Hands-on advisory for financial institutions navigating the Digital Operational Resilience Act. From gap analysis to full implementation — we deliver actionable results, not reports that gather dust.
150+ Institutions Served
990 EUR / Half-Day
ISO 27001 Certified
NEW — Best Value to Start
DORA Power Assessment
30-minute expert video call + personalised compliance report. We analyse your current DORA posture and deliver a prioritised action plan within 48 hours.
30-min 1-on-1 video session with DORA specialist
Written compliance score with gap highlights
Top-5 priority actions tailored to your institution
Not sure whether DORA applies to you? We classify your entity against Article 2 (and any exemptions), confirm which obligations apply, and deliver a written memo you can show your board or supervisor.
The DORA Consultant Kit bundles our 4 flagship template packs + the Certified DORA Advisor certification — €615 of products for €349. Many consultants pair it with a half-day session on their first engagement.
Choose a date that works for your team. Half-day, full day, or multi-day engagement.
2. Briefing Call
30-minute pre-engagement call to understand your context, scope, and priorities.
3. Delivery
On-site or remote session. Actionable deliverables within 48 hours.
Our Engagement Methodology
Effective DORA consulting work is not lectures, slides or theoretical frameworks — it is concrete, document-grade output that survives a supervisor's scrutiny twelve months later. Every engagement we run follows a four-step methodology designed for compliance evidence and operational usability.
1. Discovery
30-minute pre-call to understand entity authorisation, supervisor, current frameworks (ISO 27001, NIST CSF, EBA guidelines), and immediate priorities. Output: scope brief and pre-read list shared 48 hours before the session.
2. Working session
Live structured discussion against a working template. We don't brainstorm — we fill in gaps in pre-built artefacts (gap register, RACI, register of information, contract clause matrix, etc.) so the working session itself produces deliverable-grade output.
3. Deliverable
Written deliverable produced within 48 hours. Format depends on engagement (gap register spreadsheet, board-ready slide deck, framework outline document, contract review notes). All deliverables include explicit DORA article citations.
4. Follow-up
30-minute follow-up call within 7 days to walk through the deliverable, answer implementation questions, and adjust priorities. Available for 30 days post-engagement at no extra cost.
Why Choose This Engagement Model
The DORA consulting market in 2026 is dominated by two formats: large-firm engagements that deliver methodology decks at €200K-€2M with multi-month timelines, and individual freelancers offering hourly rates with limited evidence of regulatory expertise. Our model is built for the institutions that find both options unfit: too slow and expensive on the one hand, too unstructured on the other.
Fixed-fee, fixed-scope sessions: Each engagement format (half-day, full-day, 5-day) has a documented scope, agreed deliverables, and a single all-in price. No hourly meter, no scope creep, no surprise overruns. The only variable is the topic — you pick what to focus on, we deliver against it.
Document-first delivery: The output is always a tangible document a board, supervisor or auditor can read. We do not deliver "verbal advice" or "discussion summaries" — every engagement produces a written artefact you can paste into your compliance evidence file.
DORA specialism, not generalist consulting: Our practice is exclusively DORA and adjacent frameworks (NIS2, GDPR, EBA/EIOPA guidelines, TIBER-EU, ISO 27001/27002 mappings to DORA). We do not run a parallel ERP practice, audit practice or strategy practice. Every senior consultant has worked on at least 15 DORA engagements across multiple sectors.
EU-specific, not US-imported: DORA is a Regulation under EU law with specific interactions with Solvency II, CRD/CRR, MiFID II, MiCAR and PSD2. We work natively in this regulatory ecosystem — not by adapting US-style cybersecurity playbooks to a European audience.
What You Walk Away With
Concrete deliverables vary by engagement type, but every consulting outcome shares the same characteristics: written, citation-rich, supervisor-ready. Examples from recent engagements:
Gap analysis (5-day): 47-page DORA gap register covering all 5 pillars and 13 RTS, with 156 prioritised remediation items, ownership, effort estimates, and target dates. Used by the bank's CRO to negotiate the 2026 ICT budget.
Register of Information build (5-day): Complete XBRL/XML-ready register for a mid-size insurer, covering 312 ICT contracts with sub-outsourcing chains down to Tier 3. Validated for 30 April supervisory submission with <3% missing fields.
Article 30 contract review (full-day): 14 critical vendor contracts reviewed against Article 30 mandatory clauses; gap matrix delivered with negotiation talking points for each missing/weak clause.
