Last Updated on April 17, 2026 by Narendra Sahoo
DORA compliance isn’t optional for financial entities in the EU. The Digital Operational Resilience Act demands a systematic approach to identifying and closing ICT risk gaps, and the data shows most institutions are struggling.
If you’re responsible for DORA compliance, you need a clear roadmap. Let us walk you through exactly how to conduct a gap assessment that actually works. Failure to meet DORA compliance requirements can lead to regulatory penalties and operational disruptions.
1️⃣ What Is a DORA Gap Assessment?
A gap assessment compares your current ICT risk management against DORA’s requirements across five pillars: ICT risk management, incident reporting, digital resilience testing, third-party risk, and information sharing. The goal is simple: identify where you fall short and build a remediation roadmap. A structured DORA gap assessment helps financial entities identify compliance weaknesses before regulators do.
Most organizations think they can handle this internally without external help. That’s partially true, but here’s what you need: sufficient internal expertise in ICT risk frameworks, zero conflict of interest between assessors and system owners, and complete access to contracts, systems, and incident logs.
Your assessor needs to understand Article 6 risk frameworks, Article 25 testing requirements, and the intricate third-party oversight rules in Chapter V. If your internal team lacks this depth, consider bringing in external support for at least the initial assessment. After that, you can manage ongoing monitoring internally.
Case Study: The 4th-Party Concentration Trap
How VISTA InfoSec mapped “Nth-party” risk for an EU Bank.
An EU bank knew its direct vendors but had zero visibility into subcontractors. DORA demands oversight across the entire chain; we discovered three “competing” critical functions that relied on the same sub-processor. VISTA mapped these dependencies, resolving a massive systemic risk before the audit.
The Result: 100% supply chain transparency and a diversified resilience strategy. 🖊️ Whiteboard takeaway: Your resilience is only as strong as the vendor you forgot.
2️⃣ Step 1: Define Your Scope (Weeks 1-2)
Start by mapping every critical ICT asset. Sounds basic, many fail to complete this step during initial scoping exercises. The problem? Organizations forget legacy systems, shadow IT, and subcontracting chains.
Here’s your action list:
- Inventory all systems that support critical or important functions
- Document data flows between systems and third parties.
- Map subcontracting relationships (not just direct vendors)
- Identify business continuity dependencies.
If your cloud provider uses subcontractors for backup services, those are in scope too. If your payment processor relies on a network provider, that’s in scope. Map the entire chain.
3️⃣ Step 2: Inventory Third-Party Arrangements (Weeks 2-4)
Third-party risk is where most gap assessments find the biggest problems.
Build a complete register including:
- Contract terms and SLAs
- Service criticality classifications
- Exit strategies and substitutability
- Subcontracting arrangements
- Data processing locations
For each critical ICT third-party service provider, verify you have contractual clauses covering DORA’s requirements: audit rights, incident notification timelines, data access, and termination assistance.
4️⃣ Step 3: Assess Against DORA Requirements (Weeks 4-8)
Now comes the systematic comparison. Work through each DORA requirement and rate your compliance status. Use a simple scale: compliant, partially compliant, non-compliant, or not applicable.
Focus areas where gaps most commonly appear:
- ICT risk management frameworks: 75% still face gaps in governance, controls, and risk documentation.
- Incident response procedures: Just 48% of organizations report having ICT incident management protocols ready
- Resilience testing: Only 8% of organizations report full compliance with DORA resilience testing requirements
- Penetration testing: Many institutions still lack programs properly scoped to meet Article 25 resilience testing expectations.
For testing requirements, verify your program includes threat-led penetration testing at least every three years and after major changes. Most organizations have some testing in place but haven’t structured it to meet DORA’s specific scenarios and documentation requirements. Understanding DORA compliance requirements is the first step toward building operational resilience.
5️⃣ Step 4: Classify and Prioritize Gaps (Weeks 8-10)
Not all gaps are equal. High-risk findings demand immediate action, while lower-priority items can follow later. In 2025 assessments, high-risk gaps constituted 62% of total findings, suggesting most organizations face material compliance exposures.
Use this priority framework:
- Critical: Gaps creating immediate operational risk or severe regulatory exposure
- High: Significant gaps in core DORA pillars
- Medium: Partial compliance requiring enhancement
- Low: Documentation or minor process improvements
Consider both compliance with risk and operational impact. A missing incident response procedure is both a regulatory gap and a real operational vulnerability that could cost you €4.77 million on average in breach damages.
6️⃣ Step 5: Build Your Remediation Roadmap (Weeks 10-12)
Now translate findings into action. Remediation timelines averaged 18 months for critical gaps, so be realistic about timing and resource requirements.
