DORA Gap Assessment
A DORA gap assessmentis a structured review that measures a financial entity's current state against DORA's requirements across all five pillars, producing a prioritised list of gaps and remediation actions. It is usually the first engagement in a DORA programme.
What a gap assessment covers
A thorough assessment maps the entity's existing controls, policies, and contracts against each DORA obligation: ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing. It identifies where documentation, governance, or testing falls short and rates each gap by risk and effort.
When you need one
Entities that have not yet mapped their programme to DORA, or that have changed materially since the January 2025 application date, benefit from a baseline. You can get an instant, self-service estimate with our free DORA Readiness Score before commissioning a formal assessment, then compare providers who deliver them.
Frequently asked questions
How long does a DORA gap assessment take?
Typically two to six weeks depending on entity size and the number of ICT third-party arrangements, though a self-service readiness check takes minutes.
Is a gap assessment mandatory under DORA?
No. DORA does not mandate a gap assessment, but it is the standard first step to demonstrate the entity understands and is closing its compliance gaps.
What is the difference between a gap assessment and a DORA audit?
A gap assessment identifies where you fall short and how to fix it; a DORA audit independently verifies compliance, usually after remediation.