TLPT scoping & procurement (full-day + half-day): Complete TLPT scope document, NCA notification draft, RFP package for red team firm selection, evaluation matrix, vendor shortlist with strengths/weaknesses.
Board readiness brief (half-day): 25-slide board pack covering DORA accountability framework, top risk areas for the institution, supervisory expectations, and the 2026 management programme. Delivered ahead of the spring board cycle.
Incident classification framework (half-day): Decision tree, classification thresholds tailored to the institution, NCA portal walkthrough, and tabletop exercise script for the duty officer team.
Framework Expertise
ISO 27001: Information Security
NIST CSF: Cybersecurity Framework
COBIT: IT Governance
TIBER-EU: Threat-Led Testing
NIS2: Network Security Directive
EBA/EIOPA: Supervisory Guidelines
PCI DSS: Payment Security
GDPR: Data Protection
Which Option Fits Your Institution?
Consulting delivers momentum. Resiplan keeps it running. Many clients combine both.
Consulting
Expert-led engagements: gap analysis, implementation, TLPT preparation.
Best for: one-off projects, deep expertise, urgent deadlines.
Join our partner programme — list your firm and receive qualified, in-scope referrals from financial entities and ICT providers across the EU. No listing fee.
What is the difference between a half-day, full-day and 5-day engagement?
A half-day (4 hours) suits a focused topic — a register of information review, a TLPT scoping session, an Article 30 contract clause workshop, or a board readiness brief. A full day (8 hours) addresses two related themes (e.g., gap analysis + roadmap) or a deep dive into a single complex topic. The 5-day pack (40 hours) covers a complete workstream — typically a full DORA gap analysis with prioritised remediation backlog, or end-to-end TLPT preparation, or building the Register of Information from scratch. We always deliver written outputs within 48 hours of session completion.
Do you provide on-site consulting or only remote?
Both. Most engagements run remotely via secure video conferencing — we have delivered DORA work to institutions across 22 EU countries this way. On-site engagements are available across Continental Europe with travel costs invoiced separately at cost. For sensitive topics like TLPT scoping, board briefings or incident response work, on-site is often preferable.
What is the DORA Power Assessment and how is it different from the half-day?
The Power Assessment (€149) is an entry-point format: a 30-minute structured video call followed by a written report with compliance score and top-5 priority actions delivered within 48 hours. The €149 fee is fully credited against any subsequent half-day or larger booking — so it is effectively risk-free.
What deliverables do I get with each engagement?
Every engagement produces written outputs. A typical half-day produces a 6-12 page deliverable plus session recordings and any working artefacts (spreadsheets, templates, RACI matrices). The 5-day pack typically produces a 30-50 page comprehensive output with annexes. All deliverables are yours to use and modify.
Are you independent of vendors and software providers?
Yes. We have no commercial referral arrangements with software vendors, GRC platforms, hyperscalers or testing providers. Where the engagement involves vendor selection, we provide objective shortlists with strengths/weaknesses but never recommend a single vendor in exchange for fees.
Can you support a TLPT exercise end-to-end?
Yes. We act as the white team coordinator — managing scope, NCA notification, threat intelligence provider selection, red team firm selection, schedule, blue team isolation, and post-exercise reporting. We do NOT perform the red team work itself (independence requirement under TLPT RTS); we orchestrate the exercise so the institution receives a defensible attestation file at completion.
How quickly can you start?
Typically 1-2 weeks from confirmed booking to first session. Urgent matters (incident response support, board briefings ahead of supervisory visits) can be accommodated faster. The Power Assessment can be scheduled within 5 business days.
Do you sign NDAs and work under client confidentiality?
Yes. Every engagement includes a comprehensive NDA executed before any sensitive material is shared. We handle client material under ISO 27001-aligned controls. Client material is never used for marketing without explicit written consent.
What sectors do you serve?
All financial entities in DORA scope: credit institutions, insurance and reinsurance undertakings, insurance intermediaries, IORPs, investment firms, payment institutions, e-money institutions, CCPs, CSDs, trading venues, AIFs and UCITS managers, crowdfunding service providers, crypto-asset service providers under MiCAR. We also work with ICT third-party providers seeking to align their offering with DORA expectations.
How are fees invoiced — is VAT included?
All listed prices are HT (excluding VAT). VAT is added at the standard rate of the supply jurisdiction unless reverse charge applies. Invoices are issued through our entity in the EU; payment terms are net 30 days from invoice date.
Ready to Start?
Book a free 30-minute discovery call. No commitment, no sales pitch — just an honest assessment of where you stand.