DORA compliance software for EU financial entities.

DORA ICT-risk register, third-party register with concentration risk flags, TLPT cycle tracker, incident classification per Article 18, register of contractual arrangements. EU-built, EU-hosted. From €299 a month.

What is DORA?

DORA is the EU Digital Operational Resilience Act (Regulation (EU) 2022/2554). It applies to banks, investment firms, payment institutions, insurance and reinsurance undertakings, crypto-asset service providers, central counterparties, trade repositories, and the ICT third-party providers serving them.

Who needs to comply

  • Banks and credit institutions
  • Investment firms, payment and e-money institutions
  • Insurance and reinsurance undertakings
  • Crypto-asset service providers under MiCA
  • Critical ICT third-party providers serving any of the above

Key DORA controls covered by Dazr

Articles 5-15: ICT risk management framework: governance, identification, protection, detection, response & recovery, learning & evolution, communication.
Articles 17-23: ICT-related incident management, classification (Article 18) and reporting.
Articles 26-27: Threat-led penetration testing (TLPT) on at least a 3-year cycle for significant entities.
Articles 28-44: Third-party ICT risk: register of contractual arrangements (Article 28), concentration analysis, exit strategy, sub-contracting controls.

What auditors look for

DORA supervisors look for an ICT-risk framework approved by the management body, a third-party register with concentration analysis, recent TLPT evidence, and a major-incident classification trail. Dazr is built around these four pillars.

How Dazr helps with DORA

  • Maintain the ICT-risk framework as recurring tasks reviewed by the management body
  • Operate the register of contractual arrangements (vendor register) with concentration flags
  • Track TLPT planning, execution and remediation as cyclical tasks (at least every 3 years for significant entities)
  • Run the incident register with Article 18 classification, severity, and the major-incident reporting workflow
  • Hand the supervisor a single PDF audit trail or a read-only audit view

DORA questions, answered.

What is the difference between DORA and NIS2 in this platform?

NIS2 is a directive transposed by member states; DORA is a regulation that applies directly. They overlap on incident reporting and on supply-chain / third-party risk; they differ on TLPT cadence (DORA explicit) and on the register of contractual arrangements (DORA-specific). Dazr lets you enable both; the tasks stay distinct.

Do you support TLPT scoping?

We track the TLPT cycle as a recurring set of tasks (scoping, red-team execution, blue-team review, remediation). The actual TLPT engagement is delivered by an external red team you contract with; Dazr is the system of record.

Can I use Dazr if I am a Tier-1 critical ICT third-party provider?

Yes. The Custom tier covers the multi-entity setup, dedicated CSM and the procurement-friendly contracting that Tier-1 ICT providers typically need.

Where is data hosted?

European Union only. AES-256-GCM at rest. Italian entity, EU jurisdiction.

Ready to start your DORA program?

Free for one user. Pro €29/mo and Enterprise €299/mo are self-serve via Mollie. Custom (from €800/mo) is the only tier on a contract.