
The 60-Day DORA Countdown: Are You Audit-Ready?

The clock is ticking. But there’s still time to get it right.

With just 60 days until January 2026, financial institutions across the EU are entering a critical phase of their DORA readiness journey. Regulators will soon expect evidence that your organisation can withstand, respond to, and recover from ICT disruptions. This is not about future compliance; it is about proving operational resilience today.

If your organisation is still closing gaps, the next two months represent an opportunity to prioritise, validate, and strengthen your controls. Every system, process, and third-party relationship plays a part, and focusing your efforts strategically now can prevent both regulatory and reputational risk later.

Understanding the 60-Day Imperative for DORA

DORA’s five pillars (ICT risk management, ICT-related incident reporting, digital operational resilience testing, information sharing, and ICT third-party risk management) all require demonstrable, continuously monitored controls. Yet for many organisations the real challenge lies in understanding how these expectations will be tested and evidenced in practice.

While the specific approach to DORA audits is still taking shape, the direction of travel is clear: regulators will expect assurance, not assertions. That means now is the time to validate your data, test your controls, and ensure traceability across your resilience framework.

In other words, this is the window to build confidence — not just for compliance, but for your own operational assurance.

Key Areas of Concern: Where Auditors Will Focus

While all DORA pillars matter, auditors are likely to pay extra attention to high-risk areas, especially given the rise in third-party cyber incidents:

  1. Third-Party Risk Management
    Your organisation is only as strong as its weakest link. Recent cyber-attacks show that breaches often start with vendors. DORA requires not just knowing your vendors but actively monitoring their operational resilience: visibility into their controls, their incident handling, and their own subcontractors where those support a critical or important function. Continuous monitoring is essential; periodic manual checks alone are hard to present as evidence of ongoing oversight.
  2. ICT Systems and Controls
    Auditors will expect evidence that critical systems are controlled and continuously monitored. Any gaps or lapses in monitoring are red flags.
  3. Incident Response and Reporting
    Detection, classification and timely reporting of ICT-related incidents are under intense scrutiny. Major incidents must be reported to the competent authority in stages (initial notification, intermediate report, final report), each against a regulatory deadline, so auditors will want documented proof that your response plans are tested, that incidents can be classified quickly, and that the reporting clock can be met.

Bottom line: Third-party risk and continuous monitoring are likely to be the make-or-break factors in passing a DORA audit. Focus here first to maximise your readiness in the final 60 days.

Where to Focus in the Final Countdown

  1. ICT Risk Management
    Ensure every critical ICT system has a mapped risk profile. Identify high-risk areas, implement controls, and validate them continuously. Evidence of ongoing monitoring and testing will be required at audit.
  2. Incident Reporting and Response
    Review your incident management processes: Are incidents detected early? Can an incident be classified as major under DORA’s criteria quickly enough to meet the notification deadlines? Are response and escalation procedures clear? Documented and tested processes are key to passing regulatory review.
  3. Resilience Testing
    Operational resilience isn’t theoretical, it’s practical. Regulators will expect evidence of resilience testing, including simulations of severe disruptions. DORA requires ICT systems supporting critical or important functions to be tested at least yearly, and entities designated for threat-led penetration testing (TLPT) must run it at least every three years. Even if you’ve tested before, ensure your latest exercises cover critical digital systems and align with DORA expectations.
  4. Third-Party Oversight
    Reinforce monitoring of vendors and their suppliers. Use continuous controls monitoring to ensure that third-party risks are visible in real time, and weaknesses can be addressed before they become incidents.
  5. Information Sharing and Reporting
    DORA’s information-sharing pillar concerns exchanging cyber threat information and intelligence with other financial entities. Internally, document and share operational resilience insights across your organisation, and ensure dashboards, reporting mechanisms, and internal communications reflect the true state of ICT controls.

Practical Steps for the Next 60 Days

  • Conduct a gap analysis: Identify where your organisation falls short across all DORA pillars.
  • Prioritise remediation: Focus on high-risk areas—particularly third-party monitoring and critical ICT systems.
  • Implement continuous monitoring: Automated tools provide evidence that controls work continuously, not just at a point in time.
  • Test and validate: Run tabletop exercises or simulations to ensure response plans work under pressure.
  • Document everything: From risk assessments to incident logs, auditors will want clear, accessible evidence.

