NEW — Best Value to Start
DORA Power Assessment
30-minute expert video call + personalised compliance report. We analyse your current DORA posture and deliver a prioritised action plan within 48 hours.
- 30-min 1-on-1 video session with DORA specialist
- Written compliance score with gap highlights
- Top-5 priority actions tailored to your institution
- 100% applicable towards a half-day booking
Or Choose a Full Engagement
Most Popular
Full Day
8 hours
1,890 EUR HT
Save 5% vs 2 half-days
Pay & Book
5-Day Pack
40 hours
8,500 EUR HT
Save 14% vs daily rate
Pay & Book
What We Deliver
DORA Gap Analysis
Systematic audit of your current posture against all 5 DORA pillars. You get a prioritized remediation roadmap with clear ownership and deadlines.
- Full 5-pillar compliance assessment
- Risk-ranked gap register
- Remediation roadmap with timelines
- Executive summary for the board
Book Half-Day
Implementation Roadmap
We build a concrete, phased implementation plan tailored to your institution's size, risk profile, and existing frameworks.
- Phased implementation timeline
- Resource and budget estimation
- Quick wins identification
- Milestone tracking framework
Book Half-Day
ICT Governance & Risk Framework
Design and implement the governance structure DORA requires: roles, responsibilities, risk appetite, and reporting lines.
- ICT risk management framework design
- Governance structure & RACI matrix
- Risk appetite statement drafting
- Board reporting templates
Book Half-Day
TLPT & Resilience Testing
Prepare for and coordinate Threat-Led Penetration Testing under the TIBER-EU framework. We manage the full lifecycle.
- TLPT scoping & preparation
- TIBER-EU framework alignment
- Red team provider selection
- Purple team exercises & remediation
Book Half-Day
Third-Party Risk Management
Build your Register of Information, review ICT contracts, and establish a robust vendor oversight framework per Article 28.
- Register of Information (RoI) build
- ICT contract clause review
- Vendor risk scoring methodology
- Exit strategy documentation
Book Half-Day
Incident Management & Reporting
Design your incident response procedures aligned with DORA's strict major-incident reporting timelines: initial notification within 4 hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), intermediate report within 72 hours of the initial notification, final report within 1 month of the intermediate report.
- Incident classification framework
- Response playbook development
- NCA reporting templates
- Tabletop exercise facilitation
Book Half-Day
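As an added worked example (not part of the original page or the consultancy's material), the following Python computes the three reporting deadlines for a major ICT-related incident under DORA Article 19 and the RTS on incident reporting. The 24-hour cap on the initial notification, measured from awareness, comes from the RTS rather than from the page text above; reading "one month" as the same calendar day of the following month (clamped to month end) and the use of UTC timestamps are assumptions, and all timestamps in the demo are constructed.

```python
from datetime import datetime, timedelta, timezone
import calendar

# Reporting windows for a major ICT-related incident under DORA Art. 19 and the
# RTS on incident reporting (Commission Delegated Regulation (EU) 2025/301).
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)   # initial notification
INITIAL_CAP_AFTER_AWARENESS = timedelta(hours=24)   # hard cap from awareness
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)    # intermediate report


def utc(*args) -> datetime:
    """Helper: build a timezone-aware UTC timestamp (assumption: all clocks in UTC)."""
    return datetime(*args, tzinfo=timezone.utc)


def add_one_month(ts: datetime) -> datetime:
    """Same calendar day in the next month, clamped to that month's last day.
    Reading 'one month' as a calendar month rather than 30 days is an assumption."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def initial_notification_deadline(aware_at: datetime, classified_at: datetime) -> datetime:
    """4 hours after classification as major, but never later than 24 hours
    after the entity became aware of the incident (whichever comes first).
    A late classification therefore does not buy extra time."""
    if classified_at < aware_at:
        raise ValueError("classification cannot precede awareness")
    return min(classified_at + INITIAL_AFTER_CLASSIFICATION,
               aware_at + INITIAL_CAP_AFTER_AWARENESS)


def reporting_schedule(aware_at, classified_at, initial_sent_at=None, intermediate_sent_at=None):
    """Deadlines for all three reports. Each later deadline chains from the actual
    submission time of the previous report when known, otherwise from that
    report's own deadline (the worst case, useful for planning)."""
    initial_due = initial_notification_deadline(aware_at, classified_at)
    intermediate_due = (initial_sent_at or initial_due) + INTERMEDIATE_AFTER_INITIAL
    final_due = add_one_month(intermediate_sent_at or intermediate_due)
    return {"initial": initial_due, "intermediate": intermediate_due, "final": final_due}


def late_reports(aware_at, classified_at, sent, now):
    """Names of reports that missed their deadline: either filed after it, or
    still unfiled once the deadline has passed. `sent` maps stage -> filing time."""
    schedule = reporting_schedule(aware_at, classified_at,
                                  sent.get("initial"), sent.get("intermediate"))
    late = []
    for stage in ("initial", "intermediate", "final"):
        due = schedule[stage]
        sent_at = sent.get(stage)
        if sent_at is not None and sent_at > due:
            late.append(stage)
        elif sent_at is None and now > due:
            late.append(stage)
    return late


if __name__ == "__main__":
    # Constructed scenario: detection on 10 March, classified as major only
    # 24h45m later, so the 24-hour cap (not the 4-hour window) sets the deadline.
    aware = utc(2026, 3, 10, 9, 15)
    classified = utc(2026, 3, 11, 10, 0)
    filed = {"initial": utc(2026, 3, 11, 10, 0)}
    for stage, due in reporting_schedule(aware, classified, filed["initial"]).items():
        print(f"{stage:12s} due {due.isoformat()}")
    print("late:", late_reports(aware, classified, filed, now=utc(2026, 3, 11, 12, 0)))
```

The duty officer's practical lesson is in the first function: the clock on the initial notification effectively starts at awareness, so a classification process that takes longer than 20 hours leaves no room at all.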
Business Continuity & Recovery
Develop and test your ICT business continuity plans, disaster recovery strategies, and crisis communication protocols.
- BCP/DRP development & review
- Recovery time objective setting
- Crisis simulation exercises
- Communication protocol design
Book Half-Day
Framework Alignment
Map your existing controls (ISO 27001, NIST, COBIT) to DORA requirements. Avoid duplication and leverage what you already have.
- DORA vs ISO 27001 mapping
- NIST CSF alignment analysis
- NIS2 cross-compliance review
- EBA/EIOPA guidelines integration
Book Half-Day
How It Works
1
Book a Slot
Choose a date that works for your team. Half-day, full day, or multi-day engagement.
2
Briefing Call
30-minute pre-engagement call to understand your context, scope, and priorities.
3
Delivery
On-site or remote session. Actionable deliverables within 48 hours.
Our Engagement Methodology
Effective DORA consulting work is not lectures, slides or theoretical frameworks — it is concrete, document-grade output that survives a supervisor's scrutiny twelve months later. Every engagement we run follows a four-step methodology designed for compliance evidence and operational usability.
1
Discovery
30-minute pre-call to understand entity authorisation, supervisor, current frameworks (ISO 27001, NIST CSF, EBA guidelines), and immediate priorities. Output: scope brief and pre-read list shared 48 hours before the session.
2
Working session
Live structured discussion against a working template. We don't brainstorm — we fill in gaps in pre-built artefacts (gap register, RACI, register of information, contract clause matrix, etc.) so the working session itself produces deliverable-grade output.
3
Deliverable
Written deliverable produced within 48 hours. Format depends on engagement (gap register spreadsheet, board-ready slide deck, framework outline document, contract review notes). All deliverables include explicit DORA article citations.
4
Follow-up
30-minute follow-up call within 7 days to walk through the deliverable, answer implementation questions, and adjust priorities. Available for 30 days post-engagement at no extra cost.
Why Choose This Engagement Model
The DORA consulting market in 2026 is dominated by two formats: large-firm engagements that deliver methodology decks at €200K-€2M with multi-month timelines, and individual freelancers offering hourly rates with limited evidence of regulatory expertise. Our model is built for the institutions that find both options unfit: too slow and expensive on the one hand, too unstructured on the other.
Fixed-fee, fixed-scope sessions: Each engagement format (half-day, full-day, 5-day) has a documented scope, agreed deliverables, and a single all-in price. No hourly meter, no scope creep, no surprise overruns. The only variable is the topic — you pick what to focus on, we deliver against it.
Document-first delivery: The output is always a tangible document a board, supervisor or auditor can read. We do not deliver "verbal advice" or "discussion summaries" — every engagement produces a written artefact you can paste into your compliance evidence file.
DORA specialism, not generalist consulting: Our practice is exclusively DORA and adjacent frameworks (NIS2, GDPR, EBA/EIOPA guidelines, TIBER-EU, ISO 27001/27002 mappings to DORA). We do not run a parallel ERP practice, audit practice or strategy practice. Every senior consultant has worked on at least 15 DORA engagements across multiple sectors.
EU-specific, not US-imported: DORA is a Regulation under EU law with specific interactions with Solvency II, CRD/CRR, MiFID II, MiCAR and PSD2. We work natively in this regulatory ecosystem — not by adapting US-style cybersecurity playbooks to a European audience.
What You Walk Away With
Concrete deliverables vary by engagement type, but every consulting outcome shares the same characteristics: written, citation-rich, supervisor-ready. Examples from recent engagements:
- Gap analysis (5-day): 47-page DORA gap register covering all 5 pillars and 13 RTS, with 156 prioritised remediation items, ownership, effort estimates, and target dates. Used by the bank's CRO to negotiate the 2026 ICT budget.
- Register of Information build (5-day): Complete XBRL/XML-ready register for a mid-size insurer, covering 312 ICT contracts with sub-outsourcing chains down to Tier 3. Validated for the 30 April supervisory submission with fewer than 3% missing fields.
- Article 30 contract review (full-day): 14 critical vendor contracts reviewed against Article 30 mandatory clauses; gap matrix delivered with negotiation talking points for each missing/weak clause.
- TLPT scoping & procurement (full-day + half-day): Complete TLPT scope document, NCA notification draft, RFP package for red team firm selection, evaluation matrix, vendor shortlist with strengths/weaknesses.
- Board readiness brief (half-day): 25-slide board pack covering DORA accountability framework, top risk areas for the institution, supervisory expectations, and the 2026 management programme. Delivered ahead of the spring board cycle.
- Incident classification framework (half-day): Decision tree, classification thresholds tailored to the institution, NCA portal walkthrough, and tabletop exercise script for the duty officer team.
Framework Expertise
ISO 27001: Information Security
NIST CSF: Cybersecurity Framework
COBIT: IT Governance
TIBER-EU: Threat-Led Testing
NIS2: Network and Information Security Directive
EBA/EIOPA: Supervisory Guidelines
PCI DSS: Payment Security
GDPR: Data Protection
Which Option Fits Your Institution?
Consulting delivers momentum. Resiplan keeps it running. Many clients combine both.
Consulting
Expert-led engagements: gap analysis, implementation, TLPT preparation.
Best for: one-off projects, deep expertise, urgent deadlines.
From 149 EUR
RECOMMENDED
Resiplan SaaS
Continuous DORA/GRC automation: register, incidents, vendor risk, dashboards.
Best for: day-to-day compliance, audit-readiness, scaling across subsidiaries.
Try free 14 days →
Hybrid (Best Value)
Consulting to kick-off + Resiplan to sustain. Our most popular combo.
Best for: institutions wanting expert setup then autonomy.
Discuss your needs →
Frequently Asked Questions
What is the difference between a half-day, full-day and 5-day engagement?
A half-day (4 hours) suits a focused topic — a register of information review, a TLPT scoping session, an Article 30 contract clause workshop, or a board readiness brief. A full day (8 hours) addresses two related themes (e.g., gap analysis + roadmap) or a deep dive into a single complex topic. The 5-day pack (40 hours) covers a complete workstream — typically a full DORA gap analysis with prioritised remediation backlog, or end-to-end TLPT preparation, or building the Register of Information from scratch. We always deliver written outputs within 48 hours of session completion.
Do you provide on-site consulting or only remote?
Both. Most engagements run remotely via secure video conferencing; we have delivered DORA work to institutions across 22 EU countries this way. On-site engagements are available across Continental Europe, with travel costs invoiced separately at cost. For sensitive topics such as TLPT scoping, board briefings or incident response work, on-site is often preferable.
What is the DORA Power Assessment and how is it different from the half-day?
The Power Assessment (€149) is an entry-point format: a 30-minute structured video call followed by a written report with compliance score and top-5 priority actions delivered within 48 hours. The €149 fee is fully credited against any subsequent half-day or larger booking — so it is effectively risk-free.
What deliverables do I get with each engagement?
Every engagement produces written outputs. A typical half-day produces a 6-12 page deliverable plus session recordings and any working artefacts (spreadsheets, templates, RACI matrices). The 5-day pack typically produces a 30-50 page comprehensive output with annexes. All deliverables are yours to use and modify.
Are you independent of vendors and software providers?
Yes. We have no commercial referral arrangements with software vendors, GRC platforms, hyperscalers or testing providers. Where the engagement involves vendor selection, we provide objective shortlists with strengths/weaknesses but never recommend a single vendor in exchange for fees.
Can you support a TLPT exercise end-to-end?
Yes. We act as the white team coordinator, managing scope, NCA notification, threat intelligence provider selection, red team firm selection, schedule, blue team isolation, and post-exercise reporting. We do NOT perform the red team work itself (the independence requirement for testers under the RTS on TLPT); we orchestrate the exercise so the institution receives a defensible attestation file at completion.
How quickly can you start?
Typically 1-2 weeks from confirmed booking to first session. Urgent matters (incident response support, board briefings ahead of supervisory visits) can be accommodated faster. The Power Assessment can be scheduled within 5 business days.
Do you sign NDAs and work under client confidentiality?
Yes. Every engagement includes a comprehensive NDA executed before any sensitive material is shared. We handle client material under ISO 27001-aligned controls. Client material is never used for marketing without explicit written consent.
What sectors do you serve?
All financial entities in DORA scope: credit institutions, insurance and reinsurance undertakings, insurance intermediaries, IORPs, investment firms, payment institutions, e-money institutions, CCPs, CSDs, trading venues, managers of alternative investment funds (AIFMs) and UCITS management companies, crowdfunding service providers, and crypto-asset service providers under MiCAR. We also work with ICT third-party providers seeking to align their offering with DORA expectations.
How are fees invoiced — is VAT included?
All listed prices are HT (excluding VAT). VAT is added at the standard rate of the supply jurisdiction unless reverse charge applies. Invoices are issued through our entity in the EU; payment terms are net 30 days from invoice date.