DORA Gap Analysis: Action Plan
The Digital Operational Resilience Act (DORA) applies in the financial sector from 17 January 2025. From then on, financial institutions must be able to demonstrate that their digital operational resilience is in order. Many organizations, however, are still unsure whether they meet all the requirements. Audit managers and CISOs in particular ask: have we arranged everything correctly, and what is still missing?
A DORA gap analysis answers these questions. It compares your current situation, point by point, with the DORA obligations, so you know exactly where the gaps are and how to close them. That also spares you surprises during inspections by the supervisory authority.
This guide therefore offers a clear step-by-step plan. You'll also gain insight into common mistakes and tips on how to avoid them. Furthermore, you will receive a practical checklist to get you started quickly.

What is a DORA gap analysis?
Simply put, a DORA gap analysis compares your ICT security with what DORA mandates. You do this in a structured way, following the requirements of this European regulation: rules for ICT risk management, incident reporting, resilience testing, and the secure handling of ICT third-party providers.
The goal of such an analysis is clear: to find out where your organization is not yet compliant before the regulator does. So you are actively looking for problems. For example, processes that are not well-documented or incidents that are not reported within the required timeframe. The results are presented clearly in a report. This immediately provides you with a practical action plan for implementing improvements.
Important here: DORA applies specifically to financial entities (banks, insurers, investment firms, payment institutions and similar) and, through its oversight framework, to their critical ICT third-party providers. Although it overlaps with general IT audits, the emphasis is clearly on operational resilience: can the organization keep its critical functions running through an ICT disruption? Keep this in mind when you perform the analysis.
Why is DORA compliance important?
Complying with the DORA regulation is mandatory for financial institutions. Those who do not meet these requirements risk fines, reputational damage, and operational restrictions. However, compliance not only provides protection against sanctions. It also improves your digital security, ensuring peace of mind for your customers and regulators.
DORA applies from 17 January 2025, so audit and risk managers need to act now. The gap analysis is the ideal tool for this. It shows management at once where the organization is performing well and where there are areas for improvement, and it forms the basis for the plans you present to executives. That matters because DORA makes the management body itself responsible for the ICT risk management framework: DORA must get the attention not only of IT specialists but also of the board members who make strategic decisions.
Key DORA Requirements and Pillars
DORA sets specific requirements for the digital security of financial organizations. These requirements are divided into five clear pillars. They are briefly explained below:
- ICT risk management: maintain a documented ICT risk management framework, approved and overseen by the management body, and assess and treat ICT risks regularly.
- Incident management and reporting: classify ICT-related incidents and report major ones to the competent authority. The initial notification is due within 24 hours of becoming aware of the incident (and within 4 hours of classifying it as major), followed by an intermediate report within 72 hours and a final report within one month. Significant cyber threats may be reported voluntarily.
- Digital operational resilience testing: test the ICT systems and applications that support critical or important functions at least yearly, for example with vulnerability assessments, penetration tests and scenario-based tests. Entities designated by their authority must additionally carry out threat-led penetration testing (TLPT) at least every three years.
- ICT third-party risk management: manage the risks of ICT service providers through contractual requirements, a register of information on all contractual arrangements, and regular monitoring.
- Information sharing: exchange cyber threat information and intelligence with peers in the sector. DORA encourages such arrangements but does not make participation mandatory.
All these areas are covered in your gap analysis. This is important because it ensures you check all key points.
Step 1 – Determine scope and objectives
Every good gap analysis starts with determining the scope and goals. First, determine what exactly falls under your analysis. Are these just certain departments, or are you including the entire organization? Also consider which IT systems, processes, and external suppliers are important.
Your goal should be clear and measurable. For example: “Our organization will be fully compliant with DORA by the end of 2024.” Such a clear goal provides direction for the entire project.
Also assemble a project team. Audit managers, compliance officers, or CISOs often lead such a project. Employees from other departments should also be included. This ensures that everyone understands why the analysis is important.
Document all of this in a scope document. This will prevent discussions later about what should or should not be included.
Step 2 – Mapping the current situation
First, gather all relevant documents. These include, for example, IT policy documents, previous incident reports, and vendor agreements. Ensure you are complete, as only then can you make a good comparison.
Conversations with employees are also important. Measures often turn out differently in practice than they appear on paper. By talking to IT managers and colleagues from compliance, you gain better insight into the actual situation.
A good tip here is to first do a quick self-scan. This gives you immediate insight into potential shortcomings. For example: are the ICT systems that support your critical or important functions tested at least yearly, as DORA requires, and is the scope of those tests documented?
Finally, summarize all this information in a clear overview. This will be your starting point for identifying gaps in the next step.
Step 3 – Identify and analyze gaps
Now comes the real work: discovering the differences between the current situation and what DORA precisely requires. Do this step by step, per DORA pillar. Use a checklist or Excel matrix for this. Clearly put the requirements opposite what your organization currently does.
Distinguish between different types of problems here. Are they, for example, policy problems, is a technical measure missing, or are certain procedures not yet clearly elaborated? By making this distinction clear, it will soon become apparent what exactly is needed to implement improvements.
An example of a clear gap: DORA requires the systems supporting critical or important functions to be tested at least yearly, but your organization only conducts a penetration test every few years. This kind of difference is immediately noticeable.
Step 4 – Assess and prioritize gaps
Once you have a list of all gaps, determine which ones to tackle first. Not every shortcoming carries the same risks.
Please pay special attention to:
- Impact of the problem (what happens if this persists?)
- Effort needed to solve the problem
- Urgency
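The gap matrix from Step 3 and the prioritization from Step 4 can be kept in a small register rather than a spreadsheet. The following is an added example, not code from the original article: it records one line per requirement and pillar, validates the entries, ranks the open gaps by impact, effort and urgency (urgency is derived from the deadline), and flags pillars the assessment skipped. The pillar names, scoring weights, urgency bands and the sample register for a fictional institution are assumptions made for illustration; adjust the weights to your own risk appetite.

```python
# Added example (not part of the original article): a small DORA gap register
# that compares requirements with the current state per pillar (Step 3) and
# ranks the open gaps by impact, effort and urgency (Step 4).
# The scoring weights, urgency bands and sample entries are assumptions.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

PILLARS = (
    "ICT risk management",
    "Incident management and reporting",
    "Digital resilience testing",
    "Third-party risk management",
    "Information sharing",
)

GAP_TYPES = ("policy", "technical", "procedural")


@dataclass
class RegisterEntry:
    pillar: str
    requirement: str        # what DORA asks for (article reference where known)
    current_state: str      # what the organization actually does today
    compliant: bool         # True when no gap was found
    gap_type: Optional[str] = None   # policy / technical / procedural
    impact: int = 0         # 1 (low) .. 5 (high): what happens if it persists
    effort: int = 0         # 1 (low) .. 5 (high): work needed to close it
    deadline: Optional[date] = None  # date by which the gap must be closed

    def __post_init__(self):
        # Reject entries that would make the matrix incomplete or unrankable.
        if self.pillar not in PILLARS:
            raise ValueError(f"unknown pillar: {self.pillar}")
        if not self.compliant:
            if self.gap_type not in GAP_TYPES:
                raise ValueError(f"gap needs a gap_type from {GAP_TYPES}")
            for name in ("impact", "effort"):
                if not 1 <= getattr(self, name) <= 5:
                    raise ValueError(f"{name} must be 1..5")
            if self.deadline is None:
                raise ValueError("open gap needs a deadline")


def urgency_from_deadline(deadline: date, today: date) -> int:
    """Map the time left to a 1..5 urgency band; overdue gaps are maximal."""
    days_left = (deadline - today).days
    if days_left <= 30:
        return 5
    if days_left <= 90:
        return 4
    if days_left <= 180:
        return 3
    if days_left <= 365:
        return 2
    return 1


def priority_score(entry: RegisterEntry, today: date) -> int:
    """Weighted score: impact counts most, urgency next, effort pulls it down."""
    urgency = urgency_from_deadline(entry.deadline, today)
    return 3 * entry.impact + 2 * urgency - entry.effort


def rank_gaps(register: List[RegisterEntry], today: date) -> List[RegisterEntry]:
    """Open gaps only, highest priority first; ties broken by lower effort."""
    open_gaps = [e for e in register if not e.compliant]
    return sorted(open_gaps, key=lambda e: (-priority_score(e, today), e.effort))


def uncovered_pillars(register: List[RegisterEntry]) -> List[str]:
    """Pillars with no entry at all: the assessment skipped them."""
    seen = {e.pillar for e in register}
    return [p for p in PILLARS if p not in seen]


# Constructed sample register for a fictional institution (not real findings).
TODAY = date(2024, 9, 1)
SAMPLE_REGISTER = [
    RegisterEntry("ICT risk management",
                  "Board-approved ICT risk management framework, reviewed at least yearly (Art. 6)",
                  "Framework approved in 2023 and reviewed in Q2 2024", compliant=True),
    RegisterEntry("Incident management and reporting",
                  "Classification and initial notification of major ICT incidents within the Art. 19 deadlines",
                  "No classification criteria; reporting decided ad hoc by the CISO",
                  compliant=False, gap_type="procedural", impact=5, effort=2,
                  deadline=date(2025, 1, 17)),
    RegisterEntry("Digital resilience testing",
                  "Test ICT systems supporting critical or important functions at least yearly (Art. 24)",
                  "External penetration test every three years, scope not tied to critical functions",
                  compliant=False, gap_type="technical", impact=4, effort=3,
                  deadline=date(2025, 1, 17)),
    RegisterEntry("Third-party risk management",
                  "Register of information on all ICT third-party contractual arrangements (Art. 28)",
                  "Procurement keeps a vendor list; sub-outsourcing and exit plans are missing",
                  compliant=False, gap_type="policy", impact=3, effort=4,
                  deadline=date(2025, 6, 30)),
]

if __name__ == "__main__":
    for e in rank_gaps(SAMPLE_REGISTER, TODAY):
        print(f"{priority_score(e, TODAY):>3}  {e.pillar:<35} {e.gap_type:<10} {e.requirement}")
    missing = uncovered_pillars(SAMPLE_REGISTER)
    if missing:
        print("Pillars not assessed:", ", ".join(missing))
```

Run as a script, the sample ranks the incident-reporting gap first (score 19), the testing gap second (15) and the third-party register last (9), and warns that the information-sharing pillar has no entry at all. The additive weighting is deliberately simple so that management can see why an item lands where it does; the point of the register is that every pillar has a row, even the compliant ones, which is what makes the coverage check in Step 3 possible.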
Step 5 – Create an action plan
With your priority list, you create a concrete action plan. For each item, you clearly define what needs to be done, who will do it, and when it needs to be completed.
Include the necessary budgets and capacity in the plan. This will prevent delays. If necessary, create a visual timeline to maintain an overview.
Use existing projects where possible. If your organization already runs an ISO/IEC 27001 program, integrate the DORA measures into it: many of the controls for risk management, incident handling and supplier management overlap, and you avoid maintaining two sets of evidence.
Step 6 – Implementation and Monitoring
Execution requires regular checks. Schedule moments to discuss progress. Train employees and ensure sufficient awareness. Set metrics to see if improvements are having an effect.
Also plan an internal audit or an external review afterward. This will make compliance a permanent part of your work.
Common challenges and tips
During a gap analysis, you always encounter obstacles:
- Uncertainty about regulations: start with clear objectives and involve specialists.
- Lack of time: prioritize actions and seek external help if needed.
- Internal resistance: clearly demonstrate the practical advantage.
- Outdated systems: break large problems down so they can be tackled separately.
- Lack of structure: use tools such as checklists.
