EU Regulation 2022/2554 · DORA in force since 17 Jan 2025
Demonstrate compliance with the five DORA pillars — ICT risk management, incident reporting, resilience testing, third-party risk and information sharing. SCMC covers 10 areas with around 60 control questions, on a 0–4 maturity scale with the defined target level ‘Managed’.
Our platform turns the DORA requirements into a practical framework for ICT resilience, incident management and third-party governance.
Simple, transparent pricing
Monthly
CHF 175
/ month
Annual
CHF 1'750
≈ CHF 146 / month
2 months free
The Digital Operational Resilience Act (DORA, EU 2022/2554) obliges financial entities and their critical ICT third-party providers to implement concrete measures for digital operational resilience. SCMC consolidates the requirements along the five DORA pillars — ICT risk management, incident reporting, resilience testing, third-party risk and information sharing — into 10 areas with around 60 control questions. Every requirement is scored on a uniform 0–4 maturity scale with a clear ‘Managed’ target level — structured, documented and audit-ready.
The Challenge
You know DORA applies to your organisation, but the path from the regulation text and RTS/ITS to concrete measures in daily operations remains hard to grasp. A robust position assessment across all five pillars is missing.
Our Solution
Our platform translates the DORA requirements into 10 areas with around 60 control questions and makes the implementation status visible along a uniform maturity scale.
Process the DORA requirements in a clear digital workflow instead of Excel mappings, Word documents and scattered evidence.
Create a shared working basis for ICT, IT Security, Risk Management, Compliance, Management and third-party owners.
Keep assessments, evidence, incident reports, test results and third-party contracts in one place.
Score every DORA requirement on the 0–4 maturity scale and see at a glance how far you still are from the ‘Managed’ target level.
Capture requirements for cloud providers, outsourcing partners and critical ICT third-party providers in a structured, traceable way — including mandatory contractual clauses.
Document reporting paths, classification logic, deadlines and escalation steps for ICT incidents, plus results from resilience tests and TLPT — robust for supervisors and management.
Build a solid foundation for supervisory authorities, internal audits and management reporting under DORA.
Keep an eye on changes, developments and prior assessments and document progress cleanly over time.
Use the DORA assessment not as a one-off but as a repeatable process for ongoing compliance and continuous improvement.
Register for free on our platform and try the entry-level free Cyber-Security Basis Check.
Our platform turns DORA requirements, ICT risk management, incident reporting, resilience testing and third-party risk into a clear, digital and traceable working process.
The Digital Operational Resilience Act (DORA, EU Regulation 2022/2554) is a directly applicable EU regulation on digital operational resilience in the financial sector. It obliges financial entities and their critical ICT third-party providers to meet uniform requirements along five pillars: ICT risk management, incident reporting, resilience testing, third-party risk and information sharing. DORA has been in force since 17 January 2025.
DORA covers virtually all EU financial entities — banks, insurers, investment firms, payment service providers, crypto-asset service providers, trading venues, central securities depositories, fund managers, reinsurers and others — as well as their critical ICT third-party providers. Swiss organisations are affected as soon as they provide regulated EU financial services or operate subsidiaries there.
SCMC covers the DORA requirements along the five pillars in 10 areas with around 60 control questions — ICT risk management, handling and reporting of ICT-related incidents, resilience testing, third-party risk and information sharing. Scoring is based on a 0–4 maturity scale with a defined ‘Managed’ target level.
1) ICT risk management (governance, strategy, protection measures). 2) Handling, classification and reporting of ICT-related incidents. 3) Digital operational resilience testing, including TLPT for significant financial entities. 4) Management of third-party risk from critical ICT providers. 5) Information sharing on cyber threats and vulnerabilities.
The maturity scale ranges from 0 (not in place) to 4 (optimised). The ‘Managed’ target level typically corresponds to level 3 — the measure is defined, documented, managed and reviewed. SCMC shows for each control area how far you still are from the target level.
The DORA assessment is available as a monthly or annual subscription — details at scmc.ch/pricing. To try the platform, the Cyber-Security Basis Check is available free of charge (10 areas, 39 control questions).
No. SCMC replaces neither the formal incident report to supervisors nor a formal conformity check by the competent authority. The platform is a digital tool for structured self-assessment, documentation and evidence preparation — formal responsibility remains with the management body.
