Cat-22 · DORA & Operational Resilience · 11 Tools

DORA compliance tools built for operational reality

Eleven deterministic, browser-based tools covering the full DORA framework — from ICT risk maturity scoring and CIF classification through incident classification with live reporting countdowns, third-party contract validation, concentration risk modelling, proportionality assessment, NCA submission calendars, NIS2/DORA overlap mapping, and the AP2 agentic policy mandate builder. EU 2022/2554. Zero PII.

ICT Risk · Incident Classification Third-Party · Concentration Risk Proportionality · NCA Deadlines NIS2/DORA Overlap · AP2 Agentic Zero PII · Client-Side
🔒 All inputs are processed locally in your browser. No data is transmitted. Do not enter real personal data — use synthetic or anonymised inputs only.
Programme Overview

Five Stages, 11 Tools

Five stages cover the full DORA compliance lifecycle — from gap analysis and ICT function classification through incident response, third-party governance, and agentic policy mandate export.

01 Assess ICT Risk & CIF T300 · T302 · 2 tools
02 Structure Register of Information T301 · 1 tool
03 Respond Incidents & Testing T303 · T304 · 2 tools
04 Govern Third-Party & Concentration T305–T309 · 5 tools
05 Automate AP2 Policy Mandate T310 · 1 tool
Tool Library

11 DORA & Operational Resilience Tools

Follow the 5-stage workflow above to navigate by use case, or scroll to any tool group directly. All tools run in your browser — no account, no data transmission.

  1. 1

    Score ICT Risk Maturity

    Open T300 to score all five DORA pillars. The remediation priority table becomes your implementation backlog. Then use T302 to classify your ICT functions into CIF tiers and flag TLPT scope.

    T300 ICT Risk Gap T302 CIF Identifier
  2. 2

    Build Register of Information

    Add each ICT provider, assign CIF tier, and run the 24 ESA data quality checks. Then use T308 to identify your NCA's submission deadline and required format.

    T301 RoI Builder T308 NCA Tracker
  3. 3

    Classify Incidents & Test Resilience

    Input all 7 RTS 2024/1772 criteria in T303. The compound Major logic (Condition A + B1/B2) determines classification. Use T304 to design your proportionate resilience testing programme.

    T303 Incident Engine T304 Testing Designer
  4. 4

    Govern Third-Party & Concentration Risk

    Use T305 to check ICT service agreements against Art. 30 mandatory clauses. Run T306 to model your provider portfolio HHI index and detect SPOF and CTPP exposure. Use T307–T309 for proportionality, NCA deadlines, and NIS2/DORA overlap.

    T305 Contract Checker T306 Concentration Risk T307 Proportionality T308 NCA Tracker T309 NIS2 Mapper
  5. 5

    Build AP2 Policy Mandate

    Use T310 to configure all five DORA pillars into a validated Policy Mandate JSON. The built-in validator flags RTO violations and runbook gaps. Export the mandate for board reporting or agentic pipeline consumption.

    T310 AP2 Mandate Builder
Group A · ICT Risk & CIF Assessment (T300, T302)
T300
ICT RiskGap Analysis

DORA ICT Risk Gap Analyser

Five-pillar DORA maturity assessment scored 0–4 per pillar. Composite score /100, pillar heatmap, remediation priority table. Policy Mandate JSON and Markdown export. Client-side. Zero PII.

Open Tool
T302
CIFTLPT Scope

DORA CIF Function Identifier & Classifier

T1/T2/T3 three-tier critical ICT function classification engine. RTO assessment against 72h Art. 11 requirement. TLPT scope flagging, Policy Mandate JSON and Markdown export. Client-side. Zero PII.

Open Tool
Group B · Register of Information (T301)
T301
RoIxBRL

DORA Register of Information Structure Builder

Dynamic provider entry with 24 ESA data quality checks. CIF T1/T2/T3 classification, xBRL-CSV export structure, Policy Mandate JSON. Client-side. Zero PII.

Open Tool
Group C · Incident Classification & Resilience Testing (T303, T304)
T303
RTS 2024/1772Incident

DORA Incident Classification & Reporting Timeline Engine

All 7 RTS 2024/1772 criteria. Compound Major logic: Condition A + B1/B2. Live 4h/72h/1-month countdown. ITS 2025/302 Annex I notification draft auto-populated. Policy Mandate JSON. Client-side. Zero PII.

