DORA: The 12-Month Reality Check

Pillar-by-pillar self-check for UK and EU financial entities.

Twelve months on from DORA entering into force on 17 January 2025, this paper is a pillar-by-pillar self-check: ICT risk management, incident reporting, digital operational resilience testing, third-party risk and information sharing. Includes a critical-vendor matrix and the four-hour major-incident notification clock.

Download the paper · PDF · 10 pp Related service · Operational Resilience & Business Continuity

02Use this paper when

Scenarios where this paper earns its place on the desk.

01Approaching a regulator engagement on DORA evidence
02Building or refreshing the ICT third-party register
03Scoping the next round of threat-led penetration testing
04Preparing an audit committee paper on operational resilience
05Reviewing readiness for major incident notification under Article 19

03What you'll find inside

Artefacts and templates included with the paper.

ARTEFACT
DORA pillar self-check
ARTEFACT
Third-party criticality matrix
ARTEFACT
Major incident notification timeline
ARTEFACT
TLPT scoping template
ARTEFACT
Article 28 contract clauses

04If this is on your desk

RELATED SERVICE

AUTHOR

Paul Jolliffe

FOUNDER · INFOSECAI · MBA · CISSP · ISO 27001:2022 LA / LI / IA · PRINCE2 Practitioner

Twenty years of senior security leadership across financial services, healthcare, government, telecoms and technology. Independent UK practice founded 2025. Author of the InfoSecAI insights library.

Book a 30-minute working consultation About the practice

DORA: The 12-Month Reality Check

Scenarios where this paper earns its place on the desk.

Artefacts and templates included with the paper.

Operational Resilience & Business Continuity

DORA Toolkit

The FCA First Thirty Minutes

Paul Jolliffe

Get The Brief: practitioner notes on what is changing.