Resilience · EU

DORA documentation generator

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is binding EU law for financial entities and their critical ICT providers. It harmonises ICT risk management, incident reporting, resilience testing, third-party risk and information sharing, and has applied since 17 January 2025. CompliWiseAI generates the full DORA documentation set tailored to your entity type and size.

DORA — the Digital Operational Resilience Act — is the EU regulation that makes digital operational resilience a legal requirement for banks, insurers, investment firms, payment and crypto-asset providers and many other financial entities, along with their critical ICT third-party providers. Applicable since 17 January 2025, it requires a documented ICT risk-management framework, classified incident reporting to competent authorities, a digital resilience testing programme, tight management of ICT third parties (including a 'Register of Information'), and resilience-focused continuity arrangements. CompliWiseAI produces the complete DORA evidence set — framework, policies, incident and reporting procedures, testing programme, third-party register and continuity plans — tailored to whether you are a significant entity, a smaller proportionate one, or an ICT provider in scope.

Documents we generate for DORA

9 required documents, each tailored to your company and structured for audit.

ICT Risk Management Framework

Required

The overarching framework governing how ICT risk is identified, protected against, detected, responded to and recovered from.

Policy · DORA Art. 6

ICT Risk Management Policy

Required

Operational policy for protecting ICT assets, identifying risks and applying controls.

Policy · DORA Art. 6–8

ICT Asset Inventory & Classification

Required

Inventory of information and ICT assets supporting critical/important functions, classified by criticality.

Risk register · DORA Art. 8

ICT Incident Management & Classification Procedure

Required

Detection, handling and classification of ICT-related incidents by severity and impact.

Incident response · DORA Art. 17–18

Major ICT Incident Reporting Procedure

Required

Process and timelines for reporting major ICT incidents to the competent authority.

Incident response · DORA Art. 19

Digital Operational Resilience Testing Programme

Required

Programme of vulnerability assessments, scenario and resilience testing of ICT systems.

SOP · DORA Art. 24–25

Threat-Led Penetration Testing (TLPT) Approach

Advanced threat-led testing approach for entities identified as significant.

SOP · DORA Art. 26–27

ICT Third-Party Risk Management Policy

Required

Governance of risks arising from the use of ICT third-party service providers.

Policy · DORA Art. 28–30

Register of Information (ICT Third-Party Arrangements)

Required

The mandated register of all contractual arrangements with ICT third-party providers, reportable to authorities.

Log template · DORA Art. 28(3)

ICT Business Continuity & Response/Recovery Plan

Required

Continuity, response and recovery arrangements for ICT disruptions, including backups.

Incident response · DORA Art. 11–12

Cyber Threat Information-Sharing Arrangements

Voluntary arrangements for sharing cyber threat intelligence with trusted communities.

Policy · DORA Art. 45

DORA readiness checklist

  • ICT risk management framework approved by the management body
  • ICT assets supporting critical functions inventoried and classified
  • ICT incident classification and management procedure in place
  • Major-incident reporting process and timelines defined
  • Digital operational resilience testing programme running
  • ICT third-party risk policy and due diligence applied
  • Register of Information maintained and report-ready
  • ICT continuity, response and recovery plan tested

DORA — frequently asked questions

Who has to comply with DORA?

A broad range of EU financial entities — credit institutions, payment and e-money institutions, investment firms, insurers and intermediaries, crypto-asset service providers, fund managers and more — plus the critical ICT third-party providers that serve them. Some requirements are applied proportionately to smaller entities.

What is the DORA 'Register of Information'?

A structured register of all contractual arrangements with ICT third-party service providers, which entities must maintain and report to competent authorities. CompliWiseAI generates a Register of Information template aligned to the regulatory technical standards.

When did DORA take effect?

DORA entered into force in January 2023 and has applied since 17 January 2025. Entities are expected to be able to evidence their ICT risk framework, incident classification/reporting and resilience testing from that date.

Start your DORA documentation free

Create a workspace, add DORA, and generate your first audit-ready document in minutes.