Add DORA skill.

Author: Sushegaad

.claude-plugin/marketplace.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://anthropic.com/claude-code/marketplace.schema.json",
   "name": "grc-skills",
-  "description": "Claude Code skills for Governance, Risk & Compliance \u2014 ISO 27001, SOC 2, FedRAMP, GDPR, HIPAA, NIST CSF, PCI DSS, TSA Cybersecurity, ISO 42001 AI Management System, and ISO 27701 Privacy Information Management.",
+  "description": "Claude Code skills for Governance, Risk & Compliance \u2014 ISO 27001, SOC 2, FedRAMP, GDPR, HIPAA, NIST CSF, PCI DSS, TSA Cybersecurity, ISO 42001 AI Management System, ISO 27701 Privacy Information Management, and DORA Digital Operational Resilience.",
   "owner": {
     "name": "Hemant Naik",
     "email": "hemant.naik@gmail.com"
@@ -222,6 +222,30 @@
         "aisia",
         "grc"
       ]
+    },
+    {
+      "name": "dora",
+      "source": "./plugins/dora",
+      "description": "DORA (Regulation (EU) 2022/2554) compliance advisor for EU financial entities \u2014 ICT risk management framework, incident classification and reporting, TLPT, ICT third-party risk, Register of Information, and all adopted RTS/ITS with article-level citations.",
+      "version": "0.3.0",
+      "author": {
+        "name": "Hemant Naik",
+        "email": "hemant.naik@gmail.com"
+      },
+      "homepage": "https://sushegaad.github.io/Claude-Skills-Governance-Risk-and-Compliance/",
+      "category": "compliance",
+      "keywords": [
+        "dora",
+        "eu-2022-2554",
+        "ict-risk",
+        "digital-operational-resilience",
+        "financial-entities",
+        "third-party-risk",
+        "tlpt",
+        "rts",
+        "its",
+        "grc"
+      ]
     }
   ]
 }

DORA - Claude Skill/dora.skill

@@ -1,11 +1,11 @@
 # Claude Skills for Governance, Risk & Compliance (GRC)
-Expert-level compliance guidance for ISO 27001, SOC 2, FedRAMP, GDPR, HIPAA, NIST CSF, PCI DSS, TSA Cybersecurity, ISO 42001 AI Management System, and ISO 27701 Privacy Information Management — powered by Claude Skills.
+Expert-level compliance guidance for ISO 27001, SOC 2, FedRAMP, GDPR, HIPAA, NIST CSF, PCI DSS, TSA Cybersecurity, ISO 42001 AI Management System, ISO 27701 Privacy Information Management, and DORA Digital Operational Resilience — powered by Claude Skills.
 
 Benchmarked across 18 test cases (2 per framework) using the eval framework — each graded against 4–5 verifiable assertions by independent agents. Skills scored **94% ± 10%** vs a baseline of 72% ± 28%.
 
 [![Release: v0.3.0](https://img.shields.io/badge/Release-v0.3.0-brightgreen.svg)](../../releases/tag/v0.3.0)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
-[![Skills: 10](https://img.shields.io/badge/Skills-10-green.svg)](#the-skills)
+[![Skills: 11](https://img.shields.io/badge/Skills-11-green.svg)](#the-skills)
 [![Built with Claude](https://img.shields.io/badge/Built%20with-Claude-orange.svg)](https://claude.ai)
 
 ---
@@ -25,6 +25,7 @@ Benchmarked across 18 test cases (2 per framework) using the eval framework —
   - [TSA Cybersecurity](#-tsa-cybersecurity)
   - [ISO 42001 AI Management System](#-iso-42001-ai-management-system)
   - [ISO 27701 Privacy Information Management](#-iso-27701-privacy-information-management)
+  - [DORA Digital Operational Resilience](#-dora-digital-operational-resilience)
 - [Potential Use Cases](#potential-use-cases)
 - [How to Install a Skill](#how-to-install-a-skill)
 - [Install via Claude Code Marketplace](#install-via-claude-code-marketplace)
@@ -261,6 +262,28 @@ The ISO 27701 skill turns Claude into an expert **ISO/IEC 27701:2025** Privacy I
 
