DORA Gap Assessment Template

This template is designed for organizations required to adhere to the EU’s Digital Operational Resilience Act (DORA). 

About the Template

The Excel template has four sheets:

  • Information: An overview of the regulations included in the template, with easy navigation to each section.
  • Requirements: This is the heart of the template. It lists all the requirements from the regulation. For each requirement, you can assess your compliance status.
  • Dashboard: A visual representation of your compliance status, showing which areas are fully compliant, partially compliant, non-compliant, or not applicable.
  • Changelog: Any updates or changes to the template will be recorded here for version control.

Step-by-Step Instructions

Step 1: Understanding the Template

The template has the following columns:

  • Chapter
  • Article
  • Requirement ID
  • Requirement
  • Compliance
  • Notes

Each row represents a specific regulatory requirement that needs to be assessed for compliance.

Step 2: Review the Requirements

Review the Requirements:

  1. Begin by reading through each requirement listed in the Requirement column. These are the regulatory expectations that must be evaluated.
  2. Each requirement is categorized under a specific Chapter and Article, which corresponds to the relevant section of the regulation.
  3. Assign Compliance Status:
    • For each requirement, evaluate the organization’s current practices, controls, and processes.
    • In the Compliance column, use the dropdown menu to select one of the following statuses:
      • Not Applicable: The requirement does not apply to the organization.
      • Fully Compliant: Your organization fully meets the requirement.
      • Partially Compliant: Your organization meets some, but not all, aspects of the requirement. This could mean that either the full intent of the requirement is not met or it is not fully complied with in all cases or functions within the organization.
      • Not Compliant: Your organization does not meet the requirement at all.

  4. Document the context:
    • Use the Notes column to provide additional context, such as the justification for the selected compliance status or references to internal policies, procedures, etc.

Using the Dashboard

How to use the dashboard

Deriving Requirements from the Regulation

Conversion to the template format

The graphic below visually illustrates how the regulation was translated into actionable assessment requirements.

  • Chapter: The regulatory chapter is referenced as “CHAPTER II: ICT Risk Management”.
  • Article: The specific article is referenced as “Article 5: Governance and Organisation”.
  • Requirement Statement: The regulatory text is retained exactly as it appears in the original document.
  • Requirement ID: A unique identifier is assigned to each requirement for easy reference within the assessment template. This ID is specific to the template and not part of the original regulation.
  • Section: I chose to exclude the section level, as I found that combining the chapter and article provided sufficient detail. Additionally, not all parts of the regulation included a “Section,” and most people tend to reference things at the article level.

Splitting and merging of content

In some cases the original text is not well suited to a direct gap assessment: several distinct requirements are bundled into a single paragraph.

When you are doing a gap analysis, you ideally want more granular requirements whose compliance you can judge individually. To facilitate this, certain sub-paragraphs and points have been split or merged so that potential gaps can be documented more precisely.

The graphic below visually illustrates this:

The regulation clause in question, paragraph 6, contains two sub-requirements labeled (a) and (b); in the template it is divided into two distinct requirements, each with its own identifier.

Splitting the clause into two separate requirements allows for more precise tracking and assessment. Each requirement can now be evaluated independently, giving a clearer view of compliance status and identifying the specific areas where improvements are needed.
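As an added illustration (not part of the template or this page), the Python below mimics the conversion described above, namely mapping a clause onto the template's Chapter/Article/Requirement ID/Requirement/Compliance/Notes columns, splitting a paragraph with lettered sub-points into one row each, and tallying statuses per chapter the way the Dashboard sheet does. The "REQ-6a" ID scheme, the row helper and the sample paragraph are assumptions constructed for the example, not the template's own.

```python
import re
from collections import Counter

# The four statuses offered by the template's Compliance dropdown
STATUSES = ("Not Applicable", "Fully Compliant", "Partially Compliant", "Not Compliant")
# Matches lettered sub-points such as "(a)" inside a regulation paragraph
SUBPOINT_RE = re.compile(r"\(([a-z])\)\s*")

def split_clause(chapter, article, clause_no, text, id_prefix="REQ"):
    """Convert one regulation paragraph into template rows: one row per lettered
    sub-point (each prefixed with the introductory wording so it reads as a complete
    requirement), or a single row when the paragraph has no sub-points.
    The ID scheme (prefix-clause-letter) is an assumption, not the template's own."""
    def row(rid, req):
        return {"Chapter": chapter, "Article": article, "Requirement ID": rid,
                "Requirement": req, "Compliance": "", "Notes": ""}
    parts = SUBPOINT_RE.split(text.strip())   # [lead, "a", body_a, "b", body_b, ...]
    if len(parts) == 1:                        # no sub-points: keep the paragraph whole
        return [row(f"{id_prefix}-{clause_no}", parts[0])]
    lead = parts[0].strip()
    return [row(f"{id_prefix}-{clause_no}{letter}", f"{lead} {body.strip()}")
            for letter, body in zip(parts[1::2], parts[2::2])]

def dashboard(rows):
    """Tally Compliance status per Chapter, as the Dashboard sheet does.
    Any value outside the dropdown is rejected so a typo cannot skew the totals."""
    tally = {}
    for r in rows:
        if r["Compliance"] not in STATUSES:
            raise ValueError(f"{r['Requirement ID']}: unknown status {r['Compliance']!r}")
        tally.setdefault(r["Chapter"], Counter())[r["Compliance"]] += 1
    return tally

# Constructed sample paragraph (a paraphrase, not the regulation's wording)
SAMPLE = ("The management body shall: (a) bear the final responsibility for "
          "managing ICT risk; (b) put in place policies aiming at high standards "
          "of availability, integrity and confidentiality of data.")

if __name__ == "__main__":
    rows = split_clause("CHAPTER II: ICT Risk Management",
                        "Article 5: Governance and Organisation", 6, SAMPLE)
    rows[0]["Compliance"], rows[1]["Compliance"] = "Fully Compliant", "Partially Compliant"
    for r in rows:
        print(r["Requirement ID"], "|", r["Requirement"])
    print(dashboard(rows))
```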

Disclaimer

The Excel template is independently created and is not affiliated with, nor has it been officially endorsed by, any official body associated with the EU DORA regulation.

For any clarifications, please consult the official document on the EU website: https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en

I have taken care to ensure the content’s accuracy, but you should verify the information for your specific needs.

Feel free to modify the template to better suit your organization’s requirements, but if you share it, please credit the original source.

Enjoy!