DORA Readiness & Assurance for UK and EU Financial Entities
Pillar-by-pillar DORA evidence that survives supervisory scrutiny.
DORA has been in force since 17 January 2025. We help financial entities and ICT third-party providers build the pillar-by-pillar evidence pack: ICT risk management, incident reporting, digital operational resilience testing, third-party risk and information sharing.
02 Typical triggers
When this service is on the desk.
- 01 Regulator letter or DORA self-assessment due
- 02 ICT third-party register needs rebuilding
- 03 Threat-led penetration testing scope being defined
- 04 Major incident notification process untested
- 05 Article 28 contracts need rebuilding
03 Typical outputs
Artefacts that earn the audit, the customer or the board.
- ICT risk management framework and policy set
- Third-party register and Article 28 contract clauses
- Major incident classification and notification timeline
- TLPT scoping and exercise programme
- Audit-committee narrative and board attestation
04 Engagement shapes
Three ways the engagement is typically scoped.
SHAPE 01
Readiness sprint
6–10 weeks to baseline against the five pillars.
SHAPE 02
Pillar build-out
Targeted 4–6 week build on a single pillar (e.g. TPR).
SHAPE 03
Annual retainer
Testing programme support and supervisory submission preparation.
DELIVERED BY
Paul Jolliffe
FOUNDER · INFOSECAI · MBA · CISSP · ISO 27001:2022 LA / LI / IA · PRINCE2 Practitioner
Twenty years of senior security leadership across financial services, healthcare, government, telecoms and technology. Engagements are senior from day one: no subcontracted juniors, no introduce-and-exit.