 ---
 
+### 11. 🏦 DORA Digital Operational Resilience
+
+**File:** `DORA - Claude Skill/dora.skill`
+
+The DORA skill turns Claude into an expert advisor on **Regulation (EU) 2022/2554** (the Digital Operational Resilience Act) — the anchoring ICT regulation for EU financial entities since 17 January 2025. It encodes all 64 DORA articles, all 12 adopted RTS/ITS, and provides precise article-level guidance for every compliance workflow. It explicitly separates DORA from NIS2, legacy EBA ICT guidelines, and ISO 27001 — a common source of conflation in general LLM responses.
+
+**What it does:**
+- Conducts structured **DORA gap analyses** across all four pillars: ICT risk management framework (Chapter II, Art. 5–16), incident management (Chapter III, Art. 17–23), resilience testing / TLPT (Chapter IV, Art. 24–27), and ICT third-party risk (Chapter V, Art. 28–44)
+- Guides **ICT-related incident classification** against Art. 18 criteria and the materiality thresholds in CDR (EU) 2024/1772, with a full decision tree for major vs. non-major
+- Builds **three-stage incident reporting procedures** per Art. 19 and CDR (EU) 2025/301 — initial (4h), intermediate (72h), final (1 month) — including content requirements at each stage
+- Reviews and drafts **contractual provisions** per Art. 30(2)(a)–(i), flagging the common audit-rights gap with hyperscale cloud providers
+- Builds or validates the **Register of Information** with all mandatory fields per CIR (EU) 2024/2956
+- Assesses **ICT concentration risk** per Art. 28(6) and Art. 29 — including multi-function reliance on a single cloud provider
+- Scopes **TLPT programmes** per Art. 26 and CDR (EU) 2025/1190, covering threat intelligence phase, red team test, mutual recognition, and tester qualification requirements
+- Drafts **ICT risk management framework** documentation per Art. 6–14 and CDR (EU) 2024/1774
+- Precisely distinguishes **Chapter II** (proactive ICT risk governance) from **Chapter III** (reactive incident management) — a common compliance confusion point
+- References all **12 adopted RTS/ITS** by exact regulation number (CDR/CIR) with article-level mapping
+
+**Trigger phrases:** `DORA`, `Regulation (EU) 2022/2554`, `digital operational resilience`, `ICT risk management framework`, `DORA gap analysis`, `Art. 6 DORA`, `Art. 17 ICT incident`, `Art. 18 classification`, `Art. 19 incident reporting`, `Art. 26 TLPT`, `Art. 28 third-party risk`, `Art. 30 contractual provisions`, `Register of Information`, `CIR 2024/2956`, `CDR 2024/1772`, `CDR 2024/1773`, `CDR 2024/1774`, `CDR 2025/301`, `CDR 2025/1190`, `TLPT financial entities`, `ICT concentration risk`, `critical ICT TPSP`, `DORA vs NIS2`, `EBA ICT guidelines DORA`, `DORA incident classification`, `DORA reporting timelines`, `Chapter II DORA`, `Chapter III DORA`
+
+---
+
 ## Potential Use Cases
 
 | Scenario | Relevant Skill(s) |
@@ -319,6 +342,16 @@ The ISO 27701 skill turns Claude into an expert **ISO/IEC 27701:2025** Privacy I
 | Mapping ISO 27701:2025 controls to GDPR articles for a compliance audit | ISO 27701 |
 | Assessing sub-processor management obligations for a cloud-native B2B SaaS | ISO 27701 |
 | Integrating a PIMS with an existing ISO 27001:2022 ISMS to avoid duplicating controls | ISO 27701 + ISO 27001 |
+| Running a DORA gap analysis for an EU credit institution ahead of a supervisory review | DORA |
+| Classifying an ICT incident against Art. 18 criteria and CDR (EU) 2024/1772 thresholds | DORA |
+| Building a three-stage incident reporting procedure (4h / 72h / 1 month) per Art. 19 | DORA |
+| Reviewing ICT vendor contracts against Art. 30(2) mandatory provisions | DORA |
+| Building or validating the Register of Information per CIR (EU) 2024/2956 | DORA |
+| Assessing ICT concentration risk for a bank reliant on a single hyperscaler | DORA |
+| Scoping a TLPT programme and evaluating whether the Art. 26 threshold applies | DORA |
+| Drafting an ICT Third-Party Risk Policy satisfying CDR (EU) 2024/1773 | DORA |
+| Advising on the interaction between DORA and NIS2 for a financial entity | DORA |
+| Mapping DORA obligations to legacy EBA ICT guidelines and identifying what changed | DORA |
 
 ---
 
@@ -338,6 +371,7 @@ The ISO 27701 skill turns Claude into an expert **ISO/IEC 27701:2025** Privacy I
    | 🚨 TSA Cybersecurity | [TSA-Compliance.skill](https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/TSA%20Compliance%20-%20Claude%20Skill/TSA-Compliance.skill) |
    | 🤖 ISO 42001 AI Management System | [ISO-42001.skill](https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/ISO%2042001%20-%20Claude%20Skill/ISO-42001.skill) |
    | 🔒 ISO 27701 Privacy Information Management | [iso27701.skill](https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/ISO%2027701%20-%20Claude%20Skill/iso27701.skill) |
+   | 🏦 DORA Digital Operational Resilience | [dora.skill](https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/DORA%20-%20Claude%20Skill/dora.skill) |
 
