DORA applicable since 17 January 2025 — directly across the EU
DORA Regulation (EU) 2022/2554

EU financial entities — the operational resilience regulation, automated.

Secruna ships DORA as a live rule book: 33 IGPs covering the five pillars — ICT risk management framework (Art. 5-16), ICT-related incident management (Art. 17-23), digital operational resilience testing (Art. 24-27), ICT third-party risk (Art. 28-30) including the Article 28 register, and cyber threat intelligence sharing (Art. 45). The output is a one-PDF / one-CSV bundle structured per Pillar → Article → IGP — exactly how a competent-authority supervisor or the ESAs read the file. DORA is a Regulation, not a Directive: it applies directly across the EU with no national transposition step.

Why DORA is the regulation you must ship

Three pressures push DORA up the EU financial-services agenda — in this order.

DORA applies to every EU financial entity in scope of Article 2 — banks, payment institutions, e-money, investment firms, AIFMs, UCITS management companies, insurance and reinsurance, IORPs, central counterparties, trade repositories, credit rating agencies, crypto-asset service providers, central securities depositories, plus the ICT third-party providers serving them. National competent authorities + the ESAs supervise; for designated critical ICT providers, supplemental EU-level supervision kicks in.

Directly applicable EU-wide

Unlike NIS2 (Directive — Member-State transposition), DORA is a Regulation. It applies directly across the EU with no transposition step. The text on EUR-Lex is the authoritative obligation. National competent authorities supervise compliance + the ESAs jointly supervise ICT third-party arrangements under Art. 28+.

Art. 28 register — your AI inventory pre-fills it

Article 28(3) requires every financial entity to maintain a register of information of all contractual arrangements on the use of ICT services. The register lists ICT third-party service providers, the services, the supported business functions, criticality, location, sub-outsourcing chain. Secruna’s AI systems inventory is essentially a partial Art. 28 register — every AI vendor in your tenant is already there. (Non-AI ICT coverage is scaffolded under Plan 134.)

4h / 72h / 1-month incident clock

Art. 19 + Commission Delegated Regulation 2024/1772 set the major-incident reporting timeline: initial notification within 4 hours of classification as major (and no later than 24 hours after becoming aware of the incident), intermediate report within 72 hours, final report no later than one month. The harmonised RTS template applies to all three. Plan 135 will land the Art. 18 major-incident auto-classifier; for v1 the evidence pack surfaces the process state + the manual tagging.

The five-step path

What you have to do at supervision time, in order.

The same five gates apply to every framework Secruna covers, including DORA. Start at step one — the rest only make sense once the entity knows which critical / important functions are in scope and which ICT systems support them.

1. Scope

   Confirm the entity is in DORA Article 2 scope and identify which functions are critical or important. The Art. 28(3) register must distinguish ICT services supporting critical / important functions from other ICT services — the distinction drives every supplemental obligation under Art. 28-30.

2. Discover

   Connect cloud accounts, the identity provider, GitHub + the AI systems inventory. The discovery worker collects the cyber-posture signal once and reuses it across every cyber framework you subscribe to (DORA, NIS2, NCSC CAF). The first scan typically surfaces MFA gaps, untested backups, encryption drift + a half-populated supplier register.

3. Map to DORA

   The rule-book matcher evaluates each of the 33 DORA IGPs against the latest posture artefact + the AI inventory and assigns a verdict — compliant, partial or non-compliant. Verdicts cite the connector signal / inventory entry that drove them so a supervisor traces the evidence from the IGP row back to the source.

4. Close the gaps

   The §3 Gaps surface lists every non-compliant + partial IGP with the connector field that drove the verdict. Remediate at your own cadence; verdicts re-evaluate on every discovery run. The gap list is what the competent authority + the ESAs expect to see in the supervisory review.

5. Generate + submit

   One click produces the evidence pack PDF and CSV. The audit trail captures the last 90 days of platform activity. Filename: secruna-dora-evidence-{tenant}-{date}.pdf. Hand to the national competent authority alongside the harmonised RTS template for major incidents (Art. 20). Submission flows through national channels; Secruna ships the evidence, the entity files it.

Pillar 1 — ICT risk management framework

Articles 5-16 — the governance + technical baseline.

What DORA asks. Pillar 1 covers governance (Art. 5), the written ICT risk management framework (Art. 6), ICT systems / protocols / tools (Art. 7), identification of assets including AI / ML (Art. 8), protection + prevention (Art. 9), detection (Art. 10), response + recovery (Art. 11), backup + recovery procedures (Art. 12), learning + evolving (Art. 13), communication (Art. 14), RTS harmonisation (Art. 15), simplified framework option for microenterprises (Art. 16).

What counts as compliant. A management-body-approved framework with documented policies, procedures and tools; a complete asset identification list (including AI / ML systems supporting business functions); operating detection + response + recovery capabilities; an annual review cycle plus extraordinary reviews on major changes; alignment with the Commission Delegated Regulation 2024/1774 RTS.

What Secruna ships for Pillar 1. 13 rules across Art. 5-16: board-approved governance, framework documented, asset identification reusing the Secruna inventory, secure configuration baseline, centralised audit logging, business-continuity testing, backup + restoration evidence, post-incident learning cycle, crisis communication plan, RTS-alignment audit, and the microenterprise classification check.

See this in your dashboard at: /inventory?framework=dora&pillar=P1 filtered to Pillar 1 IGPs, with per-Article verdict and connector-signal citation.

Pillar 2 — ICT-related incident management

Articles 17-23 — the 4h / 72h / 1-month clock.

What DORA asks. Pillar 2 covers the ICT incident management process (Art. 17), classification of major incidents against the Art. 18(1) + Delegated Regulation 2024/1772 thresholds (services affected, duration, geographic reach, clients affected, economic impact, reputational impact), reporting to the competent authority on the 4h initial / 72h intermediate / 1-month final timeline (Art. 19), harmonised RTS templates (Art. 20), payment-incident overlay (Art. 23).
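The 4h / 72h / 1-month clock described in the incident-clock section and in the Pillar 2 paragraph above, as an added worked example (not Secruna code): a tracker that computes the three report deadlines from the awareness and classification timestamps and flags late or still-overdue reports. It assumes the 72h and one-month windows run from submission of the preceding report (its deadline if unfiled) and reads "one month" as the same calendar day in the following month; the sample incident is constructed.

```python
"""DORA major-incident reporting clock (Art. 19 / Delegated Regulation 2024/1772).
Added example, not Secruna code. Assumptions: initial deadline = earlier of 4h after
classification and 24h after awareness; the 72h and one-month windows run from the
previous report's submission (its deadline if unfiled); "one month" = same day next
month, clamped to month end.
"""
import calendar
from datetime import datetime, timedelta, timezone

STAGES = ("initial", "intermediate", "final")


def add_one_month(ts: datetime) -> datetime:
    """Same calendar day in the following month, clamped to that month's last day."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    return ts.replace(year=year, month=month, day=min(ts.day, calendar.monthrange(year, month)[1]))


def check_reports(aware_at: datetime, classified_at: datetime,
                  submitted: dict) -> dict:
    """Deadline and on-time status per report; `submitted` maps stage -> filing time."""
    if classified_at < aware_at:
        raise ValueError("classification cannot precede awareness")
    deadline = min(classified_at + timedelta(hours=4), aware_at + timedelta(hours=24))
    status = {}
    for stage in STAGES:
        sent = submitted.get(stage)
        status[stage] = {"deadline": deadline, "submitted": sent,
                         "on_time": sent is not None and sent <= deadline}
        anchor = sent if sent is not None else deadline  # next window starts here
        deadline = anchor + timedelta(hours=72) if stage == "initial" else add_one_month(anchor)
    return status


def overdue(status: dict, now: datetime) -> list:
    """Stages still unfiled and already past their deadline at `now`."""
    return [s for s in STAGES if status[s]["submitted"] is None and now > status[s]["deadline"]]


if __name__ == "__main__":
    utc = timezone.utc  # constructed sample incident, not real data
    aware, classified = datetime(2025, 3, 10, 8, tzinfo=utc), datetime(2025, 3, 10, 14, tzinfo=utc)
    filed = {"initial": datetime(2025, 3, 10, 17, 30, tzinfo=utc),
             "intermediate": datetime(2025, 3, 13, 20, tzinfo=utc)}
    report = check_reports(aware, classified, filed)
    for stage, row in report.items():
        print(f"{stage:12} due {row['deadline']:%Y-%m-%d %H:%M}  on_time={row['on_time']}")
    print("overdue on 20 Apr:", overdue(report, datetime(2025, 4, 20, tzinfo=utc)))
```

The sample run shows the initial report filed on time, the intermediate report filed late, and the final report overdue by 20 April.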

What Secruna ships for Pillar 2. Five rules covering the documented incident process, the Art. 18 classification taxonomy (manual today, auto-classification scaffolded under Plan 135), the 4h initial report, the 72h + 1-month follow-ups, the harmonised RTS template adoption and the payment-incident overlay.

See this in your dashboard at: /incidents with the DORA timeline tracker per incident, and /inventory?framework=dora&pillar=P2 for the Pillar 2 rule-book view.

Pillar 3 — Digital operational resilience testing

Articles 24-27 — the testing surface, incl. TLPT.

What DORA asks. Pillar 3 covers the testing programme (Art. 24), the testing of ICT tools and systems including vulnerability assessments + scenario-based testing (Art. 25), threat-led penetration testing (TLPT — Art. 26) for entities designated by the competent authority, and the qualifications required of third-party testers (Art. 27). TLPT is required at least every three years for designated critical entities.

What Secruna ships for Pillar 3. Four rules. Art. 24 testing programme posture, Art. 25 vulnerability assessments + AI-system testing scope, Art. 26 TLPT scope check (tenant-attested in v1 — Secruna does not run pentests), Art. 27 third-party tester qualification evidence. The evidence pack surfaces the entity’s TLPT cycle so the supervisor sees what cadence is being maintained.

See this in your dashboard at: /inventory?framework=dora&pillar=P3 with the testing programme + TLPT cycle surfaced.

Pillar 4 — ICT third-party risk

Articles 28-30 — the Art. 28 register + Art. 30 clauses.

What DORA asks. Pillar 4 is the biggest new surface DORA introduces — and the biggest Secruna sales hook. Art. 28 mandates a register of all ICT third-party arrangements + preliminary due-diligence before contracts + exit strategies for critical functions. Art. 29 requires a concentration-risk assessment. Art. 30 lists the mandatory contractual provisions, with supplemental provisions required for ICT services supporting critical / important functions (KPIs, audit rights, TLPT participation, regulator access).

What Secruna ships for Pillar 4. Eight rules. The Art. 28(3) register reuses our AI systems inventory as a partial register (full ICT third-party coverage scaffolded under Plan 134); a third-party risk policy posture; pre-contract due-diligence template; exit strategy posture per critical-function arrangement; concentration-risk attestation; Art. 30 contract audit; Art. 30(3) supplemental-provisions audit for critical-function contracts; sub-outsourcing chain tracking; critical-provider designation awareness (ESAs list).

See this in your dashboard at: /inventory for the partial Art. 28 register + /inventory?framework=dora&pillar=P4 for the Pillar 4 rule-book view.

Pillar 5 — Information sharing arrangements

Article 45 — voluntary, but supervisor-friendly.

What DORA asks. Article 45 lets financial entities exchange amongst themselves cyber threat information + intelligence (IoCs, TTPs, cybersecurity alerts, configuration tools) within trusted communities of financial entities. Sharing is voluntary but must preserve confidentiality + comply with data-protection rules.

What Secruna ships for Pillar 5. One rule covering membership of a trusted financial-sector CTI community (FS-ISAC, sector CSIRT, regulatory CTI exchange) plus the data-flow posture. The information-sharing IGP feeds back into the Art. 13 learning + evolving cycle so the supervisor sees a closed loop.

EU + UK Cyber Pack

Three frameworks. One platform.

DORA is the tightest framework for EU financial entities; NIS2 is the EU-wide cyber gateway across every regulated sector; NCSC CAF is the UK equivalent for gov + CNI. Every cyber signal Secruna collects is shared across all three — adding another framework costs the rule-book matcher plus the framework-shaped evidence pack, nothing more.

DORA (this page)

EU financial entities only, applicable since 17 January 2025. 33 IGPs across five pillars. Art. 28 register reuses the Secruna AI inventory; full ICT third-party coverage scaffolded under Plan 134.

NIS2

EU cyber gateway across every essential / important sector (banks + critical infrastructure + public admin + many more). 22 IGPs. See NIS2 detail →

NCSC CAF + GovAssure

UK equivalent for gov departments + CNI operators. 31 IGPs. GovAssure-mandated since 2023. See NCSC CAF detail →

See where your DORA posture stands.
In 30 minutes.

A 30-minute scope call maps your tenant estate to the 33 DORA IGPs across five pillars, surfaces the Art. 28 register coverage you already have via the Secruna AI inventory, and identifies which IGPs you can evidence from existing signals today and which need a tenant-supplied attestation. You leave the call with a concrete gap list and a path to a competent-authority-ready evidence pack.

Or call our EU lead — we’re on +48 22 000 0000. (Placeholder — see TODO at the top of this file; the real number lands once the founder confirms it.)