Become DORA-ready and prove operational resilience across your critical services
The Digital Operational Resilience Act (DORA) is a mandatory EU regulation for a wide range of financial entities and certain critical ICT third-party providers supporting them. It has applied since 17 January 2025, and it’s increasingly treated as best practice by UK organisations that trade in the EU or support EU-regulated firms.
DORA is risk-based and tier-based, focused on keeping services available to customers. Its core pillars include ICT risk management, incident reporting, operational resilience testing, ICT third-party risk management/oversight, and information-sharing on threats. Lockdown can guide you through the DORA journey with consultancy, professional services, and intelligence capability to help demonstrate compliance.
- Regulatory compliance for the financial industry and operations
- Builds and demonstrates operational resiliency around availability
- Builds processes and controls around critical third-party supplier assurance
- Develops intelligence and intelligence-sharing capabilities
- Format: DORA readiness + gap assessment, remediation roadmap, evidence pack, testing & reporting support, ongoing compliance rhythm
- Duration: typically 4–12 weeks for readiness (depends on scope, tiering, suppliers, and current maturity)
- Audience: risk/compliance, IT/security, ops/service owners, incident response, procurement/vendor management, senior accountability
- Ideal for: banks, insurers, asset/investment firms, fintechs, crypto firms, and ICT providers supporting EU-regulated entities
- What's included: control mapping to DORA pillars, supplier register support, incident reporting readiness, resilience testing plan, evidence framework
Common problems
“We don’t know if DORA applies to us or what scope we’re accountable for.”
Recommended focus: scope + applicability check
You’ll get: a clear scope, obligations, and ownership model
“We can’t evidence resilience testing and continuity for critical services.”
Recommended focus: resilience testing plan + BC/DR evidence
You’ll get: test scenarios, results tracking, and improvement actions
“Our ICT risk management is spread across teams and not consistent.”
Recommended focus: unified ICT risk framework
You’ll get: one operating model, mapped to DORA pillars
“Third-party ICT risk is our biggest gap: contracts and oversight.”
Recommended focus: supplier register + contract controls
You’ll get: stronger supplier governance and evidence of oversight
“Incident reporting isn’t ‘DORA-ready’: thresholds, timelines, evidence.”
Recommended focus: incident reporting process + evidence
You’ll get: a practical reporting workflow and audit trail
“We want UK/EU alignment without duplicating effort.”
Recommended focus: harmonise with UK operational resilience
You’ll get: one joined-up approach that reduces duplication
What this service includes
- DORA scoping + applicability assessment (entity type, services, criticality, suppliers)
- Gap assessment mapped to DORA pillars (what’s in place, what’s missing, what’s evidenced)
- ICT risk management operating model (roles, processes, risk register, controls mapping)
- Incident management + reporting readiness (classification, evidence capture, reporting workflow)
- Digital operational resilience testing plan (BC/DR, scenario testing, lessons learned)
- ICT third-party risk support (supplier register approach, oversight controls, contract expectations)
- Threat intelligence and information-sharing enablement (what to consume, how to share safely, how to evidence)
- Evidence pack structure for audit and regulator conversations (repeatable, not one-off)
Ask for price
Tell us your number of staff, service of interest, your sector, and timeline. If you’d like a call back, leave your phone number in the optional message field and we’ll get back to you. We’ll recommend the best-fit option and send a clear quote.
