Services.

Every engagement is delivered under a fixed-scope Statement of Work. You know the deliverables, the timeline, and the cost before any work begins.

Tier 1 — DORA Quick-Start Assessment

Duration: 2 weeks · Scope: Fixed

What it is

A structured gap analysis of your firm's current position against the five DORA pillars. The output is a written report — not a slide deck — with a prioritised action list, your specific regulatory filing obligations (CySEC, MFSA, or HCMC), and a fixed-price proposal for the next stage.

Who it's for

  • Firms that have not yet started DORA compliance
  • Firms that have received a regulatory query or inspection notice
  • Firms that have existing policies and want to understand what is missing

Deliverables

  • Current-state ICT posture review
  • Gap analysis against DORA pillars (proportionate to your entity category)
  • Register of Information readiness check
  • Prioritised remediation list with estimated effort
  • Fixed-price proposal for Tier 2 or Tier 3

Best first step. The Quick-Start Assessment is the fastest way to understand your obligations and commit to a realistic compliance plan.

Tier 2 — DORA RoI Build

Duration: 4–6 weeks · Scope: Fixed

What it is

Construction and validation of your Register of Information — the DORA Article 28(3) mandatory register of all ICT third-party service providers. Formatted to the ESA Implementing Regulation (EU) 2024/2956 standard, validated against the latest ESA Reporting Technical Package, and prepared for direct submission to your competent authority.

Who it's for

  • Firms with a pending or overdue RoI submission to CySEC, MFSA, or HCMC
  • Firms that have received a CySEC portal request (Circular C751)
  • Firms that have completed their own initial DORA review and need RoI build support only

Deliverables

  • ICT third-party provider inventory (direct providers, subcontractors, intra-group ICT services)
  • Criticality assessment for each provider (critical/important function classification)
  • Register of Information in ESA-compliant plain-CSV format
  • Supporting policy documentation (ICT third-party risk policy, contract compliance checklist)
  • Regulatory submission support (portal guidance, file validation)

Tier 3 — DORA Full Framework Build

Duration: 6–8 weeks · Scope: Fixed

What it is

Complete DORA compliance documentation — all five pillars, regulator-ready. This is the full engagement for firms that need to demonstrate a working DORA compliance posture, not just a submitted Register of Information.

Who it's for

  • Firms preparing for a CySEC, MFSA, or HCMC inspection
  • Firms that need board-level governance documentation and management reporting
  • Firms that have completed Tier 1 or Tier 2 and are ready for the full build

Deliverables

  • All Tier 2 deliverables
  • ICT risk management framework (DORA Article 6, proportionate)
  • ICT asset inventory and risk register
  • Incident classification criteria, reporting procedures, and regulatory notification templates
  • ICT business continuity plan and recovery procedures
  • Third-party due diligence documentation (DORA Article 28 full requirements)
  • Resilience testing scope and coordination (basic testing programme)
  • ICT security programme review (advanced vulnerability assessment)
  • Board governance summary and management reporting template
  • Handover pack: all source documents in editable format

Tier 4 — NIS2 Readiness Pack

Duration: 3–4 weeks · Scope: Fixed

What it is

For entities within NIS2 scope that are not fully covered by DORA. We deliver the Article 21 security measures documentation set, incident response procedures, and a structured evidence workspace.

Deliverables

  • Information security policy framework (Article 21 compliant)
  • Incident response and reporting procedures
  • Business continuity documentation
  • Supply chain security register
  • Evidence workspace (structured for regulatory inspection)
  • Management liability briefing for directors

See /nis2 for full details.

Tier 5 — DORA Governance Retainer

Duration: From month 6 of an active engagement · Scope: Monthly retainer, fixed monthly fee

What it is

An ongoing monthly retained service for firms that need qualified DORA governance capacity without a full-time hire. We maintain your registers, monitor regulatory change, prepare management reporting, and support incident reporting and regulator correspondence. Tessera does not assume any formal statutory or accountable-officer role unless that role is separately scoped and contracted.

Who it's for

  • Firms that have completed a Full Framework Build and need ongoing maintenance
  • Firms that have a compliance function but no ICT/DORA specialism in-house
  • Firms subject to annual RoI resubmission obligations

Deliverables

  • Register of Information maintenance (annual update cycle)
  • Regulatory change monitoring and impact briefing
  • Management reporting (monthly one-page compliance status)
  • Incident reporting support (on-call, if a significant ICT incident occurs)
  • Regulator correspondence preparation and liaison support

The DORA Governance Retainer is only available to firms that have completed a Tier 3 Full Framework Build with Tessera Cyber, or that have provided equivalent documentation for our review.

Not sure which tier you need?

The Quick-Start Assessment is the right starting point for most firms. It confirms your DORA scope, identifies your most urgent obligations, and produces a written, fixed-price proposal for the next step — all within two weeks.
