DORA is the EU rulebook for banks, insurers and their critical IT vendors. It demands you can survive a serious cyber incident, prove it with tests, and keep a register of every IT supplier you depend on.
DORA focuses on operational resilience for financial entities: ICT risk management, incident reporting, testing, third-party risk and resilience evidence.
Each requirement of the chosen framework, scored against each tool. Coverage is editorial — based on public documentation, vendor demos and user reports.
| Requirement | 🇵🇱 $200 / month | 🇺🇸 from $59 / endpoint / year | 🇺🇸 Quote required | 🇨🇭 from $85 / workstation / year | 🇺🇸 from ~$8 | 🇺🇸 Quote required (enterprise) | Editor's note |
|---|---|---|---|---|---|---|---|
| ICT risk management framework: Board-approved ICT risk framework. | Implemented | Partial | Partial | Not included | Strong | Strong | Pre-built DORA risk taxonomy with live evidence. |
| Incident classification & reporting: Major incident classification. | Implemented | Strong | Partial | Not included | Partial | Implemented | Built-in DORA classification flow with regulator templates. |
| Resilience & TLPT testing: Threat-led penetration test evidence. | Partner | Strong | Partial | Partial | Not included | Not included | TLPT partner intake + evidence storage. |
| Third-party ICT risk register: All critical ICT vendors tracked. | Implemented | Not included | Not included | Not included | Strong | Strong | DORA-shaped third-party register included. |
| Contract clauses (Art. 30): Mandatory clauses present in vendor contracts. | Implemented | Not included | Not included | Not included | Partial | Strong | Contract gap analysis flags missing Art. 30 clauses. |
| Operational resilience evidence: Restore tests, exercises, RTO proofs. | Via integration | Partial | Partial | Strong | Partial | Partial | Pulls Acronis restore evidence and bundles for the regulator. |
Methodology: public docs, vendor demos, practitioner interviews. Verify with each vendor before purchase.
Banks, insurers, investment firms and their critical ICT providers.
TLPT results, incident registry, contract clauses, resilience tests.
Third-party register and contract evidence are commonly missing.
Third-party register, contract gap analysis, resilience evidence.