 2. Open Claude and navigate to **Customize → Skills**.
 3. Click **Upload Skill** and select the `.skill` file.
@@ -357,7 +391,7 @@ Add the marketplace and install the skills you need directly from the terminal:
 
 ```shell
 /plugin marketplace add Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
-/plugin install iso27001@grc-skills soc2@grc-skills fedramp@grc-skills gdpr-compliance@grc-skills hipaa-compliance@grc-skills nist-csf@grc-skills pci-compliance@grc-skills tsa-compliance@grc-skills iso42001@grc-skills iso27701@grc-skills
+/plugin install iso27001@grc-skills soc2@grc-skills fedramp@grc-skills gdpr-compliance@grc-skills hipaa-compliance@grc-skills nist-csf@grc-skills pci-compliance@grc-skills tsa-compliance@grc-skills iso42001@grc-skills iso27701@grc-skills dora@grc-skills
 ```
 
 Teams can pre-wire the marketplace in `.claude/settings.json` so every developer gets the skills automatically when they open the project — no manual install required.

README.md

@@ -375,7 +375,7 @@ <h1>Claude Skills for Governance, Risk &amp; Compliance</h1>
   <div class="badges">
     <img src="https://img.shields.io/badge/Release-v0.3.0-brightgreen.svg" alt="Release v0.3.0" />
     <img src="https://img.shields.io/badge/License-MIT-blue.svg" alt="MIT License" />
-    <img src="https://img.shields.io/badge/Skills-10-green.svg" alt="10 Skills" />
+    <img src="https://img.shields.io/badge/Skills-11-green.svg" alt="11 Skills" />
     <img src="https://img.shields.io/badge/Built%20with-Claude-orange.svg" alt="Built with Claude" />
   </div>
 </header>
@@ -566,6 +566,21 @@ <h3>10. 🔒 ISO 27701 Privacy Information Management</h3>
       <div class="trigger-tags"><strong>Trigger phrases:</strong> <code>ISO 27701</code> <code>PIMS</code> <code>privacy information management</code> <code>PII controller</code> <code>PII processor</code> <code>DPIA</code> <code>RoPA</code> <code>data subject rights</code> <code>privacy by design</code> <code>data processing agreement</code> <code>GDPR alignment ISO 27701</code></div>
     </div>
 
+    <div class="skill-card">
+      <h3>11. 🏦 DORA Digital Operational Resilience</h3>
+      <span class="file-badge">DORA - Claude Skill/dora.skill</span>
+      <p>Turns Claude into an expert advisor on <strong>Regulation (EU) 2022/2554</strong> (DORA) — the anchoring ICT regulation for EU financial entities since 17 January 2025. Encodes all 64 DORA articles, all 12 adopted RTS/ITS, and provides precise article-level guidance. Explicitly separates DORA from NIS2, legacy EBA ICT guidelines, and ISO 27001.</p>
+      <ul>
+        <li>Conducts structured <strong>DORA gap analyses</strong> across ICT risk management (Chapter II, Art. 5–16), incident management (Chapter III, Art. 17–23), TLPT (Chapter IV, Art. 24–27), and third-party risk (Chapter V, Art. 28–44)</li>
+        <li>Guides <strong>ICT incident classification</strong> against Art. 18 criteria and CDR (EU) 2024/1772 materiality thresholds, with a full decision tree for major vs. non-major</li>
+        <li>Builds <strong>three-stage reporting procedures</strong> per Art. 19: initial (4h), intermediate (72h), final (1 month), including content requirements per CDR (EU) 2025/301</li>
+        <li>Reviews contracts against <strong>Art. 30(2)(a)–(i)</strong> mandatory provisions and flags the audit-rights gap common with hyperscale cloud providers</li>
+        <li>Builds and validates the <strong>Register of Information</strong> with all mandatory fields per CIR (EU) 2024/2956</li>
+        <li>Scopes <strong>TLPT programmes</strong> per Art. 26 and CDR (EU) 2025/1190, covering threat intelligence, red team, mutual recognition, and tester qualifications</li>
+      </ul>
+      <div class="trigger-tags"><strong>Trigger phrases:</strong> <code>DORA</code> <code>Regulation (EU) 2022/2554</code> <code>digital operational resilience</code> <code>ICT risk management framework</code> <code>Art. 18 classification</code> <code>Art. 19 incident reporting</code> <code>Art. 26 TLPT</code> <code>Art. 30 contractual provisions</code> <code>Register of Information</code> <code>ICT concentration risk</code> <code>DORA vs NIS2</code> <code>Chapter II DORA</code> <code>Chapter III DORA</code></div>
+    </div>
+
     <hr />
 
