
Digital operational resilience, handled.

How 01GRC maps to the EU Digital Operational Resilience Act (Regulation (EU) 2022/2554) — across ICT risk management, incident management, resilience testing and ICT third-party risk.

4 DORA pillars · Register of Information export · built by GRC practitioners
The four pillars

Built around how DORA is structured.

DORA organises operational resilience into four pillars. Here is the article-by-article mapping of what each one asks for and what 01GRC delivers against it.

Pillar 1

ICT risk management

Governance, identification, protection, detection, response and continuous learning — the management framework at the heart of DORA (Arts. 5–13).

DORA focus → What 01GRC delivers

Governance & accountability (Art. 5): Periodic management review with immutable, snapshotted sign-off and attestation, role-based accountability with senior-management approvals, built-in Learning module (courses, quizzes, schedules, completion tracking) for staff and board ICT awareness.

Risk-management framework, reviewed yearly (Art. 6): Framework and policies managed as controlled documents with scheduled review cycles and attested annual review.

Identification & asset mapping (Art. 8): First-class business graph — Department → Process → Asset → Data Flow → Vendor — with owners, CIA classification, RTO/RPO, and full upstream/downstream dependency mapping.

Protection & prevention (Art. 9): Control library of 94 ISO 27001 Annex A + 24 ISMS controls, explainable baseline-scoping engine, control effectiveness history, and governed exemptions with approval and expiry.

Detection (Art. 10): Structured detection-method capture and analytics across all incidents.

Response, recovery & business continuity (Art. 11): BCP/DR plans managed as controlled documents with scheduled review, BIA-driven impact analysis, response and recovery exercised through tabletop, simulation, failover and functional drills.

Backup & restoration (Art. 12): Backup and restoration policies managed as version-reviewed documents, restoration validated through resilience failover exercises capturing cutover, failback and data-loss metrics.

Learning & evolving (Art. 13): Root-cause and post-incident review activities, resilience findings converted into tracked remediation actions, and a maintained vulnerability register.
Pillar 2

Incident management

A managed lifecycle for ICT-related incidents and the classification that drives reporting (Arts. 17–18).

DORA focus → What 01GRC delivers

Incident management process (Art. 17): State-machine-enforced incident lifecycle, typed activity timeline (triage → containment → eradication → recovery → root cause → review), asset and data linkage, evidence attachments, and MTTD/MTTR dashboards.

Incident classification (Art. 18): Impact analysis through dependency mapping — every incident surfaces the affected assets, the critical services they support, and the downstream dependent processes, plus the data elements involved.
Pillar 3

Resilience testing

A programme of digital operational resilience testing, evidenced against your recovery targets (Arts. 24–25).

DORA focus → What 01GRC delivers

Resilience testing programme (Arts. 24–25): Full exercise suite — tabletop, simulation, failover and functional — with injects, success-checks against targets, participant tracking, evidence, timelines, findings-to-remediation workflow, and BIA/RTO-linked reporting.
Pillar 4

ICT third-party risk

Third-party risk principles, contract management, and the Register of Information your regulator asks for (Arts. 28–30).

DORA focus → What 01GRC delivers

Register of Information (Art. 28(3)): A one-click Register of Information export built to the official EBA Reporting Package v4.0 / DPM v2.0 taxonomy — templates B_01.01–B_07.01 covering entities, contractual arrangements, ICT providers, supply chain and critical-function assessment.

Third-party risk principles (Art. 28): Vendor register with criticality automatically derived from process and BIA criticality, vendor questionnaires with encrypted, virus-scanned evidence, subcontractor-chain mapping with data-access level and materiality.

Contract management (Art. 30): ICT contract lifecycle tracking with renewal and expiry reminders, arrangement-to-contract linkage, and subcontractor mapping.

01GRC provides the tooling and audit evidence that support these DORA requirements. It is one component of an organisation's broader operational-resilience programme.

More frameworks

One platform, every standard you answer to.

DORA is one of several frameworks built in — and you can add your own. More framework guides are on the way.

See your DORA programme the way it should look.

Book a personalised walkthrough — we'll demo ICT risk, incident management, resilience testing and the Register of Information on data shaped like yours.