Free tool · No signup · Runs in your browser

How ready are you for a DORA supervisory review?

Answer 10 questions. 90 seconds. Free. Built by an EU-native team — based on DORA Regulation (EU) 2022/2554 Articles 28, 29, 30.

Question 1 of 10

Do you maintain a single source of truth for every ICT third-party provider, including sub-processors?

DORA Art. 28(1)(a) — the register of contractual arrangements.

Question 2 of 10

Have you classified each provider as supporting a critical or important function?

DORA Art. 28(2) — criticality classification, reviewed on a defined cadence.

Question 3 of 10

Do you run a documented risk assessment BEFORE signing each new ICT provider?

DORA Art. 28(4) — pre-contractual risk assessment, evidenced not assumed.

Question 4 of 10

Do your contracts include the Article 30 mandatory clauses (data access, audit rights, exit, sub-contracting consent, incident reporting)?

DORA Art. 30 — mandatory contractual provisions for ICT third-party services.

Question 5 of 10

For each critical/important ICT provider, do you have a documented, tested exit strategy?

DORA Art. 28(8) — exit strategies and substitution plans.

Question 6 of 10

Can you produce, on demand, the sub-contracting chain for any critical provider down to data location?

DORA Art. 30(2)(a) and (3) — sub-contracting visibility and consent.

Question 7 of 10

Have you assessed concentration risk across your ICT third-party portfolio?

DORA Art. 29 — concentration risk at the entity level.

Question 8 of 10

Do you actively monitor SLAs and produce audit-ready performance evidence for critical providers?

DORA Art. 28(5)-(7) — ongoing monitoring obligations.

Question 9 of 10

Can your incident reports link to the specific ICT third-party provider involved?

DORA Articles 17-23 — ICT-related incident management and reporting.

Question 10 of 10

Is the maintained register reviewed at board or senior-management level on a defined cadence?

DORA Art. 5 + Art. 28 — management body responsibility for the ICT risk framework.

This calculator is an educational self-assessment tool. It is not legal advice, an audit, or a formal compliance certification. Results are indicative. For a formal assessment, engage a qualified DORA advisor.

Frequently Asked Questions

About the calculator, the scoring, and what to do next.

What is a DORA readiness assessment?

A DORA readiness assessment is a structured self-evaluation of how well an organisation meets the ICT third-party risk management obligations set out in the Digital Operational Resilience Act (Regulation (EU) 2022/2554), particularly Articles 28, 29, and 30. It covers the maintained register of ICT providers, criticality classification, pre-contractual risk assessment, mandatory contractual provisions, exit strategies, sub-contracting visibility, concentration risk, SLA monitoring, incident linkage, and board oversight.

Which DORA articles does this calculator cover?

The calculator is mapped to DORA Articles 28 (general principles, register, pre-contractual risk assessment, contractual provisions, exit strategies), 29 (concentration risk at entity level), and 30 (mandatory contract provisions for ICT third-party services, including data access, audit rights, sub-contracting consent, and incident reporting). It is built on the published DORA Level 1 text and the European Supervisory Authorities' Regulatory Technical Standards.

What scoring bands does the calculator use?

Each question is scored on a 0, 4, 7, or 10 point scale, giving a total of 0 to 100. Below 40 is Red, indicating supervisory exposure and material gaps that a national competent authority would likely flag in an inspection. 40 to 69 is Amber, indicating partial coverage with material gaps still to close. 70 and above is Green, indicating an audit-ready posture suitable for a DORA supervisory review, with maintenance-level work remaining.

Is the calculator legal advice or a formal compliance certification?

No. The DORA Readiness Calculator is a free, educational self-assessment tool. It is not legal advice, an audit, or a formal compliance certification. Results are indicative and intended to help procurement, compliance, and risk teams identify priority gaps. For a formal assessment, organisations should engage a qualified DORA advisor or run a full audit against the DORA Level 1 text and the European Supervisory Authorities' Regulatory Technical Standards.

Does the calculator collect personal data or send results to FiorLab?

No. The calculator runs entirely in the browser. No answers, email addresses, or identifying data are transmitted to FiorLab or any third party. There are no analytics calls or tracking pixels on the calculator itself. If you would like a written follow-up or a guided walk-through of your gaps, you can voluntarily email hello@fiorlab.com — but nothing is sent automatically.

Word from our founder

We built this calculator because every procurement and compliance team we speak to is staring at the same DORA gap-analysis exercise — and most are doing it in a spreadsheet at 9pm on a Sunday. There's no need for that.

Ten questions, mapped honestly to the regulation, no email gate. Use it as a board-prep tool. Use it to scope your next audit. Use it to argue for the budget you actually need. Then, if FiorLab can help close the gaps, we're an email away.

— The FiorLab team, Dublin
