DORA Compliance Tracker
DORA 5-pillar compliance tracker for banks, insurers and payment institutions. EBA/EIOPA aligned.
🛡️ CYBER ESSENTIALS 2026 UPDATE — EFFECTIVE 28 APRIL 2026
The Cyber Essentials scheme is updated from 28 April 2026 with stricter criteria: mandatory multi-factor authentication (MFA) for all cloud services and admin accounts, tighter password policies, expanded scope for home workers and BYOD devices, and new vulnerability management timelines. All UK government suppliers must meet the updated standard. This product is aligned with the CE 2026 requirements.
⚡ DORA IN FORCE SINCE JANUARY 2025 — 22,000+ EU FINANCIAL ENTITIES IN SCOPE
The Digital Operational Resilience Act (DORA) has been fully applicable since 17 January 2025. It covers banks, insurers, investment firms, payment institutions, crypto-asset service providers, and their critical ICT third-party providers. The second annual Register of Information (RoI) is due March 2026 — approximately 50% of in-scope firms identify this as their most complex obligation. Fines: up to €10M or 5% of global turnover, with individual liability up to €1M.
DORA Compliance — Tracked, Evidenced, Board-Ready
DORA creates five pillars of operational resilience obligations: ICT risk management, incident reporting, digital resilience testing, ICT third-party risk management, and information sharing. Each pillar requires ongoing documentation, testing, and governance. Our tracker monitors all five continuously — with the RoI mapping as the centrepiece.
- ICT Risk Management Framework: DORA-aligned risk register, control mapping, and gap analysis across all five pillars
- Register of Information (RoI) Builder: Map all ICT third-party providers, classify by criticality, and generate the RoI in the format ESAs require — critical for the March 2026 submission
- ICT Incident Classification: Determine which incidents qualify as major ICT incidents and which trigger regulatory reporting — with 4-hour initial notification template
- TLPT Readiness (Threat-Led Penetration Testing): For in-scope significant entities — testing framework, vendor selection criteria, and result integration
- Third-Party ICT Risk Assessment: Standardised due diligence questionnaire for ICT providers, contractual requirement checklist, and exit strategy documentation
- Board Reporting: Quarterly DORA governance report for management body — fulfilling Art. 5 board oversight duties
- UK/EU Dual Mapping: For firms operating under both FCA Operational Resilience Policy and DORA — avoid duplicating work
- Monthly RoI Update: Third-party register changes tracked automatically — always submission-ready
💷 THE MATHS
£129/month. DORA consultancy retainer: £5,000–15,000/month. Maximum DORA fine: €10M or 5% of global turnover. Individual liability: €1M. RoI submission failure alone has drawn regulatory scrutiny — the tracker makes March 2026 a non-event.
📅 How this subscription works — month-1 to month-12
- Day 1 onboarding: instant portal access, automated onboarding checklist and baseline assessment intake — getting started guide delivered automatically.
- First week setup: integrations wired, first report generated, MLRO / DPO / IT lead invited to the portal.
- Ongoing monthly delivery: updated compliance report, new-regulation tracker delta, audit-trail snapshot, continuous regulatory updates aligned to your sector.
- Cancellation: cancel any time from the portal — no contract lock-in; 30-day data export window after cancellation.
⚠️ Legal disclaimer (COMPLIANCE): This product is provided for information and compliance documentation only; it is not regulatory advice. Read the full disclaimer below or in our Terms of Service before purchase.
Cyber Essentials 2026 Cross-Mapping
DORA Chapter II ICT risk management requirements overlap with CE 2026 controls — this tracker maintains both maps in one view:
- Firewalls — DORA Article 9 network segmentation requirements cross-mapped to CE perimeter controls
- Secure configuration — DORA Article 9 configuration management + CIS-benchmark hardening evidence
- User access control + MFA mandate — DORA Article 9 identity & access management + CE 2026 MFA mandate (28 April 2026); RBAC and least-privilege evidence
- Malware protection — DORA Article 9 ICT operations + endpoint protection / EDR coverage
- Security update management — DORA Article 9 vulnerability management + CE 2026 patch management cadence
£129.00/mo
MONTHLY SUBSCRIPTION · No VAT (not registered)
Trust & Delivery
ICO registered ZC112810
UK Information Commissioner's Office data controller registration.
Companies House 16419201
SummitBridge Horizon Ltd — registered 30 April 2025, London.
14-day satisfaction guarantee
See refund policy for full terms.
Sample materials available
Compare with the market
5 direct and adjacent competitors tracked.
| Vendor | Their price | Threat | vs SBH | Their advantages | Our advantages |
|---|---|---|---|---|---|
| MetricStream US | — | HIGH | pricier | — | — |
| Archer US | — | HIGH | pricier | — | — |
| Hyperproof US | $15,000+ /yr | MEDIUM | pricier | — | — |
| Corlytics IE | — | MEDIUM | pricier | — | — |
| AuditBoard US | — | MEDIUM | pricier | — | — |
Compliance Snapshot
Regulatory posture for this product — for procurement and security teams.
Conformity scaffold in place — formal record not yet published