DORA (EU Regulation 2022/2554) has been in force since 17 January 2025. Where you start depends on where you are — a live incident, a board-level gap review, or an upcoming NCA supervisory engagement each requires a different sequence through the regulation's obligations. Pick your scenario below.
Each scenario runs the same four-tool structure — proportionality scoping first, AP2 mandate export last — with the two middle steps tailored to your immediate need.
Before any DORA compliance work — whether you're in an incident or preparing for a board review — you need to establish your entity's proportionality tier. DORA's obligations scale with the systemic importance, size, and risk profile of the financial entity. This tool maps your entity profile to the three proportionality tiers, identifies which ICT risk management articles apply in full and which apply in simplified form, and flags any exemptions. This scoping output drives everything in Steps 2 and 3.
Classify the incident against DORA Article 17 criteria — availability, authenticity, integrity, confidentiality impacts — and determine whether it crosses the major incident threshold requiring NCA notification. The engine applies the RTS on incident classification (JC 2023 83) to produce a severity determination, initial notification deadline (within 4 hours of major incident detection), intermediate report deadline (within 72 hours), and final report deadline (within 1 month). Outputs feed directly into Step 3.
Once severity is determined in Step 2, this tool maps the full NCA reporting obligation — which national competent authority to notify, which reporting template applies (per ESMA/EBA/EIOPA joint ITS), and the exact deadlines for initial notification, intermediate report, and final report. It also tracks voluntary notification requirements for significant cyber threats under Article 19 and generates a submission checklist keyed to your entity type and primary NCA.
Consolidate the outputs from Steps 1–3 into a validated AP2 Policy Mandate — a structured JSON document that captures your DORA compliance posture, incident response configuration, or gap remediation plan in a machine-readable format. The mandate includes an agent_instructions array that is directly ingestible by MCP agent runtimes, enabling automated compliance monitoring and policy enforcement downstream. Built-in contradiction detection flags any policy conflicts before export.
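As an added illustration of what Steps 2 and 4 describe (this is example code written for this page, not the tool's own AP2 implementation), the block below derives the three reporting deadlines from a detection timestamp using the offsets stated above, assembles them with the proportionality tier and an `agent_instructions` array into a machine-readable mandate, and refuses to export the mandate when its instructions contradict each other. The mandate layout, the field names (`control`, `action`, `effect`), the `schema` placeholder and the modelling of "1 month" as 30 days are all assumptions made for the example; the real AP2 schema is not shown on this page.

```python
from datetime import datetime, timedelta, timezone
import json

# Reporting offsets for a major incident as stated on the page. "1 month"
# is modelled here as 30 calendar days, which is a simplification.
INITIAL_OFFSET = timedelta(hours=4)
INTERMEDIATE_OFFSET = timedelta(hours=72)
FINAL_OFFSET = timedelta(days=30)


def reporting_timeline(detected_at, major):
    """Return the three NCA report deadlines for a major incident, else {}."""
    if not major:
        return {}
    return {
        "initial_notification": (detected_at + INITIAL_OFFSET).isoformat(),
        "intermediate_report": (detected_at + INTERMEDIATE_OFFSET).isoformat(),
        "final_report": (detected_at + FINAL_OFFSET).isoformat(),
    }


def build_mandate(tier, severity, detected_at, instructions):
    """Assemble the mandate dict. The layout is an assumption for illustration."""
    major = severity == "major"
    return {
        "schema": "example-mandate/0",  # placeholder, not a real schema identifier
        "proportionality_tier": tier,
        "incident": {
            "severity": severity,
            "detected_at": detected_at.isoformat(),
            "reporting_timeline": reporting_timeline(detected_at, major),
        },
        "agent_instructions": list(instructions),
    }


def find_contradictions(mandate):
    """Return human-readable conflicts; an empty list means the mandate is consistent."""
    problems = []
    seen = {}
    # Two instructions for the same control and action with different effects
    # (e.g. one "require", one "forbid") cannot both be enforced downstream.
    for instr in mandate["agent_instructions"]:
        key = (instr["control"], instr["action"])
        effect = instr["effect"]
        if key in seen and seen[key] != effect:
            problems.append(
                f"{instr['control']}:{instr['action']} is both {seen[key]} and {effect}")
        seen.setdefault(key, effect)
    # The instruction set must agree with the Step 2 severity determination.
    incident = mandate["incident"]
    wants_notification = any(
        i["control"] == "nca_notification" and i["effect"] == "require"
        for i in mandate["agent_instructions"])
    if incident["severity"] == "major" and not wants_notification:
        problems.append("major incident without a required NCA notification instruction")
    if incident["severity"] != "major" and wants_notification:
        problems.append("NCA notification required for a non-major incident")
    return problems


def export_mandate(mandate):
    """Serialise for downstream ingestion; refuse to export a contradictory mandate."""
    problems = find_contradictions(mandate)
    if problems:
        raise ValueError("mandate rejected: " + "; ".join(problems))
    return json.dumps(mandate, indent=2, sort_keys=True)


# Constructed sample input: a detection time and two candidate instruction sets.
DETECTED = datetime(2025, 3, 3, 9, 15, tzinfo=timezone.utc)

CONSISTENT = build_mandate("tier_1_full", "major", DETECTED, [
    {"control": "nca_notification", "action": "initial_report", "effect": "require"},
    {"control": "log_retention", "action": "purge_incident_logs", "effect": "forbid"},
])

CONTRADICTORY = build_mandate("tier_1_full", "major", DETECTED, [
    {"control": "nca_notification", "action": "initial_report", "effect": "require"},
    {"control": "nca_notification", "action": "initial_report", "effect": "forbid"},
])

if __name__ == "__main__":
    print(export_mandate(CONSISTENT))
    print(find_contradictions(CONTRADICTORY))
```

The contradiction check runs before serialisation on purpose: a runtime that ingests the array will execute whichever instruction it reads last, so conflicting entries must be rejected at export time rather than discovered during enforcement.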
After running this chain you will have: a proportionality tier determination confirming your DORA scope (T307), a major/non-major incident classification with severity scoring and reporting timeline (RBE-11), a complete NCA submission checklist with deadlines and template references (T308), and a validated AP2 DORA Policy Mandate capturing the full incident response posture (T310).
The AP2 mandate JSON from T310 includes an agent_instructions array that can be ingested by an MCP agent runtime for automated ongoing compliance monitoring — turning a one-off incident response into a persistent policy enforcement layer.