DORA asks financial firms to prove they can take an ICT hit and keep running. Rizzqo makes that resilience something you operate — and test.
DORA holds financial entities to five pillars: ICT risk management, incident reporting, resilience testing, third-party risk and information sharing — all owned by the management body. Rizzqo anchors those pillars in your real systems and ICT providers — so a supervisory review meets a working programme, not a binder.
Financial entities and a simplified regime
DORA applies directly to financial entities across the EU — from banks and payment firms to insurers, investment firms and crypto-asset providers. Most run the full ICT risk-management framework; smaller, less complex entities may use a simplified one. Select a class to see what it means for you.
Full framework entities
The complete ICT risk-management framework
Most financial entities: credit institutions, payment and e-money institutions, investment firms, insurers, market infrastructures and crypto-asset service providers run the full framework.
- Banking, payments, investment, insurance, markets and crypto-asset services
- A documented ICT risk-management framework, reviewed at least yearly
- Resilience testing, and threat-led penetration testing for significant entities
- Major-incident reporting and a register of ICT third-party arrangements
Simplified framework entities
A lighter, proportionate framework
Smaller and less interconnected entities — such as small and non-interconnected investment firms, small payment or e-money institutions and microenterprises — may apply a simplified ICT risk-management framework under Article 16.
- Small and non-interconnected investment firms and payment institutions
- Small institutions for occupational retirement provision and microenterprises
- A proportionate framework: core controls without the full testing programme
- Same duty of continuity, protection and incident reporting, scaled to risk
Financial entities covered
DORA reaches across the financial sector rather than a list of infrastructure sectors. Alongside the entities themselves, critical ICT third-party service providers — cloud, data and software vendors that finance depends on — fall under direct EU oversight.
Financial entities
The regulated firms that must run the ICT risk-management framework.
ICT third-party providers
Technology providers finance relies on; the critical ones face direct EU oversight.
The building blocks DORA expects
DORA is organised around five pillars, broken into concrete obligations every financial entity must implement on the systems it runs and the providers it relies on. With Rizzqo, the framework is something you can see across your real systems and providers — not something you assert.
ICT risk-management framework
A documented framework with strategies, policies and tools to protect all ICT assets, reviewed at least once a year.
Incident management & reporting
A process to detect, classify and report ICT-related incidents, with major-incident notifications to the competent authority.
Response & continuity
ICT business-continuity and response plans so critical functions keep running and recover through disruption.
ICT third-party risk
Manage risk from ICT providers end to end, with key contractual terms and a register of all outsourcing arrangements.
Resilience testing
A testing programme across the estate, including threat-led penetration testing for entities identified as significant.
Detection & monitoring
Mechanisms to promptly detect anomalous activity, ICT network performance issues and potential single points of failure.
Awareness & training
Digital operational resilience awareness programmes and training built into the ICT risk-management framework.
Protection & prevention
Policies, controls and encryption that protect the confidentiality, integrity and availability of ICT systems and data.
Governance & accountability
The management body owns and is accountable for the framework, approves it, oversees it and keeps its knowledge current.
Backup & information sharing
Backup, restoration and recovery procedures, plus arrangements to share cyber-threat information with peers.
A major ICT incident opens a supervisor-facing clock
When an ICT-related incident is classified as major, DORA sets a staged reporting timeline to the competent authority. Rizzqo keeps you ready to meet every stage on time, with the incident’s context already to hand.
Classify the incident
Assess the incident against DORA’s criteria — clients affected, duration, data losses, geographic spread — to decide whether it is major.
Initial notification
Once classified as major, an initial notification to the competent authority, no later than 24 hours after becoming aware.
Intermediate report
Within 72 hours of the initial notification, an update on status, impact and the handling and recovery in progress.
Final report
Within one month, a final report with root cause, remediation applied and the lessons taken from the incident.
Anchored to your critical functions and their dependencies
Resilience is only real if it maps to what your services actually run on — not a generic checklist. Rizzqo grounds your DORA programme in the systems and ICT providers behind your critical functions, so what you show a supervisor is the live state, not a point-in-time binder.
Requirements linked to real assets
Your DORA programme is built on the systems and ICT providers you actually depend on — not a generic checklist that ignores how you really run.
- Grounded in the systems you actually depend on
- See where you really stand, pillar by pillar
- Risk in real money, not a heat-map colour
Owner-routed, evidence at the source
Every requirement has a clear owner and stays backed by current evidence as teams do the work — so the estate is audit-ready, not reconstructed before a supervisory review.
- Clear ownership on every requirement
- Evidence stays current, not reconstructed
- ICT third-party register kept up to date
An incident workflow against the clock
When an incident is major, the clock starts. Rizzqo keeps the 24-hour, 72-hour and one-month reports ready to file, with the context already in place — so each one is filed on time, not improvised.
- 24h, 72h and one-month deadlines tracked
- Incident context ready, not gathered under pressure
- Initial, intermediate and final reports on tap
DORA starts from your ISMS, then goes further
An ISO 27001 ISMS already carries much of DORA’s ICT risk-management framework — risk analysis, access control, encryption, supplier management. Rizzqo builds on that work and adds what DORA asks beyond it: resilience testing, a register of ICT third parties, and staged incident reporting.
Prove resilience before the supervisor asks.
Ground the five pillars in your real systems and ICT providers, and walk into a supervisory review with a live programme — not a binder.
DORA questions, answered
DORA applies to financial entities operating in the EU — including credit institutions, payment and e-money institutions, investment firms, insurance and reinsurance undertakings, insurance intermediaries, crypto-asset service providers, trading venues, central counterparties, central securities depositories, credit rating agencies and crowdfunding service providers. It also brings critical ICT third-party service providers, such as major cloud and software vendors, under direct EU oversight. Rizzqo helps you map your systems and providers to the regulation so the question is settled by evidence, not guesswork.
DORA is built on five pillars: ICT risk management, ICT-related incident management, classification and reporting, digital operational resilience testing, ICT third-party risk management, and information-sharing arrangements. In Rizzqo, each pillar is grounded in the real systems and ICT providers it governs, so you can see where you stand across all five rather than assert it.
Once an ICT-related incident is classified as major, DORA sets a staged timeline to the competent authority: an initial notification no later than 24 hours after becoming aware, an intermediate report within 72 hours of that notification, and a final report within one month. Rizzqo keeps you ready to meet each stage on time, with the incident’s context already to hand.
Yes. DORA overlaps heavily with ISO 27001, and an information-security management system already covers much of the ICT risk-management framework, from risk analysis and incident handling to access control, encryption and supplier security. In Rizzqo both frameworks share the same evidence, so a control you proved for ISO 27001 counts for DORA immediately, leaving only the genuine DORA-specific gaps — resilience testing, third-party register and major-incident reporting — to close.
Article 5 makes the management body ultimately responsible: it must approve, oversee and remain accountable for the ICT risk-management framework, allocate the budget for it and keep its own knowledge current, with liability possible for failures. Because Rizzqo keeps every requirement owned and backed by current evidence, leadership gets a defensible, current view of resilience rather than a point-in-time snapshot.