Resilience Compliance · DORA Live · Jan 2025 · AP2 Mandate + CRO Memo
Dual-Compliance Control Deduplicator
For EU financial entities subject to both DORA (EU 2022/2554) and NIS2 (EU 2022/2555). Visualise the control overlap as a Venn diagram, classify a live incident against the 4-hour NCA notification window, and export a Consolidated Resilience Roadmap as an AP2 JSON mandate ready for your Chief Risk Officer.
Zero PII · Client-side · Lex specialis: DORA supersedes NIS2 on ICT risk for in-scope financial entities · Last Reviewed · 2026-05-12
🔒 All inputs are processed locally in your browser. No data is transmitted. Do not enter real personal data — use synthetic or anonymised inputs only.
DORA · in force since 17 January 2025
LIVE
DORA (EU 2022/2554) entered application on 17 January 2025. Articles 17–19 incident classification and notification are live; major ICT-related incidents must be reported to the relevant National Competent Authority on a defined timeline. NIS2 (EU 2022/2555) transposition deadline was October 2024; member-state implementation continues to vary through 2026. Penalties for essential entities: up to €10M or 2% of global annual turnover.
Hover a region to filter the 14-control matrix below. DORA is lex specialis for ICT risk management on financial entities — the green intersection is your deduplication opportunity. The purple ring marks controls where the AI Act's High-Risk Management System obligations co-apply.
Legend: NIS2-only · DORA-only · Shared · AI-Act overlap
8 · Shared controls: satisfy both regimes with one implementation.
8 · Dedup opportunities: map one set of evidence to two regulators.
3 · DORA-only: lex specialis, financial-entity-only obligations.
3 · NIS2-only: sector-wide horizontal obligations.
§2 · Dual-Compliance Matrix 14 controls
CONTROL AREA · DORA · NIS2 · CLASSIFICATION
§3 · Incident Classification Wizard DORA Art. 17–19 · ITS 2024/1772
Live incident triage — with NCA notification countdown
Answer the four thresholds to classify under DORA Art. 18 (major / significant cyber threat / minor). If classified as major, start the 4-hour countdown to your initial NCA notification under Art. 19(1).
Step 1 · Clients / Counterparties Affected: number of clients impacted or transactions affected?
Step 2 · Service Downtime: duration of service disruption to a critical or important function?
Step 3 · Geographical Spread: cross-border impact across EU member states?
Step 4 · Data Loss / Economic Impact: confidentiality breach, integrity loss, or economic impact?
Step 5 · Threat Vector (optional): is this a malicious cyber threat that did NOT yet materialise as an incident?
— Awaiting Inputs —
Complete steps 1–4 to derive a DORA Art. 18 classification.
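The wizard above is a five-step decision procedure followed by a notification countdown. The example below is an added illustration, not the page's own wizard code or its AP2 export schema. The page does not state how the four thresholds combine into a classification, so the combination rule here (any of steps 1–4 met yields "major") is an assumption, as is the shape of the exported record; the 4-hour initial-notification window is the one the page quotes for Art. 19(1).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed countdown: the page states a 4-hour initial NCA notification window
# for incidents classified as major under DORA Art. 19(1).
NCA_INITIAL_NOTIFICATION = timedelta(hours=4)


@dataclass
class WizardInputs:
    """One answer per wizard step; True means the threshold was met."""
    clients_affected: bool          # Step 1: clients / counterparties
    service_downtime: bool          # Step 2: critical/important function down
    cross_border: bool              # Step 3: impact in several member states
    data_or_economic: bool          # Step 4: data loss or economic impact
    malicious_threat_only: bool = False  # Step 5: threat not yet materialised


def classify(inp: WizardInputs) -> str:
    """Map wizard answers to the page's three outcomes.

    ASSUMED rule (the page gives none): any Step 1-4 threshold met => major;
    otherwise a malicious, unmaterialised threat => significant cyber threat;
    otherwise minor.
    """
    thresholds = (inp.clients_affected, inp.service_downtime,
                  inp.cross_border, inp.data_or_economic)
    if any(thresholds):
        return "major"
    if inp.malicious_threat_only:
        return "significant cyber threat"
    return "minor"


def notification_deadline(classification: str,
                          classified_at: datetime) -> Optional[datetime]:
    """Deadline for the initial NCA notification; only major incidents start it."""
    if classification != "major":
        return None
    return classified_at + NCA_INITIAL_NOTIFICATION


def triage_record(inp: WizardInputs, classified_at: datetime) -> dict:
    """Constructed JSON-ready record of the triage outcome (not the AP2 schema)."""
    classification = classify(inp)
    deadline = notification_deadline(classification, classified_at)
    return {
        "classification": classification,
        "classified_at": classified_at.isoformat(),
        "nca_initial_notification_due": deadline.isoformat() if deadline else None,
    }
```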
§4 · Consolidated Resilience Roadmap For the Chief Risk Officer
12-step deduplicated programme
A roadmap composed from the matrix above + the wizard outcome. Exports as an AP2 JSON mandate addressable by your governance / GRC agent stack.
RegTech
Turning a compliance clock into an operating plan?
We help institutions operationalize obligations like DORA, MiCA, the EU AI Act, CFPB §1033 and AML — past the checklist and into production. Tell us what's on your enforcement calendar.