Why Time Matters for DORA Compliance

Two months may seem like plenty, but operational resilience improvements take time to implement, test, and embed. Organisations that start late risk rushing critical steps, leaving controls untested or documentation incomplete. With DORA audits looming there is no room for delay, and you will need to prove that your controls are monitored continuously.

The 60-Day DORA Countdown: Audit-Readiness Roadmap

Phase 1: November – Assess & Prioritise

Goal: Understand gaps, prioritise high-risk areas, and plan remediation.

Week 1: Gap Analysis

  • Map all critical ICT systems and their risk profiles.
  • Identify gaps across all DORA pillars: ICT risk management, incident reporting, resilience testing, information sharing, third-party oversight.
  • Review existing third-party contracts and controls – are they sufficient and auditable?

Week 2: Prioritisation & Planning

  • Prioritise remediation based on risk and audit impact. High-risk = critical ICT systems and third-party controls.
  • Develop a remediation plan: assign responsibilities, deadlines, and resources.
  • Identify continuous monitoring tools needed for real-time assurance.
  • Begin documentation of current processes, incidents, and controls for auditors.

Phase 2: December – Implement & Test

Goal: Remediate gaps, deploy monitoring, and test operational resilience.

Weeks 3-4: Control Remediation & Monitoring Implementation

  • Implement missing controls in high-risk ICT systems.
  • Onboard continuous controls monitoring (CCM) tools for critical systems and vendors.
  • Strengthen third-party oversight: request control evidence from vendors, monitor suppliers where possible.
  • Document all updates: changes, controls implemented, and risk mitigation steps.

Week 5: Resilience Testing & Incident Management

  • Conduct tabletop exercises and simulations for critical disruptions.
  • Review incident reporting procedures: ensure timely detection, escalation, and documentation.
  • Update dashboards and reporting mechanisms to reflect real-time monitoring and test results.
  • Share operational resilience insights with key stakeholders.

Phase 3: January – Validate & Certify Readiness

Goal: Ensure everything is audit-ready and continuously monitored.

Weeks 6-7: Audit Simulation & Validation

  • Run internal audits/mock inspections to simulate regulator scrutiny.
  • Validate continuous monitoring dashboards, logs, and evidence packages.
  • Remediate any gaps discovered during simulations.

Week 8: Final Review & Continuous Assurance

  • Confirm all documentation is complete and accessible: risk assessments, incident logs, third-party evidence, resilience testing results.
  • Review communication channels: ensure management, auditors, and teams have a clear view of operational resilience.
  • Set an ongoing monitoring and reporting cadence to maintain compliance once the countdown ends.

Key Focus Areas Throughout the 60 Days

  1. Third-Party Risk Management – visibility into vendors’ controls and their suppliers.
  2. ICT Systems & Controls – continuous monitoring and evidence of effectiveness.
  3. Incident Detection & Reporting – tested and documented response plans.
  4. Operational Resilience Testing – practical simulations, not just policies.
  5. Documentation & Reporting – dashboards, logs, and evidence ready for auditors.

Quick Wins for DORA Compliance

  • Automate monitoring where possible → saves time and provides continuous audit evidence.
  • Focus first on high-risk vendors and critical ICT systems.
  • Keep all documentation structured and accessible → auditors love clarity.
  • Run tabletop exercises early to identify gaps → don’t wait until January.

The Path to Audit-Readiness for DORA

The final 60 days should be seen as an opportunity to bring structure, clarity, and confidence to your DORA readiness programme. It’s less about a last-minute sprint and more about validating what’s in place, closing known gaps, and building assurance that can stand up to regulatory scrutiny.

Success now depends on three things: a clear plan, the right priorities, and visibility you can trust. That means focusing effort where it matters most—critical ICT systems, high-risk vendors, and evidence that your controls work in practice, not just on paper.

If your teams are still determining where to start, or how to turn strategy into audit-ready evidence, a practical roadmap can make all the difference. Our latest DORA white paper outlines a structured approach to readiness—helping you decide what to do first, where to focus, and how to demonstrate continuous resilience with confidence.

Take this time to assess, strengthen, and prove your resilience, because in January auditors won’t be asking what’s planned; they’ll be asking what’s proven. Download our DORA white paper now.

 
