, EBA/GL/2019/02 + EBA/GL/2019/04 Guidelines, EIOPA Guidelines on ICT security + governance (EIOPA-BoS-20/600), ENISA NIS2 implementation guidance.

Cross-framework mapping

Answer once. Satisfy DORA + NIS2 + ISO 22301 + ISO 27001.

EU financial entities typically run four regimes in parallel: DORA for digital operational resilience, NIS2 for shared infrastructure, ISO 27001:2022 for information security management, and ISO 22301:2019 for business continuity management. RiskWatch maps the Article 5 governance, Article 11 BCP, Article 17-19 incident pipeline, and Article 28 third-party register to their ISO + NIS2 counterparts so a single evidence set satisfies all four. Customers running the four in parallel reduce combined audit prep by 55-65 percent.

ISO 22301 Clause 8.4.4 + ISO 27001 A.5.29-5.30 ↔ DORA Article 11 ICT business continuity
ISO 27001 A.5.24-5.27 ↔ DORA Articles 17-19 incident management + reporting
ISO 27001 A.5.19-5.22 ↔ DORA Articles 28 + 30 third-party + contract clauses
NIS2 Article 21 § 2 catalogue + Article 23 reporting ↔ DORA Articles 5-16 + 17-19
EBA Guidelines on outsourcing arrangements ↔ DORA Articles 28-30 third-party programme
One assessment, one control library: ISO 27001 · SOC 2 · HIPAA · NIST CSF · PCI DSS · GDPR
8-step compliance roadmap

From ICT asset inventory to Article 45 sharing, in eight ordered steps.

The order matters. Asset inventory before risk framework, framework before RoI, RoI before contract re-papering, contracts before the incident clock, incident clock before basic testing, basic testing before TLPT, TLPT before the annual management body review. RiskWatch enforces the order so nothing skips ahead and nothing gets left behind.

01

Inventory ICT-supported business functions + assets

Article 8 information + ICT asset inventory. Map functions to applications, infrastructure, data flows, third parties. Identify critical or important functions early because the Article 28 + Article 30 + Article 11 obligations track them.

02

Stand up the Article 5-16 ICT risk management framework

Board-approved policy, identification + protection + detection + response + recovery + learning + evolving + communication functions, annual review by the management body. Pull from your existing ISO 27001 + ISO 22301 base where present.

03

Build the Register of Information (Article 28)

Every ICT third-party contractual arrangement, LEI codes validated, criticality flags applied, subcontractors mapped. Reference date 31 December, submission to national competent authority by 31 March each year.
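The three failure classes from the ESA dry run named in Pain #1 above (invalid LEI codes, missing subcontractor data, wrong criticality flags) can be caught before submission with a few offline checks. What follows is an added example written for this page, not RiskWatch code and not the ESAs' official validation rules: the LEI check implements ISO 17442 check digits (ISO/IEC 7064 MOD 97-10, the same arithmetic as IBAN); the row fields and the three register-level rules are illustrative assumptions; and the sample register is constructed, with LEIs generated so the checksum is right but identifying no real entity. A checksum-valid LEI can still be lapsed, retired or unknown to GLEIF, so the online GLEIF lookup stays a separate step after this gate.

```python
"""Register of Information (RoI) pre-submission checks (added example, see lead-in)."""
import re
from dataclasses import dataclass

LEI_RE = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")  # ISO 17442: 18 alphanumerics + 2 check digits


def _as_number(s: str) -> int:
    """ISO/IEC 7064 MOD 97-10 expansion: digits unchanged, A=10 ... Z=35, read as one integer."""
    return int("".join(str(int(c, 36)) for c in s))


def lei_check_digits(base18: str) -> str:
    """Check digits for an 18-character LEI prefix (same arithmetic as IBAN)."""
    return f"{98 - _as_number(base18.upper() + '00') % 97:02d}"


def is_valid_lei(lei: str) -> bool:
    """Syntax + checksum only. A checksum-valid LEI can still be lapsed, retired or unknown
    to GLEIF; that status needs the online GLEIF lookup, which this offline check does not do."""
    return bool(LEI_RE.fullmatch(lei)) and _as_number(lei) % 97 == 1


@dataclass
class RoiRow:
    """One contractual arrangement. Field names are illustrative, not ITS column names."""
    contract_ref: str
    provider_name: str
    provider_lei: str
    ict_service: str
    supports_cif: bool                     # service supports a critical or important function
    criticality: str                       # "critical" or "non-critical" (assumed house vocabulary)
    rank: int = 1                          # 1 = direct provider, 2+ = subcontractor in the chain
    parent_ref: str = ""                   # contract_ref of the arrangement this row subcontracts
    declares_subcontracting: bool = False  # direct provider states that it subcontracts


def validate_register(rows: list) -> dict:
    """Return {contract_ref: [errors]} for failing rows; an empty dict means the register is clean.
    The register-level rules are assumptions modelled on the dry-run failure classes."""
    refs = {r.contract_ref for r in rows}
    parents_with_chain = {r.parent_ref for r in rows if r.rank > 1}
    report = {}
    for r in rows:
        errs = []
        for name in ("contract_ref", "provider_name", "ict_service"):
            if not getattr(r, name).strip():
                errs.append(f"required field '{name}' is empty")
        if not is_valid_lei(r.provider_lei):
            errs.append(f"provider LEI '{r.provider_lei}' fails format or checksum")
        if r.supports_cif and r.criticality != "critical":
            errs.append(f"supports a critical or important function but criticality is '{r.criticality}'")
        if r.rank > 1 and r.parent_ref not in refs:
            errs.append(f"rank-{r.rank} subcontractor but parent arrangement '{r.parent_ref}' is not in the register")
        if r.rank == 1 and r.declares_subcontracting and r.contract_ref not in parents_with_chain:
            errs.append("subcontracting declared but no rank-2+ rows reference this arrangement")
        if errs:
            report[r.contract_ref or "<no ref>"] = errs
    return report


# Constructed sample register. The LEIs are generated so their check digits are right;
# they are fictitious and identify no real legal entity.
LEI_CLOUD = "529900EXAMPLE00001" + lei_check_digits("529900EXAMPLE00001")
LEI_DC = "529900EXAMPLE00002" + lei_check_digits("529900EXAMPLE00002")
LEI_TYPO = LEI_DC[:-1] + ("0" if LEI_DC[-1] != "0" else "1")  # one check digit wrong
SAMPLE_ROWS = [
    RoiRow("C-001", "Example Cloud BV", LEI_CLOUD, "cloud hosting", True, "critical",
           declares_subcontracting=True),
    RoiRow("C-001-S1", "Example DC GmbH", LEI_DC, "data centre", True, "critical",
           rank=2, parent_ref="C-001"),
    RoiRow("C-002", "Example Analytics SA", LEI_TYPO, "data analytics", False, "non-critical"),
    RoiRow("C-003", "Example Payments Ltd", LEI_CLOUD, "payment gateway", True, "non-critical",
           declares_subcontracting=True),
    RoiRow("C-004-S1", "Orphan Sub SRL", LEI_DC, "backup storage", False, "non-critical",
           rank=2, parent_ref="C-004"),
]

if __name__ == "__main__":
    for ref, errs in validate_register(SAMPLE_ROWS).items():
        print(ref, "->", "; ".join(errs))
```

Run it and the report names C-002 (bad check digit), C-003 (service behind a critical or important function flagged non-critical, and subcontracting declared with no chain rows) and C-004-S1 (a subcontractor whose parent arrangement is missing); C-001 and its rank-2 subcontractor pass. Keep the check-digit test as the first gate: a checksum failure is a typo in your own data, and no GLEIF call will fix it.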

04

Update contracts to Article 30 § 2 + § 3 clauses

Termination + exit, audit + access rights, location of data + processing, security + business continuity, change + subcontracting management, service-level + recovery objectives. Re-paper legacy agreements, critical or important functions first: an arrangement that lacks the clauses is itself a DORA gap, and a provider that refuses them is an exit-strategy trigger.

05

Wire the incident classification + reporting clock

Article 18 criteria and RTS thresholds operationalised as a decision flow. Initial notification within 4 hours of classification and within 24 hours of awareness, intermediate within 72 hours of the initial notification, final within 1 month of the intermediate report. Connect to the national competent authority reporting channel and the ITS template format.
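The clock in this step, and in Pain #2 above, computed from the two timestamps that matter. This is an added example for this page, not RiskWatch code: it encodes the deadlines as DORA Article 19 and Delegated Regulation (EU) 2025/301 set them (initial notification 4 hours after classification but no later than 24 hours after awareness; intermediate report 72 hours after the initial notification; final report one month after the intermediate), treats "one month" as a calendar month clamped to month end (an assumption about counting), and does not model the RTS weekend and public-holiday relief for the initial deadline. The scenario timestamps are constructed.

```python
"""Article 19 reporting deadlines from the incident timestamps (added example, see lead-in)."""
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Deadlines:
    initial: datetime            # initial notification due
    intermediate: datetime       # intermediate report due
    final: datetime              # final report due
    capped_by_awareness: bool    # True when 24h-from-awareness bit before 4h-from-classification


def add_one_month(t: datetime) -> datetime:
    """Same day next calendar month, clamped to that month's last day (assumed reading of
    'one month'; 31 Jan -> 28 or 29 Feb)."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return t.replace(year=year, month=month, day=min(t.day, monthrange(year, month)[1]))


def reporting_deadlines(aware_at: datetime, classified_at: datetime,
                        initial_sent_at: Optional[datetime] = None,
                        intermediate_sent_at: Optional[datetime] = None) -> Deadlines:
    """Deadlines under Article 19 + RTS 2025/301. Timestamps must be timezone-aware."""
    if classified_at < aware_at:
        raise ValueError("an incident cannot be classified before the entity is aware of it")
    by_classification = classified_at + timedelta(hours=4)
    by_awareness = aware_at + timedelta(hours=24)   # the cap that bites on slow classification
    initial = min(by_classification, by_awareness)
    # 72h runs from the actual initial notification; until it is sent, plan from its due time
    intermediate = (initial_sent_at or initial) + timedelta(hours=72)
    # final report: one month after the intermediate report (planned from its due time if unsent)
    final = add_one_month(intermediate_sent_at or intermediate)
    return Deadlines(initial, intermediate, final, by_awareness < by_classification)


def remaining_hours(d: Deadlines, now: datetime) -> dict:
    """Hours left on each report; negative means overdue. Feed this to the dashboard."""
    return {name: (getattr(d, name) - now).total_seconds() / 3600
            for name in ("initial", "intermediate", "final")}


# Constructed scenario (not a real incident): awareness Friday 09:00 UTC, classification as
# major only 23 hours later. The 24h cap, not the 4h rule, sets the initial deadline.
AWARE_AT = datetime(2026, 3, 6, 9, 0, tzinfo=timezone.utc)
LATE_CLASSIFICATION = reporting_deadlines(AWARE_AT, AWARE_AT + timedelta(hours=23))
PROMPT_CLASSIFICATION = reporting_deadlines(AWARE_AT, AWARE_AT + timedelta(hours=1))
END_OF_JANUARY = datetime(2026, 1, 31, 12, 0, tzinfo=timezone.utc)  # month-end clamp check

if __name__ == "__main__":
    for label, d in (("late classification", LATE_CLASSIFICATION),
                     ("prompt classification", PROMPT_CLASSIFICATION)):
        print(label, "| capped by 24h rule:", d.capped_by_awareness)
        for name, hours in remaining_hours(d, AWARE_AT).items():
            print(f"  {name:<12} due {getattr(d, name):%Y-%m-%d %H:%M} UTC ({hours:.0f}h after awareness)")
```

The point of the two scenarios is the cap: classify 23 hours after awareness and the initial notification is due in 1 hour, not 4. Recompute the object when the initial and intermediate reports actually go out, since the later clocks run from submission, and check the RTS text for the weekend relief before relying on an initial deadline that lands on a Saturday.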

06

Run the Articles 24-25 basic testing programme

Annual vulnerability scans, source-code reviews, scenario tests, performance tests, physical security reviews. Track remediation under Article 24 § 5. Independent tester evidence retained for the supervisor.

07

Scope + run TLPT every 3 years (significant entities)

Articles 26-27. TIBER-EU framework, scope validated by the competent authority, threat intelligence + red team providers meeting the Article 27 tester requirements, attestation under Article 26 § 7. Output feeds Article 24 § 5 remediation.

08

Operate Article 45 information sharing + annual review

Voluntary participation in trusted communities for cyber threat intelligence. Annual ICT risk framework review by the management body. Lessons-learned loop closes back into Articles 5-16.

Article 50 penalties + CTPP enforcement

CTPPs: 1% of daily worldwide turnover per day. Entities: national ceilings such as €10M. Individuals: up to €1M.

DORA Article 50 obliges Member States to lay down effective, proportionate, and dissuasive administrative penalties, and national regimes are now in place across the EU. For Critical ICT Third-Party Providers, Article 35 lets the Lead Overseer impose periodic penalty payments of up to 1 percent of the provider's average daily worldwide turnover per day of non-compliance, for up to six months. Practical exposure scales with global turnover, not EU revenue.

1% per day · up to 6 months
CTPP · periodic penalty

Article 35. Designated Critical ICT Third-Party Providers face periodic penalty payments of up to 1 percent of average daily worldwide turnover, applied per day, for up to six months. At the maximum rate for the full period that adds up to roughly 180 times 1 percent of a day's turnover, about 0.5 percent of annual worldwide turnover.

Up to €10M
Entities · national regimes

Member-state ceilings vary. Ireland: the larger of €10 million or 10 percent of total annual turnover. Germany: up to €5 million. Italy: up to 10 percent of total annual turnover. Always check the national competent authority enforcement decision register.

Up to €1M
Individuals · senior accountable

Several Member States make senior individuals personally liable for serious DORA breaches under domestic financial services law. Germany sets a €1 million ceiling for individuals; Ireland and the Netherlands apply similar individual-accountability provisions tied to fit-and-proper testing.

Source: Article 35 + Article 50 of Regulation (EU) 2022/2554 plus national implementing acts in Germany (FinmadiG), Ireland (Central Bank Acts), Italy (Legislative Decree 23/2025), and other Member States.

RiskWatch vs alternatives

How RiskWatch compares to Drata, Vanta, and Panorays

Public feature comparison drawn from each vendor's own DORA product pages (audited 2026-05-15) plus aggregated G2 and Capterra commentary. DORA software covers three different jobs: GRC compliance automation (Drata + Vanta), third-party risk specialist (Panorays + ProcessUnity), and integrated FS operational resilience (RiskWatch). Many EU financial entities need more than one. The right buying decision usually starts with identifying who owns the Register of Information.

Capability | RiskWatch | Drata | Vanta | Panorays
Article 28 Register of Information builder + ITS XBRL output | Yes, native, GLEIF LEI validation + 31 March submission generator | Partial, DORA framework library, manual RoI assembly | Partial, DORA framework library, manual RoI assembly | Partial, focus is vendor questionnaire + risk score
Article 18 incident classification engine (7 criteria) | Yes, decision flow with audit trail per incident | Partial, evidence collection only | Partial, evidence collection only | No
Article 19 reporting clock (4h / 72h / 1mo) with ITS template | Yes, timer-driven workflow + ITS-aligned export | Manual | Manual | No
Articles 26-27 TLPT workspace (TIBER-EU) | Yes, scope + threat intel + red team + remediation tracking | No native TLPT module | No native TLPT module | No
Article 30 contract clause manager | Yes, § 2 + § 3 clause library, re-paper workflow | Template repository | Template repository | Partial, captured via questionnaire
Article 28 § 8 exit strategy builder | Yes, dedicated, with severability + portability milestones | Template | Template | No
DORA + NIS2 + ISO 22301 + ISO 27001 cross-mapping | Yes, configurable, score-once-satisfy-four | Yes, 30+ framework Common Controls | Yes, framework library | Yes, third-party-only scope
CTPP oversight evidence (Articles 31-44) | Yes, Lead Overseer recommendation + Article 42 follow-up tracking | No | No | Partial, vendor-side risk view
Cyber threat intelligence sharing (Article 45) | Yes, structured community + ISAC integration record | No | No | No
Pricing transparency | Quote per scope + framework count, no surprise renewal jumps | Quote-only, scales with org size | Quote-only, criticised for renewal jumps | Quote-only
ROI + outcomes

DORA programmes that survive the supervisor

Real CROs, CISOs, and ICT third-party risk leads running DORA on top of ISO 27001 + ISO 22301. Composite benchmarks from RiskWatch deployments. The biggest single ROI lever: turning the Register of Information from an annual scramble into a continuous record.

93%
Of firms failed the ESA RoI dry run on data quality
Only 6.5 percent of nearly 1,000 firms passed all 116 quality checks; the most common failures were incomplete contracts, missing subcontractor data and invalid LEI codes
8 weeks
ICT asset inventory to first RoI dry submission
Composite from RiskWatch deployments running DORA on top of an existing ISO 27001 + ISO 22301 base
1% per day
Article 35 periodic penalty reach for CTPPs
Up to 1 percent of average daily worldwide turnover per day, for up to 6 months (about 0.5 percent of annual worldwide turnover at the maximum); national CA fines under Article 50 layer on top per Member State regime
"The RoI builder picked up subcontractor gaps in our own data within minutes. The 4-hour / 72-hour / 1-month reporting clock is now a workflow, not a Teams thread."
Luca P., Head of ICT Risk · EU bank · 6,200 employees · SREP category 2

"We sell SaaS into EU banks. The Article 30 contract clause manager and the exit-strategy module are why we kept three top-five accounts through procurement re-papering."
Erika M., VP Trust · ICT third-party · 480 employees · CTPP candidate

"Cross-mapping DORA to our ISO 27001 + ISO 22301 + NIS2 evidence cut prep time on the second RoI submission by more than half. One control score, four regimes."
Jana K., Director of Compliance · Insurer · 2,800 employees · EU + UK regulated
Who uses RiskWatch for DORA

Six ICPs running DORA on the same platform.

Bank, insurer, investment firm, ICT provider. EU domicile, UK group with EU branches, US or APAC parent with EU subsidiaries. The pillars are universal; the management body, the criticality classification, and the test scope set the work.

ICP 1 of 6

CROs + CISOs at EU-regulated financial entities

Banks, investment firms, insurers, payments. Primary buying centre. Reports to management body under Article 5. Owns the ICT risk framework, the 4h/72h/1mo incident clock, and the test programme. Cross-maps to EBA Guidelines on ICT + security risk management + Solvency II + MiFID II.

ICP 2 of 6

ICT third-party risk leads

Owns the Register of Information, the Article 30 contract programme, exit strategies, and concentration risk reporting. This is the single most resource-consuming workstream in DORA: according to Deloitte (2025), 46 percent of institutions named the RoI as the most challenging requirement.

ICP 3 of 6

ICT third-party service providers serving FS

Cloud, software, data analytics, data centres. Indirect exposure today via Article 30 contract clauses imposed by FS customers. Direct exposure if designated a Critical ICT Third-Party Provider under Article 31 by EBA / ESMA / EIOPA Lead Overseers.

ICP 4 of 6

UK groups operating in the EU under SS1/21

UK PRA-regulated firms running EU subsidiaries face DORA in the EU branch and PRA Operational Resilience SS1/21 + Bank of England + FCA expectations in the UK. RiskWatch maps the impact-tolerance + important-business-services language to DORA pillars.

ICP 5 of 6

EU branches of US + APAC financial groups

The EU subsidiaries of Goldman, JPM, Morgan Stanley, Mizuho, Sumitomo, and MUFG are in scope. Headquarters group standards (NIST CSF 2.0 + FFIEC CAT + APRA CPS 230) cross-map. RoI submission still happens in the EU subsidiary's jurisdiction.

ICP 6 of 6

Crypto-asset service providers + MiCA scope

Crypto-asset service providers authorised under MiCA fall under DORA. The 5 pillars apply alongside MiCA + AML + CRR. Particularly acute for the RoI submission because most CASPs run a heavy SaaS + exchange stack.

Frameworks alongside DORA

Plus every framework you run with DORA, cross-mapped.

Score one ICT risk control. Satisfy ISO 27001:2022, ISO 22301:2019, NIS2 Directive, and EBA Guidelines on outsourcing simultaneously.

  • NIS2 Directive (EU) 2022/2555 · Sister regulation, non-FS sectors
  • ISO/IEC 27001:2022 · Information security management
  • ISO 22301:2019 · Business continuity management
  • ISO/IEC 27035-1:2023 · Incident management principles
  • ISO/IEC 20000-1:2018 · IT service management
  • ISO 31000:2018 · Risk management guidelines
  • EBA Outsourcing GL · EBA/GL/2019/02
  • EBA ICT + Security GL · EBA/GL/2019/04
  • EIOPA ICT Security GL · EIOPA-BoS-20/600
  • ESMA Outsourcing CCP GL · ESMA70-151-2906
  • PRA SS1/21 + SS2/21 · UK Operational Resilience
  • TIBER-EU · Threat-led penetration testing
  • FSB Cyber Lexicon · G20 reference taxonomy
  • NIST CSF 2.0 · Voluntary, cross-mapped
Free download

DORA Compliance Roadmap (5 Pillars + Register of Information)

A 40-page PDF walking through the eight-step compliance roadmap, the Register of Information field-by-field template, the Article 18 incident-classification decision flow, and the ISO 27001 + ISO 22301 + NIS2 cross-mapping reference. Updated with the 2024 RTS + ITS and the March 2026 RoI submission specifications.

  • 5-pillar obligation checklist with Articles 5-45 references
  • Register of Information ITS template with field-by-field guidance
  • Article 18 + 19 incident classification + 4h/72h/1mo workflow
  • Article 30 § 2 + § 3 contract clause library + exit-strategy template
  • DORA + NIS2 + ISO 27001 + ISO 22301 cross-mapping reference table

No credit card · Updated for 2026 · Instant download

DORA FAQ

What CROs and ICT third-party risk leads ask before they buy

About Regulation (EU) 2022/2554, the 5 pillars, the Register of Information, the 4h/72h/1mo incident clock, TLPT under TIBER-EU, ISO 22301 + ISO 27001 + NIS2 cross-mapping, Article 50 penalties, and how RiskWatch covers all of them.

Ready to ship DORA compliance?

Build your Register of Information this week

Start a 30-day free trial. Full ICT asset inventory, Articles 5-16 risk framework, Article 18 + 19 incident classification + reporting clock, Articles 24-25 basic testing programme, Articles 26-27 TLPT workspace, Article 28 Register of Information builder, Article 30 contract clause manager, Article 28 § 8 exit-strategy module, and cross-mapping to ISO 27001 + ISO 22301 + NIS2 + EBA Guidelines. No credit card.

No credit card required · 30-day free trial · Cancel anytime

Request a Demo