Solutions · DORA

DORA compliance, operated not improvised

The Digital Operational Resilience Act makes ICT risk a board-level obligation for financial entities and their critical providers. Acuna runs the whole programme in one place: the ICT risk framework, the third-party register, resilience testing, and incident reporting, each tied to a named owner and the evidence that proves it.

ICT third-party register on one systemDORA mapped alongside NIS2 and ISO 2700150+ frameworks on one core

In short

DORA (Regulation (EU) 2022/2554) requires financial entities to manage ICT risk, maintain a register of information on ICT third-party arrangements, test their operational resilience, and report major ICT-related incidents to their competent authority. Acuna is a multi-framework GRC platform that operationalises those obligations: it maps the DORA requirements once, keeps the third-party register live against your vendor inventory, and ties every control to an owner and to evidence.

Turn a supervisory obligation into operational resilience you can prove

DORA is not a document exercise. Your competent authority can ask, at short notice, for your ICT third-party register, your resilience testing results, and your incident timeline. The entities that handle DORA well are the ones where those answers already exist as a running system, not a project that spins up when the regulator writes. That is the difference between resilience as a state you maintain and resilience as a scramble you survive.

One system for the whole DORA programme

DORA maps once across the four core panes, then the parts that are specific to financial ICT risk are carried by the extension your programme needs.

Map the DORA requirements once and crosswalk them to the frameworks you already run, so ICT risk management under DORA reuses the controls you built for NIS2 and ISO 27001 rather than starting over.

Turn the mapped requirements into controls with named owners, so the ICT risk framework has accountable people behind it, not a policy document nobody maintains.

Keep the programme current between reviews: recurring tasks for resilience testing, control checks, and the register updates that DORA expects to be continuous rather than annual.

Produce the evidence pack and the incident and testing records a competent authority asks for, as a live view rather than a weekend assembly job.

Framework-specific extension

DORA Article 28 requires a register of information on your ICT third-party arrangements and contractual requirements for critical providers. Supplier Shield keeps that register live against your vendor inventory and runs the assessment campaigns behind it. The tightest fit in the whole programme: see third-party risk management for the full capability.

What it unlocks, and what waiting costs

What a running DORA programme unlocks vs What waiting costs
What a running DORA programme unlocksWhat waiting costs
A third-party register you can produce on request, not reconstruct.A register that ages out the moment a vendor arrangement changes and nobody updates the spreadsheet.
Resilience testing results and incident timelines that live in one place with the controls they relate to.Resilience evidence scattered across teams, assembled under time pressure when the authority asks.
ICT risk work that reuses your NIS2 and ISO 27001 controls instead of duplicating them.The same ICT control documented three times for three frameworks.
A defensible answer for your competent authority that matches the one your ICT and security teams give.

We are early, so we will not quote a customer count. The mechanism is the argument: when the register, the controls, and the evidence share one system, producing a supervisory answer is a lookup, not a project. That is where the time goes back.

The hesitations worth naming

GRC ROI is genuinely hard to prove precisely. Use your own numbers below to build the internal case. These inputs are yours; the output is your estimate, not ours.

Pipeline at risk

Enterprise deal value

typical affected deal, annualised

CHF 200K

CHF 10KCHF 1M

Deals blocked or slowed

per year, your estimate

3 deals

015

Security questionnaires

your team fills out, per month

5 / month

020 / month

Questionnaire overhead

Hours per questionnaire

across all people involved (SIG/CAIQ often run 6–12 hrs)

6 hrs

1 hr40 hrs

All-in hourly cost

fully-loaded: salary + overhead of the person filling it

CHF 125

CHF 25CHF 500
Pipeline at riskCHF 600'000
Questionnaire overhead / year (5×/mo × 6 hrs × CHF 125)CHF 45'000
Total identifiable costCHF 645'000

Acuna starts from

CHF 5'388 / year, all frameworks included

120×

your est. cost

These are your estimates, not ours. GRC ROI is notoriously hard to measure: most of the value is in deals not lost, incidents not escalated, and audits not rebuilt from scratch. Use this to structure the internal conversation, not as a number we stand behind.

Built by people who ran the programmes

Acuna is built and operated by an established Swiss GRC group led by practitioners with decades of combined experience in audit, resilience, and information security. The platform models how a mature ICT risk programme actually runs, because the people who built it run programmes for a living.

  1. The DORA third-party register ties to your live vendor inventory, not a static list.

  2. ICT risk controls reuse across DORA, NIS2, and ISO 27001 on one core.

  3. Priced per organisation, so every owner, reviewer, and auditor is included.

  4. Data hosted in Switzerland and the EU.

DORA: common questions.

Get started

Run DORA as a system, not a scramble

See how the ICT register, controls, and evidence run in one place.