Open Tool
T304
TLPTTIBER-EU

DORA Resilience Testing Programme Designer

Basic Art. 25 testing (all entities) vs TLPT Art. 26 (significant entities ≥€30bn, TIBER-EU aligned). Test type schedule by article, frequency, TLPT scope, Policy Mandate JSON. Client-side. Zero PII.

Open Tool
Group D · Third-Party Governance & Concentration Risk (T305, T306)
T305
Art. 30Contracts

ICT Third-Party Contract Clause Checker

10 Art. 30 mandatory clause checklist. Compliance % score, missing clause list, model clause language stubs for renegotiation, Policy Mandate JSON. Client-side. Zero PII.

Open Tool
T306
HHICTPP

ICT Concentration Risk Modeller

Provider portfolio risk across HHI index, SPOF flags (dependency ≥40% + substitutability ≤2), 19 designated CTPP detection, diversification recommendations, Policy Mandate JSON risk register. Client-side. Zero PII.

Open Tool
Group E · Proportionality, NCA Submissions & NIS2 Overlap (T307–T309)
T307
Art. 4Art. 16

DORA Proportionality Assessment Tool

Art. 4 proportionality principle determination. Full vs Art. 16 simplified ICT risk management framework. Obligation applicability table for all DORA pillars, Markdown assessment. Client-side. Zero PII.

Open Tool
T308
NCAxBRL

DORA NCA Submission Deadline Tracker

All 27 EU member state NCA deadlines and xBRL format requirements. Penalty exposure indicators, earliest deadline summary, Markdown compliance calendar export. Client-side. Zero PII.

Open Tool
T309
NIS2/DORAAI Act

NIS2 / DORA Overlap & Dual-Compliance Mapper

14-control dual-compliance matrix: SHARED / DORA-ONLY / NIS2-ONLY / AI-OVERLAP. Deduplication count, AI Act overlap flag for entities using AI in ICT functions, Policy Mandate JSON. Client-side. Zero PII.

Open Tool
Group F · AP2 Agentic Policy Mandate (T310) ⚓ Anchor
T310
AP2 Agentic5 Pillars

AP2 DORA Policy Mandate Builder

Anchor agentic tool. Configure ICT risk appetite, incident escalation triggers, TLPT schedule, RoI update frequency, and NCA calendar across all 5 DORA pillars. Outputs validated Policy Mandate JSON, board policy summary, and machine-readable agent instruction set. Client-side. Zero PII.

Anchor agentic tool — consolidates all five DORA pillars into a single validated Policy Mandate JSON ready for autonomous agent consumption via the AINumbers.co MCP server.
Open Tool

Last reviewed: May 2026 · 11 tools · Cat-22 · DORA & Operational Resilience

Audience

Who Uses These Tools

Compliance / Legal

Use T300 to score ICT risk maturity against all five DORA pillars and generate a remediation roadmap. Use T303 for live incident classification against all 7 RTS criteria. Use T307 to confirm whether the simplified framework applies.

ICT / Technology

Use T302 to classify all ICT functions into CIF tiers. Use T301 to build and validate your Register of Information against 24 ESA data quality checks. Use T304 to design your proportionate resilience testing programme including TLPT scope.

Procurement / Vendor

Use T305 to check every ICT service agreement against the 10 Art. 30 mandatory clauses and generate model language stubs for renegotiation. Use T306 to model your provider portfolio HHI index and detect SPOF and CTPP exposure.

Regulatory Affairs

Use T308 to map DORA Register of Information submission deadlines across all 27 EU member state NCAs with xBRL format requirements. Use T309 to identify DORA/NIS2 overlap and deduplication opportunities for entities subject to both regimes.

AI Agent Developer

Use T310 to compile a Policy Mandate JSON your autonomous compliance agent can consume via the AINumbers.co MCP server. The mandate covers all five DORA operational dimensions with built-in validation thresholds — deployable directly into your agent runtime.

Board / CISO

T300 produces a radar heatmap and remediation priority table suitable for board reporting. T310 outputs a board-level policy summary covering all five pillars. T308 gives your upcoming NCA submission deadlines across all active jurisdictions.

