DORA (Regulation (EU) 2022/2554) requires EU financial entities to manage ICT risk, report major ICT-related incidents, and run a digital operational resilience testing programme — applicable since January 2025. CyberICS delivers scenario-based exercises, AI-generated After Action Reports, and audit-ready evidence supporting the DORA chapters on ICT incident management and resilience testing — turning a continuous regulatory obligation into demonstrable readiness across the EU financial sector.
DORA establishes a single, harmonised digital operational resilience framework across the EU financial sector. It binds a broad set of financial entities directly, and extends — via the oversight regime — to the ICT third-party service providers they depend on, including those designated as critical.
DORA applies to a wide range of regulated financial entities operating in the EU. Each must implement an ICT risk-management framework, manage and report major ICT-related incidents, and maintain a digital operational resilience testing programme proportionate to its size and risk profile.
DORA reaches the ICT supply chain. Financial entities must manage ICT third-party risk under Art. 28, while providers designated as critical (CTPPs) fall under a direct EU Oversight Framework. Joint exercises and coordinated incident response are central to demonstrating control of this dependency.
Art. 24 requires a sound, comprehensive digital operational resilience testing programme run on a risk-based basis, with appropriate tests at least yearly and lessons fed back under Art. 13. A standing CyberICS exercise programme turns that recurring requirement into a repeatable, evidence-generating cycle — in your team's working language.
DORA names specific ICT risk-management, incident-management, reporting, and resilience-testing duties. Scenario exercises directly satisfy the response-and-recovery, incident-management, reporting, and testing-programme requirements, and generate evidence for several more.
| Article | Obligation | Requirement Summary | CyberICS Capability | Coverage |
|---|---|---|---|---|
| Art. 5-6 | ICT risk-management framework | Establish, maintain and govern a sound, comprehensive ICT risk-management framework as part of the overall risk-management system | Exercises stress-test the framework's detection, response, and governance functions in action; the AI AAR documents how the framework performed and where it needs to evolve | Supporting |
| Art. 11 | Response & recovery | Implement an ICT business-continuity policy and response-and-recovery plans, and test them regularly | Scenario exercises rehearse response-and-recovery plans end-to-end under realistic disruption, producing the tested-plan record DORA requires | Core |
| Art. 13 | Learning & evolving | Conduct post-incident reviews after major ICT incidents and feed lessons learned back into the ICT risk framework and testing | Every exercise concludes with an AI After Action Report capturing root cause, gaps, and corrective actions — the structured learning loop Art. 13 mandates | Core |
| Art. 17 | ICT-related incident management process | Define and implement an ICT-related incident management process to detect, manage, classify and notify incidents | Exercises rehearse the full detection → classification → escalation → notification workflow, with every decision and timestamp logged as evidence | Core |
| Art. 19 | Reporting of major ICT incidents | Report major ICT-related incidents to the relevant competent authority within the DORA initial / intermediate / final reporting deadlines | The major-incident reporting drill rehearses the classification call and the who / what / timeline of the competent-authority report under realistic time pressure | Core |
| Art. 24 | General requirements for resilience testing | Establish a sound, comprehensive digital operational resilience testing programme run on a risk-based basis | A standing exercise programme is the testing system-of-record — recurring sessions, scope coverage, and AARs retained as the resilience-testing evidence base | Core |
| Art. 25 | Testing of ICT tools and systems | Apply an appropriate range of tests to ICT systems and tools (e.g. scenario-based tests, scans, reviews) and remediate findings | Scenario-based tests across core, payment, and trading systems validate ICT tools in context; remediation actions are tracked from the AAR | Supporting |
| Art. 26-27 | Threat-led penetration testing (TLPT) | Advanced testing via TLPT for designated entities, performed by accredited testers under a TIBER-EU-aligned framework | CyberICS supports TLPT preparation only — purple-team rehearsals, scoping workshops, and threat-scenario readiness ahead of an accredited engagement | Partial |
| Art. 28 | ICT third-party risk | Manage ICT third-party risk, including concentration, exit strategies and contractual safeguards across critical providers | Third-party-failure scenarios rehearse coordinated response, fail-over, and exit activation; content covers the risk domain but contracts and registers sit outside the exercise | Partial |
Three core capabilities work together to deliver, document, and evidence your ICT incident-management and operational-resilience-testing obligations.
Live Session mode runs real-time, multi-participant resilience exercises. Every step, decision, and host action is timestamped — producing the auditable response-and-recovery and testing record DORA requires you to retain.
Immediately after each exercise, CyberICS generates a structured AAR documenting the response actions taken, gaps, and DORA article references — the artifact a CISO or operational-resilience lead files as proof the test happened and what it found.
The Compliance Dashboard assembles a DORA evidence package — testing-programme coverage, major-incident reporting drill records, third-party joint-exercise records, and a board-level summary — so an operational-resilience lead walks into a supervisory review with the file already built.
Six high-fidelity scenarios built for financial entities — core-banking, payments, trading, ransomware, third-party, and cloud resilience — ready to run with AI facilitator briefing included.
A critical core-banking platform fails, cutting off account access and settlement. Exercises ICT business continuity, response-and-recovery activation, and the major-incident classification call under DORA timelines.
Payment-rail connectivity and SWIFT messaging are disrupted, halting outbound transfers. The team must scope impact, contain, and execute the major-incident report to the competent authority under pressure.
An investment firm's trading platform degrades during market hours, threatening orderly execution and client obligations. Tests response-and-recovery, fail-over, and resilience-testing coverage of a critical function.
Ransomware encrypts internal systems and threatens customer data exposure. Exercises containment, recovery from backups, the major-incident classification and reporting decision, and learning-and-evolving follow-up.
A critical ICT third-party provider suffers a major outage affecting multiple financial services. Exercises ICT third-party risk response, coordinated incident handling, exit-strategy activation, and concentration risk.
A cloud region or primary data-centre is lost, forcing fail-over of critical functions. A planned resilience test of recovery-time objectives, cloud-region redundancy, and the testing-programme evidence trail.
Plus 300+ additional ICS/OT and enterprise scenarios spanning the sectors and dependencies the EU financial sector relies on. Browse the full library →
Every CyberICS exercise generates four categories of evidence supporting DORA ICT incident-management, resilience-testing, and reporting demonstration during a supervisory review.
Structured post-exercise report capturing response actions, root cause, gaps, and corrective actions — the learning-and-evolving record DORA expects.
Dated, scoped record of each resilience test — what was tested, who took part, and the outcome — forming the testing-programme evidence base.
Timestamped log of a competent-authority reporting drill — the classification call, who decided what, and how fast — demonstrating reporting readiness.
Executive summary of resilience-testing posture, gaps, and remediation for the management body — supporting board accountability under DORA governance.
CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.
Start with a free 14-day trial — no credit card required. Or speak with our financial-resilience team about a standing DORA operational-resilience-testing exercise programme that pairs with your ICT risk framework.
Also explore: NIS2 Toolkit · ISO 27001 Toolkit · CISA CTEP Toolkit