FRAMEWORK

DORA

The EU's Digital Operational Resilience Act (Regulation 2022/2554). In force since 17 January 2025, with no transition period. Harmonised ICT risk rules for ~22,000 financial entities.

Coverage · DORA (dashboard excerpt, updated 2 min ago)
Framework coverage: 84%
Obligations mapped: 5 pillars
Files on record: 6
7-day trend: +4% this week
Recent activity: Annex IV v4 · Approved; FRIA v2 · Approved; Monitoring plan v1 · Draft
THE OBLIGATION

Five pillars of ICT resilience, mandatory from day one.

DORA gives the EU financial sector a single ICT-resilience rulebook, replacing fragmented requirements across PSD2, MiFID II and Solvency II. It rests on five pillars: ICT risk management, incident management and reporting, digital operational resilience testing, third-party risk management, and cyber threat-information sharing.

It applies to roughly 22,000 financial entities — banks, insurers, investment firms, payment and e-money institutions, and crypto-asset service providers — with no transition period. Critical ICT providers like the major cloud platforms are under direct EU oversight.

At a glance
Applies to: EU financial entities and their critical ICT third-party providers
Your likely role: Financial entity (and in-scope ICT providers)
Key deadline: In force since 17 January 2025 — no transition period
Penalty exposure: Up to 10% of annual turnover or €10m for serious breaches; senior managers up to €1m
ARTEFACTS

The files this framework actually requires.

DORA names an ICT risk framework, a third-party register and testing records. Hael generates and maintains each.

Files · Evidence pack
PDF · ICT Risk Management Framework · v3 · updated 2 min ago · Approved
PDF · Register of Information (third parties) · v2 · updated 14 May · Approved
PDF · Incident Reporting Procedure · v2 · updated 11 May · Approved
PDF · Resilience Testing Record · v2 · updated 04 May · Approved
PDF · ICT Third-Party Risk Policy · v2 · updated 02 May · Approved
PDF · Business Continuity Plan · v1 · updated 28 Apr · Draft

GRC tools tell you these are missing. Hael generates them — from each system's real configuration.

THE DIFFERENCE

A checklist tells you what's missing. Hael puts it on record.

A checklist asks for your ICT risk framework and third-party register. Hael generates both and keeps the register current as vendors change.

Typical GRC tool
ICT Risk Management Framework · upload required
Register of Information (third parties) · upload required
Incident Reporting Procedure · upload required
Resilience Testing Record · upload required
ICT Third-Party Risk Policy · upload required
Business Continuity Plan · upload required

Tracks the gap. You still author every document.

Hael
ICT Risk Management Framework · v3 · Generated 2 min ago · view
Register of Information (third parties) · v2 · Generated · Approved · view
Incident Reporting Procedure · v2 · Generated · Approved · view
Resilience Testing Record · v2 · Generated · Approved · view
ICT Third-Party Risk Policy · v2 · Generated · Approved · view
Business Continuity Plan · v1 · Generated · Draft · view

Generated from each system's real configuration, versioned, and kept current as it changes.

HOW HAEL WORKS

Discover, classify, produce — for DORA.

01 · DISCOVER

Find the systems in DORA scope, including embedded third-party AI.

Inventory · 14 systems
Credit scoring engine · high
HR screening bot · high
Salesforce Einstein · limited

02 · CLASSIFY

Assess each against DORA's risk tiers and obligations.

Risk tier: Prohib. · High · Limited · Min.
Role: Provider · Art. 9 · 11 · 14

03 · PRODUCE

Generate the DORA records, versioned and current.

Generated files
Annex IV v4 · Approved
FRIA v2 · Approved
Monitoring v1 · Draft
COVERAGE

Every obligation, mapped to the control that satisfies it.

Rows are the framework's clauses.

Columns are the controls and files that satisfy them.

Cells update as the underlying configuration changes.

Coverage Map · Obligation → Control
5 obligations · 4 controls · 84% covered
Columns (controls): Risk FW · Incident · Testing · 3rd-party
Rows (obligations): ICT risk mgmt · Incident reporting · Resilience testing · Third-party risk · Info sharing
Selected cell: ICT risk mgmt → Risk FW (v3 · sealed)
MAPPING

Clause by clause.

Obligation | What it requires | Hael control / file | Status
ICT risk-management framework | Documented framework across the five pillars | ICT Risk Management Framework | Approved
Major-incident classification & reporting | Classification and reporting workflow | Incident Reporting Procedure | Approved
Digital operational resilience testing | Periodic and TLPT testing evidence | Resilience Testing Record | Approved
Register of ICT third parties | Live register of information | Register of Information | In progress
Threat-information sharing | Participation and governance | ICT Third-Party Risk Policy | Approved
REUSE

Author once. Satisfy many.

DORA's ICT risk and third-party records overlap heavily with ISO 27001 and SOC 2 security controls, and with the EU AI Act where AI is part of a financial entity's ICT estate — build the control once, evidence it across all three.

→ shared evidence: ISO/IEC 27001 · SOC 2 · EU AI Act

Trust & Security
SOC 2 Type II · ISO/IEC 27001 · EU & US data residency · SSO / SCIM · Encryption in transit & at rest · Audit logging

Already mandatory — evidence resilience now, not at the next filing.

DORA has applied since January 2025 with no grace period. Hael produces the ICT risk framework, register and testing records it requires.