Full-scope reviews of ICT operational resilience in accordance with the Digital Operational Resilience Act (DORA). Includes review and challenge of ICT business-continuity plans, recovery capabilities and incident-response readiness, based on documented testing artefacts and evidence. Assesses ICT-third-party and critical-service-provider dependencies under Article 28.
Independent assessment of ICT third-party control frameworks, including critical provider dependencies, exit readiness, oversight evidence and contractual control alignment — not vendor management or contract drafting.
Assessment of ICT incident classification, escalation and regulatory reporting workflows, including evidence trails, decision ownership and supervisory notification readiness — not incident response operations.
Independent technical testing of ICT controls, exposure surfaces and resilience safeguards, including penetration-style validation and control bypass assessment. Focused on evidence of control effectiveness and supervisory defensibility — not remediation or system hardening.
Explicitly non-implementation: we assess, challenge and evidence — not ‘manage vendors’ or ‘run IT’.
Evidence-heavy approach aligned to supervisory expectations and audit defensibility.
Focus on resilience under stress, not paper compliance.
Assessment of evidence under stress conditions, not static compliance validation
Technical testing is used to validate control effectiveness, not to provide remediation or system hardening.
DORA control maturity assessment
Resilience and technical control testing findings with evidence references
Incident response and recovery capability assessment
ICT third-party dependency and critical supplier exposure review
DORA regulatory mapping and supervisory defensibility notes
Tell us what you’re building and what regulatory pressure you’re facing. We’ll respond with a scoped approach and evidence requirements.