DORA readiness for a regional retail bank

Eighteen-month DORA readiness programme covering operational-resilience testing, incident reporting, third-party risk, and ICT supplier oversight.

Sector. Retail banking, ~4,500 employees

Engagement. Framework agreement plus implementation support

Duration. Eighteen months

The client was a regional retail bank with limited prior exposure to the DORA framework. Its internal security and risk function had assessed the workload as manageable but had not yet started structured readiness work; at the time of the assessment, the regulatory deadline was approximately twenty months away.

Our scope covered the full DORA obligation set, with workstreams running in parallel from month two onwards: ICT risk management framework alignment, incident-reporting procedure design, operational-resilience testing programme establishment, third-party risk management programme implementation, and ICT supplier register population and contractual review.

The longest workstream by some distance was the ICT supplier review. The bank had over 400 contracted ICT suppliers across its operational estate; the requirement to apply the DORA supplier-risk regime to each one — assess concentration risk, review contractual terms, document exit strategies — took six full months and involved every line of business.

We finished the readiness programme three months ahead of the regulatory deadline. The bank's first formal DORA-aligned incident-reporting drill — a tabletop scenario with the relevant home-state supervisor observing — was completed successfully without finding any blocking gaps.

Outcome

Full DORA readiness completed three months ahead of deadline; first regulator-observed tabletop exercise passed without blocking findings.