IT governance, cybersecurity and digital transformation in Belgium
contact@itselect.be
DORA diagnostic
V1 · DORA readiness

DORA readiness diagnostic for SMEs and ICT providers

Assess your ability to respond to digital resilience expectations from financial-sector clients: ICT governance, incidents, continuity, testing, suppliers and evidence.

24 structured questions
6 DORA domains
90-day actionable roadmap
Use with caution. This tool supports operational preparation and decision-making. It is not legal advice and does not certify DORA compliance. The applicable scope must be validated with legal, compliance or competent authorities.
DORA readiness

Quick DORA readiness assessment

Select the real maturity level for each item. “Evidence” means the organisation can produce dated, validated and usable evidence.

01

ICT governance

Ownership, executive oversight, documentation and decision traceability.

An owner for digital resilience or ICT governance is identified.

Appointment, RACI matrix or steering committee record.

ICT risks are regularly reviewed by management.

Dashboard, risk register or executive reporting.

Security, continuity and incident management policies are documented.

Approved, versioned and accessible policies.

Critical IT decisions are recorded and justified.

Minutes, budget decisions, supplier decisions.
02

ICT risk management

Inventory, classification, controls, vulnerabilities and dependencies.

Critical assets, applications and services are inventoried.

Light CMDB, application register or service map.

ICT risks are assessed according to business impact and likelihood.

Risk matrix, scoring and risk owner.

Backups and restores are tested periodically.

Test report, RTO/RPO and restore evidence.

Vulnerabilities and patches are managed with business priority.

Scan results, patching plan, documented exceptions.
03

Incidents and escalation

Detection, classification, notification, logging and lessons learned.

An ICT incident procedure exists and is known by key teams.

Procedure, roles, contacts and severity levels.

Significant incidents are logged and analysed.

Incident register, timeline, root causes and corrective actions.

Escalation thresholds to clients, management or authorities are defined.

Decision tree, responsibilities and communication templates.

A lessons-learned review is conducted after major incidents.

Post-mortem, actions, owner and deadline.
04

Continuity and resilience

BCP/DRP, scenarios, tests, recovery and crisis communication.

Critical processes have defined recovery objectives.

RTO/RPO by service and business validation.

A continuity or recovery plan exists for essential services.

BCP/DRP, runbook, contacts and failover procedures.

Crisis exercises or recovery tests are performed.

Report, scenario, results and improvements.

Cloud, network and supplier dependencies are included in scenarios.

Dependency map and fallback options.
05

ICT suppliers and contracts

Supplier register, clauses, SLA, subcontracting and exit planning.

Critical ICT suppliers are identified and classified.

Supplier register, criticality and services provided.

Contracts cover SLA, security, incident, audit and exit provisions.

Contract clauses, security annexes and exit plan.

Subcontractors and chain dependencies are known.

Supplier declaration, location and subcontracting chain.

Supplier performance and risks are reviewed periodically.

Supplier committee, KPIs and action plans.
06

Evidence and 90-day roadmap

Evidence pack, priorities, budget, governance and client readiness.

Key documents can be provided quickly to a regulated client.

Evidence pack: policies, registers, tests and contracts.

Gaps are prioritised in a 30/60/90-day roadmap.

Action plan, owner, budget and deadline.

Teams can answer a client DORA questionnaire.

Standard answers, associated evidence and internal validation.

The exact applicable DORA scope is clarified with legal or compliance advice.

Scoping note, limits and responsibilities.

Roadmap

Recommended 30/60/90-day roadmap

A first engagement should produce simple, usable and defensible evidence for financial-sector clients.

30 days: Scope the perimeter

Scope the perimeter, identify critical services, appoint owners, build the supplier register and start the evidence pack.

60 days: Formalise incidents

Formalise incidents, backups, BCP/DRP, supplier clauses, RACI and ICT risk dashboard.

90 days: Test restore

Test restore, run an incident exercise, review critical contracts, produce a client evidence pack and arbitrate remediation budget.

This diagnostic is a decision-support tool. It is not legal advice and does not certify DORA compliance.