Structure your roadmap in phases:
Phase 1 (Months 1-3): Quick Wins
- Document missing policies and procedures
- Update third-party contracts with DORA clauses.
- Establish incident classification procedures.
- Implement basic monitoring gaps.
Phase 2 (Months 4-9): Core Remediation
- Enhance the ICT risk management framework.
- Conduct required resilience testing.
- Build comprehensive third-party oversight.
- Establish threat intelligence capabilities.
Phase 3 (Months 10-18): Maturity Building
- Integrate continuous monitoring
- Mature testing programs
- Optimize vendor management
- Build information sharing capabilities.
7️⃣ Step 6: Implement Continuous Monitoring (Ongoing)
Here’s where most organizations fail: only 29% implemented continuous monitoring after gap closure. DORA compliance isn’t a one-time project. New systems, vendors, and threats create new gaps constantly.
Establish quarterly check-ins reviewing:
- New third-party arrangements
- System changes affecting critical functions
- Incident trends and lessons learned
- Testing results and findings
- Regulatory guidance updates
Build compliance into your operational rhythm rather than treating it as an annual audit exercise. Throughout implementation of DORA, weak third-party risk management DORA controls remain one of the most common compliance gaps.
Case Study: Fixing the 24-Hour Reporting Panic
How VISTA InfoSec unified incident response for a regional FinTech.
Fragmented teams meant the client couldn’t meet DORA’s strict 24-hour notification windows. VISTA implemented a “Unified Incident Command” dashboard to automate classification and internal handoffs. We replaced manual chaos with a repeatable, high-speed reporting workflow that satisfied regulators.
The Result: Reporting lead time dropped by 80%, ensuring total DORA compliance. 🖊️ Whiteboard takeaway: In a crisis, your process must be a rail, not a riddle.
8️⃣ The Maturity Journey
Regulators covering DORA know what most organizations who lead as examples of proactive industry leading resilience do – continuous improvement is the only way to get there, and progress ranks above perfection.
|
Level |
DORA Compliance Maturity |
|
Level 1 |
Unaware of gaps, reactive approach |
|
Level 2 |
Initial assessment completed, remediation starting |
|
Level 3 |
Core requirements met, testing established |
|
Level 4 |
Integrated resilience program, continuous improvement |
| Level 5 |
Industry-leading resilience, proactive risk management |
Progress matters more than perfection. 90% of entities completed initial gap analysis by late 2024, and 94% engaged actively with requirements. The challenge now is moving from assessment to implementation.
9️⃣ Key Takeaways
Only 6.5% of organizations passed all 116 DORA data quality checks on first attempt, proving this is complex work requiring careful attention to detail. But with 46% of European finance incidents targeting credit institutions, operational resilience isn’t just regulatory compliance—it’s survival.
Start your assessment now. Map your assets, inventory your vendors, and identify your gaps systematically. The January 2025 deadline has passed, but supervisors understand this is an ongoing journey. What matters is demonstrating clear progress and a credible path to full compliance.
Your gap assessment is the foundation. Execute it thoroughly, and you’ll build a resilience program that protects both compliance and operations.
🔟 FAQs
Q1. What is a DORA Gap Assessment and why does my organisation need one?
Gap Assessment evaluates your current ICT controls against the Digital Operational Resilience Act’s requirements to identify where you fall short. Without it, you risk non-compliance penalties and avoidable operational vulnerabilities. It’s essentially your compliance starting point.
Q2. Who within a financial entity is responsible for leading a DORA Gap Assessment?
Typically, it’s a joint effort between your CISO, Chief Risk Officer, and IT leadership — but accountability sits at board level under DORA. Many organisations also bring in a qualified external assessor to ensure objectivity and regulatory credibility.
Q3. How long does a DORA Gap Assessment typically take to complete?
For most mid-sized financial entities, a thorough gap assessment takes anywhere between four to eight weeks. The timeline largely depends on the complexity of your ICT environment, number of third-party providers, and how well your existing documentation is organised.
Q4. Does a DORA Gap Assessment cover third-party and outsourced ICT providers too?
Yes — and this is one area many organisations underestimate. DORA places significant obligations around third-party ICT risk under Article 28, so your gap assessment must evaluate vendor contracts, concentration risk, and sub-outsourcing arrangements as well.
Q5. Can we conduct a DORA Gap Assessment internally, or do we need an external firm?
You can run an internal assessment, but it often lacks the independent perspective regulators expect. An external firm brings specialist knowledge, benchmarking data from similar entities, and an unbiased view that carries far more weight during supervisory reviews or audits.
Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.
