Solutions · DORA
DORA compliance, operated not improvised
The Digital Operational Resilience Act makes ICT risk a board-level obligation for financial entities and their critical providers. Acuna runs the whole programme in one place: the ICT risk framework, the third-party register, resilience testing, and incident reporting, each tied to a named owner and the evidence that proves it.
In short
DORA (Regulation (EU) 2022/2554) requires financial entities to manage ICT risk, maintain a register of information on ICT third-party arrangements, test their operational resilience, and report major ICT-related incidents to their competent authority. Acuna is a multi-framework GRC platform that operationalises those obligations: it maps the DORA requirements once, keeps the third-party register live against your vendor inventory, and ties every control to an owner and to evidence.
Turn a supervisory obligation into operational resilience you can prove
DORA is not a document exercise. Your competent authority can ask, at short notice, for your ICT third-party register, your resilience testing results, and your incident timeline. The entities that handle DORA well are the ones where those answers already exist as a running system, not a project that spins up when the regulator writes. That is the difference between resilience as a state you maintain and resilience as a scramble you survive.
One system for the whole DORA programme
DORA maps once across the four core panes, then the parts that are specific to financial ICT risk are carried by the extension your programme needs.
What it unlocks, and what waiting costs
| What a running DORA programme unlocks | What waiting costs |
|---|---|
| A third-party register you can produce on request, not reconstruct. | A register that ages out the moment a vendor arrangement changes and nobody updates the spreadsheet. |
| Resilience testing results and incident timelines that live in one place with the controls they relate to. | Resilience evidence scattered across teams, assembled under time pressure when the authority asks. |
| ICT risk work that reuses your NIS2 and ISO 27001 controls instead of duplicating them. | The same ICT control documented three times for three frameworks. |
| A defensible answer for your competent authority that matches the one your ICT and security teams give. |
We are early, so we will not quote a customer count. The mechanism is the argument: when the register, the controls, and the evidence share one system, producing a supervisory answer is a lookup, not a project. That is where the time goes back.
The hesitations worth naming
GRC ROI is genuinely hard to prove precisely. Use your own numbers below to build the internal case. These inputs are yours; the output is your estimate, not ours.
Pipeline at risk
Enterprise deal value
typical affected deal, annualised
CHF 200K
Deals blocked or slowed
per year, your estimate
3 deals
Security questionnaires
your team fills out, per month
5 / month
Questionnaire overhead
Hours per questionnaire
across all people involved (SIG/CAIQ often run 6–12 hrs)
6 hrs
All-in hourly cost
fully-loaded: salary + overhead of the person filling it
CHF 125
Acuna starts from
CHF 5'388 / year, all frameworks included
120×
your est. cost
These are your estimates, not ours. GRC ROI is notoriously hard to measure: most of the value is in deals not lost, incidents not escalated, and audits not rebuilt from scratch. Use this to structure the internal conversation, not as a number we stand behind.
Built by people who ran the programmes
Acuna is built and operated by an established Swiss GRC group led by practitioners with decades of combined experience in audit, resilience, and information security. The platform models how a mature ICT risk programme actually runs, because the people who built it run programmes for a living.
The DORA third-party register ties to your live vendor inventory, not a static list.
ICT risk controls reuse across DORA, NIS2, and ISO 27001 on one core.
Priced per organisation, so every owner, reviewer, and auditor is included.
Data hosted in Switzerland and the EU.