We confirm which DORA obligations apply to your entity (proportional to your critical/important functions), identify critical services and key ICT dependencies, and set concrete deliverables, milestones and owners to kick off on the right track.

We build the ICT risk register with KRIs/KCIs, assess control maturity against DORA, and map roles, committees and reporting lines. Output: a prioritized gap matrix with owners and due dates, sequenced for quick wins and high-risk fixes first.

We deliver incident/major-disruption procedures, severity thresholds, and ready-to-file templates for supervisors, clients and partners. Escalation paths, comms playbooks and evidence-capture steps are included to meet strict reporting timelines and audit traceability.

We define an annual testing calendar and craft realistic scenarios/scripts covering resilience, recovery and response. Where TLPT applies, we coordinate planning and documentation. Every exercise ends with logged findings, owners and remediation actions.

We inventory ICT/ops providers, classify criticality and concentration risk, and provide a contract clause pack (sub-outsourcing, resilience, data access, incident duties, termination/exit). Onboarding and periodic-review checklists are included for continuous oversight.

You receive the policy set, operational runbooks, registers and focused training materials, plus a 90-day remediation backlog your teams can execute without friction. Optional: monthly evidence collection and governance support.