
How to conduct a DORA gap analysis: a step-by-step framework for FinTechs

DORA has applied since 17 January 2025. Most FinTechs have partial controls and open gaps. A structured gap analysis across all five pillars tells you exactly where you stand and what to fix first, so you build programmes around evidence rather than assumptions.

Cyvra Team
Cyvra Consultancy
3 June 2026

Key takeaways
  • DORA applies to 20 categories of financial entity and has been in force since 17 January 2025. There is no grace period.
  • A gap analysis must cover all five pillars: ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing.
  • Major ICT incidents must be reported within 4 hours of classification, with a final report due within one month.
  • The Register of Information (ROI) for ICT third-party arrangements is one of the most demanding operational requirements. Build time into your plan for it.
  • TLPT (threat-led penetration testing) applies only to entities identified as significant by their competent authority, but basic testing applies to everyone.

Start with a gap analysis, not a programme

Your instinct may be to start DORA compliance by drafting policies. That approach puts outputs before inputs. A gap analysis comes first: it identifies where you are exposed, which your policies cannot tell you.

DORA's five pillars create requirements across ICT risk management, incident reporting, operational testing, third-party risk, and information sharing. Most FinTechs have partial controls in some of these areas and nothing in others. The gap analysis maps what exists, scores it against DORA's requirements, and produces a prioritised list of actions. Without it, you build programmes around assumptions and discover the gaps when a regulator asks.

  • 20 categories of financial entity in scope, including crypto-asset service providers and payment institutions
  • 4h to submit your initial notification after classifying an incident as major
  • 6.5% of firms passed all ROI data quality checks in the ESA dry-run exercise in 2024

Before the analysis: confirm your scope

DORA (Regulation EU 2022/2554) applies to financial entities operating in the EU across 20 defined categories. These include credit institutions, payment institutions, investment firms, insurance and reinsurance undertakings, crypto-asset service providers, crowdfunding service providers, and critical ICT third-party service providers, among others.

Scope is not always obvious for FinTechs. A company providing a payment initiation service is a payment institution. A company embedding insurance products into a platform may be an insurance distribution entity. A crypto wallet provider is a crypto-asset service provider under MiCA, which brings it within DORA's scope. Confirm your classification with your legal counsel before running a gap analysis. The classification determines which obligations apply at which level of detail.

DORA applies a proportionality principle. Microenterprises (fewer than 10 employees, annual turnover under €2 million) qualify for a simplified regime across several pillars. If your organisation sits close to this threshold, confirm whether the simplified or full regime applies to you.

Critical ICT third-party providers

If you supply ICT services to financial entities and the European Supervisory Authorities (ESAs) designate you as critical, you come under DORA's oversight framework directly. The ESAs published the first list of designated critical ICT third-party service providers in 2025. Cloud providers, data analytics platforms, and core banking infrastructure providers are the categories most likely to be included.


Pillar 1: ICT risk management framework
Articles 5-16 · Everyone in scope

DORA requires every in-scope financial entity to maintain a documented ICT risk management framework covering the full lifecycle of a risk: identification, protection, detection, response, and recovery. The framework must be approved by the management body and reviewed at least annually.

When assessing your gap on this pillar, work through the following questions:

  • Does a documented ICT risk management framework exist, or are your controls informal? DORA requires the framework to be written, approved by your board, and version-controlled.
  • Does it cover all five functions? Identification (asset inventory, mapping of critical functions), protection (access controls, patch management), detection (logging, monitoring), response (incident handling procedures), and recovery (backup and restore procedures, RTO/RPO targets).
  • Has your board approved it? DORA Article 5 puts the ICT risk management framework directly on the management body's agenda. If your board has not explicitly approved the framework, that is a gap regardless of how well-written the document is.
  • Is your asset inventory complete? You cannot protect what you have not catalogued. Map all ICT assets supporting critical or important functions, including those hosted by third parties.
  • Do your business continuity and recovery plans reflect current infrastructure? Plans that reference deprecated systems or untested restore procedures will not satisfy an audit.

The most common gap at this pillar is not the absence of controls but the absence of documentation. Most FinTechs have engineers who know how the systems work; fewer have written frameworks that a regulator can read and assess.


Pillar 2: ICT incident reporting
Articles 17-23 · Everyone in scope

DORA sets mandatory reporting deadlines for major ICT-related incidents. An incident qualifies as major where it meets one or more materiality thresholds:

  1. Service downtime: more than 2 hours of disruption to ICT services supporting critical or important functions.
  2. Geographic spread: the incident affects operations in two or more EU member states.
  3. Data impact: any loss of availability, authenticity, integrity, or confidentiality of data that adversely affects business objectives.
  4. Economic impact: costs and losses exceeding €100,000, or reputational damage that triggers customer complaints, regulatory inquiries, or media coverage.
  5. Malicious access: any successful, malicious, and unauthorised access to network and information systems, regardless of other impact thresholds.

Once an incident is classified as major, three reporting deadlines run from that classification:

  • 4 hours: initial notification to the competent authority, covering the nature of the incident, its impact, and the containment measures taken.
  • 72 hours: intermediate report with a fuller assessment of cause, impact scope, and remediation status.
  • 1 month: final report with root cause analysis, corrective actions, and any cross-border effects.

When auditing your gap here, check whether your incident response runbooks include a classification step against the DORA materiality thresholds and a named individual responsible for regulatory notification. Most FinTech incident response processes stop at containment. The notification obligation begins at classification, not at resolution.

Watch out

The 4-hour clock starts when you classify an incident as major, not when the incident began. If your classification process takes 6 hours, you are already out of time. Build the classification decision into the first hour of your incident response.
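As an added illustration (not part of the original article and not Cyvra's tooling), the following Python encodes the five materiality thresholds listed above as a classification step, derives the three reporting deadlines from the classification timestamp rather than from incident start, and measures the detection-to-classification lag against the first-hour target the box recommends. The field names, the calendar-month arithmetic for "one month", and the sample incident are assumptions made for this example.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class IncidentFacts:
    """Facts gathered during triage. Field names are assumptions for this example."""
    downtime_hours: float          # disruption to ICT services supporting critical/important functions
    member_states_affected: int    # EU member states whose operations were affected
    data_impact_adverse: bool      # loss of availability/authenticity/integrity/confidentiality with adverse business effect
    estimated_cost_eur: float      # costs and losses attributable to the incident
    reputational_damage: bool      # customer complaints, regulatory inquiries or media coverage
    malicious_access: bool         # successful, malicious, unauthorised access to network/information systems


def triggered_thresholds(facts: IncidentFacts) -> List[str]:
    """Return the materiality thresholds (as listed on this page) that the incident meets."""
    hits: List[str] = []
    if facts.downtime_hours > 2:
        hits.append("service downtime")
    if facts.member_states_affected >= 2:
        hits.append("geographic spread")
    if facts.data_impact_adverse:
        hits.append("data impact")
    if facts.estimated_cost_eur > 100_000 or facts.reputational_damage:
        hits.append("economic impact")
    if facts.malicious_access:
        hits.append("malicious access")   # qualifies on its own, regardless of other thresholds
    return hits


def is_major(facts: IncidentFacts) -> bool:
    """An incident is major when it meets one or more thresholds."""
    return bool(triggered_thresholds(facts))


def add_one_month(when: datetime) -> datetime:
    """Calendar-month arithmetic, clamping the day for shorter months (an assumption; the article says 'one month')."""
    year, month = (when.year + 1, 1) if when.month == 12 else (when.year, when.month + 1)
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def reporting_deadlines(classified_at: datetime) -> Dict[str, datetime]:
    """All three deadlines run from the moment of classification, not from incident start."""
    return {
        "initial_notification": classified_at + timedelta(hours=4),
        "intermediate_report": classified_at + timedelta(hours=72),
        "final_report": add_one_month(classified_at),
    }


def classification_within_target(detected_at: datetime, classified_at: datetime,
                                  target: timedelta = timedelta(hours=1)) -> bool:
    """Check the detection-to-classification lag against the first-hour target recommended above."""
    return classified_at - detected_at <= target


if __name__ == "__main__":
    # Constructed sample incident: a 3-hour outage of a payments API in one member state, no data impact.
    sample = IncidentFacts(downtime_hours=3.0, member_states_affected=1, data_impact_adverse=False,
                           estimated_cost_eur=40_000.0, reputational_damage=False, malicious_access=False)
    detected = datetime(2025, 1, 31, 9, 0)
    classified = datetime(2025, 1, 31, 9, 45)
    print("major:", is_major(sample), "thresholds:", triggered_thresholds(sample))
    print("classified within first hour:", classification_within_target(detected, classified))
    for name, due in reporting_deadlines(classified).items():
        print(f"{name}: {due:%Y-%m-%d %H:%M}")
```

The classification function is deliberately the only place the thresholds live, so a runbook step can call it and log both the verdict and the thresholds that tripped; that record is what the initial notification needs four hours later.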


Pillar 3: Digital operational resilience testing
Articles 24-27 · All entities; TLPT for significant entities only

DORA requires all in-scope entities to run a programme of operational resilience testing. The requirements split by entity size and significance.

All in-scope entities must conduct vulnerability assessments, scenario-based testing, and network security assessments at least annually. These cover ICT tools and systems supporting critical or important functions, not the entire technology estate.

Significant entities (those identified by competent authorities against criteria set out in the TLPT Regulatory Technical Standards, Commission Delegated Regulation EU 2025/1190, applicable from July 2025) must additionally conduct Threat-Led Penetration Testing (TLPT) at least every three years. TLPT follows the TIBER-EU framework and requires an independent threat intelligence provider and a separate red team provider. Outcomes are reported to the competent authority with a certificate of completion.

For your gap assessment on this pillar:

  • List what testing your organisation has conducted in the past 12 months and against which systems.
  • Check whether the scope covered ICT services supporting critical or important functions specifically, not just perimeter assets.
  • If you have been informed by your competent authority that you qualify for TLPT, confirm your last test date and when the next three-year cycle falls.
  • Review whether test results are documented, remediation actions are tracked, and outcomes are reported to the management body.

Pillar 4: ICT third-party risk management
Articles 28-44 · Everyone in scope

Most FinTechs have their largest DORA gap in third-party risk. DORA's requirements go well beyond a supplier questionnaire.

The centrepiece is the Register of Information (ROI), required under Article 28(3). The ROI is a structured inventory of every contractual arrangement your organisation has with ICT third-party service providers. It must distinguish between arrangements supporting critical or important functions and those supporting non-critical ones, and it must be maintained at entity, sub-consolidated, and consolidated levels. The ROI is submitted to competent authorities annually, with the 2026 cycle covering a reference date of 31 December 2025.

In the ESA dry-run exercise in 2024, only 6.5% of nearly 1,000 participating firms passed all 116 data quality checks. The most common failures were incomplete contract data, missing subcontractor information, and incorrect CIF (Common Information Framework) classifications. If you have not started building your ROI, start now.

Beyond the ROI, your gap assessment on this pillar should cover:

  • Due diligence. Do you conduct documented risk assessments before onboarding ICT service providers supporting critical functions? DORA requires pre-contractual due diligence, not just annual reviews.
  • Contract terms. Do your ICT contracts with critical or important function providers include the mandatory provisions under DORA Article 30? These include: clear descriptions of services and SLAs, security requirements, audit rights, incident reporting obligations, and exit provisions.
  • Subcontractors. Do you know who your critical providers subcontract to? DORA requires you to track material subcontracting chains, not just direct supplier relationships.
  • Concentration risk. Do you have multiple critical functions dependent on a single provider? DORA expects entities to identify and manage ICT concentration risk at both the firm and sector level.
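As an added example (not part of the original article, and not the ESA's actual ROI schema or data quality checks), the Python below runs two of the checks this pillar calls for over a small constructed register: it flags critical or important arrangements whose contracts lack one of the Article 30 provisions named above or whose subcontracting chain was never recorded, and it surfaces concentration risk by finding providers on which more than one critical or important function depends. The record layout, provision key names, providers and functions are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Contract provisions this page lists as mandatory under Article 30 for providers
# supporting critical or important functions. The key names are assumptions for this example.
MANDATORY_PROVISIONS: Tuple[str, ...] = (
    "service_description_and_sla",
    "security_requirements",
    "audit_rights",
    "incident_reporting",
    "exit_provisions",
)


@dataclass
class Arrangement:
    """One contractual arrangement with an ICT third-party provider (simplified, hypothetical schema)."""
    provider: str
    function: str                                # business function the ICT service supports
    critical_or_important: bool                  # the distinction the ROI must make
    contract_provisions: Set[str] = field(default_factory=set)
    subcontractors: Optional[List[str]] = None   # None means the subcontracting chain was never recorded


def register_gaps(register: List[Arrangement]) -> List[Tuple[str, str, str]]:
    """Return (provider, function, issue) findings for arrangements supporting critical or important functions."""
    findings: List[Tuple[str, str, str]] = []
    for a in register:
        if not a.critical_or_important:
            continue                             # non-critical arrangements still belong in the ROI but are not checked here
        for provision in MANDATORY_PROVISIONS:
            if provision not in a.contract_provisions:
                findings.append((a.provider, a.function, f"missing contract provision: {provision}"))
        if a.subcontractors is None:
            findings.append((a.provider, a.function, "subcontracting chain not recorded"))
    return findings


def concentration_risk(register: List[Arrangement], min_functions: int = 2) -> Dict[str, List[str]]:
    """Providers on which at least `min_functions` distinct critical or important functions depend."""
    by_provider: Dict[str, Set[str]] = defaultdict(set)
    for a in register:
        if a.critical_or_important:
            by_provider[a.provider].add(a.function)
    return {p: sorted(fns) for p, fns in by_provider.items() if len(fns) >= min_functions}


# Constructed sample register (fictional providers and functions).
SAMPLE_REGISTER = [
    Arrangement("CloudHost Ltd", "payment processing", True, set(MANDATORY_PROVISIONS), ["DC Operator A"]),
    Arrangement("CloudHost Ltd", "customer ledger", True, set(MANDATORY_PROVISIONS) - {"exit_provisions"}, []),
    Arrangement("KYC Vendor BV", "customer onboarding", True, set(MANDATORY_PROVISIONS), None),
    Arrangement("Analytics SaaS", "marketing reporting", False, set(), None),
]


if __name__ == "__main__":
    for finding in register_gaps(SAMPLE_REGISTER):
        print("GAP:", *finding)
    for provider, fns in concentration_risk(SAMPLE_REGISTER).items():
        print(f"CONCENTRATION: {provider} supports {', '.join(fns)}")
```

An empty subcontractor list is treated as a positive statement ("no material subcontractors") while `None` is treated as an unanswered question; keeping that distinction in the data is what lets the check tell a clean record from an incomplete one, which is the failure mode the dry-run results above point to.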

Pillar 5: Information sharing
Articles 45-49 · Voluntary

DORA's fifth pillar permits financial entities to participate in information sharing arrangements covering cyber threats, threat intelligence, and attack indicators. Participation is voluntary and requires that sharing arrangements meet data protection obligations and do not breach competition law.

For most FinTechs at the gap analysis stage, this pillar is lower priority than the first four. The gap to assess here is simply whether your organisation has a position on information sharing, knows what forums exist in your sector, and has considered the confidentiality and legal parameters of participating.


Building the remediation roadmap

A gap analysis produces a list of findings across five pillars. Turning that list into a roadmap requires three things: a severity rating for each gap, a realistic effort estimate, and a sequencing logic.

Use this sequencing approach:

  1. Fix regulatory exposure first. Gaps in incident reporting procedures and the ROI carry the highest immediate enforcement risk. Get those to a defensible state before refining your ICT risk management framework.
  2. Document what already works. Most FinTechs have controls that exist but are not written down. Converting informal practice into documented policy is faster than building new controls and reduces your gap count.
  3. Sequence third-party work early. Renegotiating supplier contracts and building your ROI both require lead time you do not control. Start those workstreams in parallel with your internal policy work, not after it.
  4. Align testing to your next cycle. If your annual penetration test is due in three months, plan your testing gap remediation to feed into that cycle rather than scheduling a standalone assessment.

The roadmap should name owners for each action, carry a completion date, and be reviewed by your management body. DORA's management body obligations mean your board needs to see this document and formally approve the remediation plan, not just receive a summary.

Regulators treated 2025 as a transition year, reviewing frameworks and setting expectations rather than pursuing immediate sanctions. That period is closing. Organisations that arrive at a regulatory review with a completed gap analysis and a board-approved roadmap are in a materially better position than those presenting work in progress.

Frequently asked questions

Who does DORA apply to?

DORA (Regulation EU 2022/2554) applies to 20 categories of financial entity operating in the EU, including credit institutions, payment institutions, investment firms, insurance undertakings, crypto-asset service providers, and critical ICT third-party service providers. It has applied since 17 January 2025. Microenterprises (fewer than 10 employees and annual turnover under €2 million) benefit from a proportionality regime with simplified requirements.

What are the five pillars of DORA?

DORA is built around five pillars: (1) ICT risk management framework, requiring a documented, board-approved framework covering protection, detection, response, and recovery; (2) ICT incident reporting, with mandatory notification of major incidents within 4 hours of classification; (3) digital operational resilience testing, including annual vulnerability assessments and TLPT for significant entities every three years; (4) ICT third-party risk management, including a Register of Information covering all ICT service providers; and (5) information sharing, allowing voluntary threat intelligence exchange between financial entities.

What makes an ICT incident reportable under DORA?

DORA requires financial entities to classify incidents against defined materiality thresholds. An incident qualifies as major where it causes service downtime of more than 2 hours for critical functions, affects operations in two or more EU member states, causes data loss with adverse business impact, or generates costs and losses exceeding €100,000. Major incidents must be reported to the competent authority with an initial notification within 4 hours of classification, an intermediate report within 72 hours, and a final report within one month.

Does every financial entity under DORA need to do Threat-Led Penetration Testing?

No. TLPT is mandatory only for entities identified by competent authorities as significant under the criteria in the TLPT RTS (Commission Delegated Regulation EU 2025/1190, applicable from July 2025). For those entities, TLPT must be conducted at least every three years using the TIBER-EU framework, with an independent threat intelligence provider and a separate red team provider. All other in-scope entities must conduct regular vulnerability assessments and scenario-based testing, but not full TLPT.

What is the DORA Register of Information?

The Register of Information (ROI) is a mandatory inventory under DORA Article 28(3) covering all contractual arrangements with ICT third-party service providers. It must distinguish between providers supporting critical or important functions and those supporting non-critical functions. The ROI must be maintained at entity, sub-consolidated, and consolidated levels, and submitted to competent authorities annually. In the ESA dry-run exercise in 2024, only 6.5% of nearly 1,000 participating firms passed all 116 data quality checks, demonstrating how demanding the ROI requirement is in practice.


Disclaimer: This article is for general informational purposes only and does not constitute legal, regulatory, or professional advice. Cyvra makes no warranty as to the accuracy or completeness of this content, which may not reflect the most current regulatory developments. Readers should seek independent legal and regulatory advice appropriate to their specific circumstances. Cyvra accepts no liability for any loss arising from reliance on this content.