Quick Start

Get Started in 5 Steps

  1. 1

    Assess Your DORA Maturity

    Start with T300 — DORA ICT Risk Gap Analyser to score all five pillars. The remediation priority table becomes your implementation backlog. Then use T302 to classify your ICT functions into CIF tiers and flag TLPT scope before your Register of Information submission.

  2. 2

    Prepare Your Register of Information

    Open T301 — DORA RoI Structure Builder. Add each ICT provider, assign CIF tier, and run the 24 ESA data quality checks. Then use T308 to identify your NCA's submission deadline and required format (xBRL-CSV vs Excel).

  3. 3

    Classify an ICT Incident

    Open T303 — DORA Incident Classification Engine. Input all 7 RTS 2024/1772 criteria. The compound Major logic (Condition A + B1/B2) determines classification. If Major: the live 4-hour countdown starts immediately and the ITS 2025/302 Annex I notification draft auto-populates.

  4. 4

    Govern Your ICT Third Parties

    Use T305 to check each ICT service agreement against the 10 Art. 30 mandatory clauses. Then run T306 to model your provider portfolio HHI index — HHI > 2500 indicates high concentration and triggers immediate diversification recommendations.

  5. 5

    Build a Policy Mandate for Your Compliance Agent

    Use T310 — AP2 DORA Policy Mandate Builder to configure all five DORA pillars. The built-in validator flags RTO violations and runbook gaps. Export the Policy Mandate JSON and reference the agent_instructions array as your agent's ordered DORA rulebook.

Related Hubs

Explore Adjacent Suites

Real-Time Payments Operations Hub

8 tools for FedNow readiness, ISO 20022 cross-rail compatibility, RTP fraud velocity rules, PSR APP reimbursement, and intraday credit facility sizing.

Open Hub →

AML/KYC & Financial Crime Compliance Hub

22 tools for CDD/EDD, transaction monitoring rule building, SAR narrative generation, sanctions screening, and AML programme gap auditing.

Open Hub →

Cross-Border FX & Payments Intelligence Hub

14 tools covering FX margin deconstruction, payment failure modelling, hedging, pacs.008 generation, FATF Travel Rule, and G20/FSB finality benchmarking.

Open Hub →

Counterparty Credit Risk & Due Diligence Hub

8 tools for credit risk rating, PD/LGD modelling, covenant monitoring, and counterparty due diligence under Basel IV frameworks.

Open Hub →
MCP Integration

Agentic Access via MCP

All 11 tools expose structured outputs compatible with the AINumbers MCP manifest. Use the tool IDs below with any MCP-capable agent.

Tool IDMCP NameInput SchemaOutput
T300analyse_dora_ict_riskpillars[], maturity_scores{}, entity_typecomposite_score, heatmap{}, remediation_priority[]
T301build_dora_roiproviders[], cif_tier, contract_typeroi_structure{}, quality_checks[], xbrl_export
T302classify_dora_ciffunction_name, rto_hours, substitutabilitycif_tier, tlpt_scope, rto_assessment, mandate_json
T303classify_dora_ict_incidentcriteria{7 RTS fields}, incident_timeclassification, major_flag, countdown_4h, notification_draft
T304design_dora_testing_programmeentity_size, assets_bn, cif_scope[]test_schedule{}, tlpt_required, tiber_eu_flag, mandate_json
T305check_dora_contract_clausescontract_clauses[], provider_typecompliance_pct, missing_clauses[], model_language{}
T306model_dora_concentration_riskproviders[], dependency_pct[], substitutability[]hhi_index, spof_flags[], ctpp_detected[], diversification[]
T307assess_dora_proportionalityentity_type, total_assets, interconnectednessframework_type, art16_applicable, obligation_table{}
T308track_dora_nca_deadlinesmember_states[], submission_yeardeadlines[], format_requirements[], penalty_indicators[]
T309map_nis2_dora_overlapentity_scope[], ai_use_flagoverlap_matrix{}, dedup_count, ai_act_flag, mandate_json
T310build_dora_ap2_mandateall 5 pillars config{}, nca_calendar[], rto_thresholds{}mandate_json{}, board_summary, agent_instructions[]