
Achieving DORA compliance across the organization

The EU's regulation on digital operational resilience is now in effect. Yet many organizations still struggle to document how they are actually complying with the requirements. Here, you'll find a practical checklist and insight into how our DORA Agent can help you gain control of both oversight and compliance. 

DORA is now a reality - but are you operationally compliant?

DORA, the Digital Operational Resilience Act, has been in force and applicable since January 2025. All organizations in the financial sector, from banks and insurance companies to fintechs and their suppliers, are now required to document and ensure that their digital resilience is in order.

But being “DORA-ready” is not the same as being DORA-compliant in practice. 

Many organizations still experience: 

  • A gap between policy and practice 

  • Unclear processes for incident management and reporting 

  • Manual and fragmented workflows that make documentation difficult 

DORA is not just about having rules in place – it's about proving they work. This is where a checklist becomes a simple, effective tool for identifying weaknesses and strengths in your compliance setup. 

DORA's five pillars - a brief overview

  1. ICT risk management

    Organizations must set up and maintain robust IT systems that can withstand and mitigate the impact of ICT risks. This includes:

    • Identifying and classifying critical functions and assets 

    • Continuously monitoring all sources of digital risk 

    • Implementing detailed contingency and recovery plans, tested at least annually 

    • Mechanisms for quickly detecting abnormal behavior and learning from both internal and external incidents 

    Risk management must be living and operational – not just a PDF in a governance folder. 

  2. Incident handling and reporting

    DORA requires consistent and timely reporting of IT-related incidents. This means: 

    • Incidents must be logged, classified, and assessed according to a common EU standard

    • Major incidents must be reported in three stages: initial, intermediate, and final 

    • Reporting must follow templates and workflows set by European supervisory authorities (EBA, EIOPA, and ESMA) 

    This requires organizations to have automated processes and clear responsibilities for both monitoring and reporting.

  3. Testing digital resilience

    Organizations must test their digital resilience at least once a year, and basic checklists are not enough. Requirements include: 

    • Fundamental technical testing of systems and tools 

    • Swift identification and remediation of weaknesses 

    • Advanced threat-led penetration testing (TLPT) for systems supporting critical functions 

    DORA insists that resilience must be tested – not assumed. 

  4. Third-party risk management

    DORA introduces stricter requirements for collaboration with IT service providers, especially those deemed critical. This includes:

    • Monitoring all outsourced activities – including intra-group outsourcing 

    • Focusing on concentration risks and further outsourcing 

    • Harmonizing contract terms, including SLAs, data location, and access conditions

    • Maintaining a fully updated registry of suppliers and subcontractors 

    Companies must prove they have full control of their digital supply chain and that they can respond if something fails.

  5. Information sharing

    Finally, DORA encourages active exchange of knowledge about cyber threats and digital vulnerabilities, both between companies and from authorities. This means: 

    • Companies can establish collaborative forums and sharing arrangements 

    • Supervisory authorities will share anonymized cyber threat data 

    • Organizations should have a defined process for responding to shared threat intelligence 

    Information sharing is not about “exposing yourself” - it’s a way to strengthen the collective cyber defense of the entire sector. 

The DORA Agent

DORA's five pillars are clear and ambitious but complex to implement in practice. Implementing them requires structured collaboration across IT, leadership, security, and compliance. This is where Kruso's DORA Agent can play a key role: by consolidating data, visualizing status, and automating documentation, it helps make DORA work practical, transparent, and manageable every day.

At Kruso, we’ve developed a prototype of a DORA Agent: a digital tool that helps organizations consolidate, visualize, and automate their compliance efforts. 

With the DORA Agent, you can: 

  • Gain a real-time visual overview of your compliance status 

  • Identify gaps and risks across systems 

  • Automatically generate documentation and reports 

  • Support collaboration between IT, governance, and leadership 

Our solution is built on API-first principles, making it easy to integrate into existing system landscapes without heavy transitions or data duplication. 
