Skip to main content
DORA Auditor

DORA Gap Assessment

Last updated: 2 authoritative sourcesDORA Auditor Editorial Team

A DORA gap assessmentis a structured review that measures a financial entity's current state against DORA's requirements across all five pillars, producing a prioritised list of gaps and remediation actions. It is usually the first engagement in a DORA programme.

What a gap assessment covers

A thorough assessment maps the entity's existing controls, policies, and contracts against each DORA obligation: ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing. It identifies where documentation, governance, or testing falls short and rates each gap by risk and effort.

When you need one

Entities that have not yet mapped their programme to DORA, or that have changed materially since the January 2025 application date, benefit from a baseline. You can get an instant, self-service estimate with our free DORA Readiness Score before commissioning a formal assessment, then compare providers who deliver them.

Frequently asked questions

How long does a DORA gap assessment take?
Is a gap assessment mandatory under DORA?
What is the difference between a gap assessment and a DORA audit?

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex
  2. ESMA, Digital Operational Resilience Act (DORA)