DORA
From DORA scoping to a resilience programme the supervisor can read in ten minutes, fitted to your tier and dependencies.
DORA reads like a checklist and runs like an enterprise transformation. I lead the GRC architecture work where the supervisor expects a coherent story across Chapter II, incident reporting, and third-party risk. Here is the shape of a programme that delivers that story without turning your operations team into auditors.
What we deliver
- DORA scoping: Which class of financial entity you are, which articles apply, and which proportionality carve-outs are available to your tier.
- ICT risk management framework: Chapter II in practice, from the board's role and the policy stack down to controls, continuity, and recovery.
- Incident management and reporting: Classification of ICT-related incidents under Article 18, reporting of major ICT-related incidents to the competent authority under Article 19 (initial notification, intermediate report, and final report within the set timelines), and templates that hold up during a real incident.
- Digital operational resilience testing: A testing programme under Chapter IV (Articles 24 to 27). Aikido AI Pentest covers continuous application security. Where the competent authority identifies your entity as one required to carry out threat-led penetration testing under Article 26, we scope the engagement and coordinate a qualified red-team provider that meets the Article 27 tester requirements.
- ICT third-party risk and register of information: The register of information on contractual arrangements under Article 28, the key contractual provisions of Article 30, ICT concentration risk under Article 29, and dependency on critical ICT third-party service providers.
- Board oversight and ownership: DORA makes the management body explicitly responsible for the ICT risk management framework (Article 5). We build the decision cadence, the documentation, and the reporting that let the board own the risk in practice.
How we deliver this service
- In a project: A DORA readiness assessment, gap report, and prioritised remediation plan, typically four to eight weeks.
- In a role at the customer: DORA programme owner inside the organisation for a bounded period, until the board has a real framework to report against.
- As part of a service: Included in Secured by FM CyberSecurity for in-scope financial entities under the threshold, alongside ISO 27001 and NIS2.
Recent insights on DORA
- What the EU Cyber Resilience Act is, and who it covers: The CRA is an EU law that ties cybersecurity rules to CE marking, so a product with digital elements cannot enter the EU market without it.
- What ISO 27001 Lead Implementer certification means for your project: An ISO 27001 Lead Implementer builds your ISMS; a Lead Auditor checks it. Hire the wrong role and your certification project stalls.
- From compliance burden to competitive advantage: How leadership teams move from compliance uncertainty to documented control, with evidence that holds up under investor, customer, or regulatory due diligence.