     <h2>Potential Use Cases</h2>
@@ -601,6 +616,14 @@ <h2>Potential Use Cases</h2>
           <tr><td>Completing a DPIA for a new AI feature that profiles users for targeted advertising</td><td>ISO 27701</td></tr>
           <tr><td>Mapping ISO 27701:2025 controls to GDPR articles for a compliance audit</td><td>ISO 27701</td></tr>
           <tr><td>Integrating a PIMS with an existing ISO 27001:2022 ISMS to avoid duplicating controls</td><td>ISO 27701 + ISO 27001</td></tr>
+          <tr><td>Running a DORA gap analysis for an EU credit institution ahead of a supervisory review</td><td>DORA</td></tr>
+          <tr><td>Classifying an ICT incident against Art. 18 criteria and CDR (EU) 2024/1772 thresholds</td><td>DORA</td></tr>
+          <tr><td>Building a three-stage incident reporting procedure (4h / 72h / 1 month) per Art. 19</td><td>DORA</td></tr>
+          <tr><td>Reviewing ICT vendor contracts against Art. 30(2) mandatory provisions</td><td>DORA</td></tr>
+          <tr><td>Building or validating the Register of Information per CIR (EU) 2024/2956</td><td>DORA</td></tr>
+          <tr><td>Assessing ICT concentration risk for a bank reliant on a single hyperscaler</td><td>DORA</td></tr>
+          <tr><td>Scoping a TLPT programme and evaluating whether Art. 26 applies</td><td>DORA</td></tr>
+          <tr><td>Advising on the interaction between DORA and NIS2 for a financial entity</td><td>DORA</td></tr>
         </tbody>
       </table>
     </div>
@@ -637,6 +660,7 @@ <h2>How to Install a Skill</h2>
           <tr><td>8. 🚨 TSA Cybersecurity</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/TSA%20Compliance%20-%20Claude%20Skill/TSA-Compliance.skill">TSA-Compliance.skill</a></td></tr>
           <tr><td>9. 🤖 ISO 42001 AI Management System</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/ISO%2042001%20-%20Claude%20Skill/ISO-42001.skill">ISO-42001.skill</a></td></tr>
           <tr><td>10. 🔒 ISO 27701 Privacy Information Management</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/ISO%2027701%20-%20Claude%20Skill/iso27701.skill">iso27701.skill</a></td></tr>
+          <tr><td>11. 🏦 DORA Digital Operational Resilience</td><td><a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/raw/main/DORA%20-%20Claude%20Skill/dora.skill">dora.skill</a></td></tr>
         </tbody>
       </table>
     </div>
@@ -650,7 +674,7 @@ <h2>Install via Claude Code Marketplace</h2>
     <p>Add the marketplace and install the skills you need directly from the terminal:</p>
 
     <pre><code>/plugin marketplace add Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
-/plugin install iso27001@grc-skills soc2@grc-skills fedramp@grc-skills gdpr-compliance@grc-skills hipaa-compliance@grc-skills nist-csf@grc-skills pci-compliance@grc-skills tsa-compliance@grc-skills iso42001@grc-skills</code></pre>
+/plugin install iso27001@grc-skills soc2@grc-skills fedramp@grc-skills gdpr-compliance@grc-skills hipaa-compliance@grc-skills nist-csf@grc-skills pci-compliance@grc-skills tsa-compliance@grc-skills iso42001@grc-skills iso27701@grc-skills dora@grc-skills</code></pre>
 
     <p>Teams can pre-wire the marketplace in <code>.claude/settings.json</code> so every developer gets the skills automatically when they open the project — no manual install required.</p>
     <p>📖 <a href="https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance/blob/main/INSTALLATION.md"><strong>Full installation instructions, team setup, and update guide → INSTALLATION.md</strong></a></p>

index.html

@@ -0,0 +1,24 @@
+{
+  "name": "dora",
+  "description": "DORA (Regulation (EU) 2022/2554) compliance advisor for EU financial entities — ICT risk management framework, incident classification and reporting, TLPT, ICT third-party risk, Register of Information, and all adopted RTS/ITS with article-level citations.",
+  "version": "0.3.0",
+  "author": {
+    "name": "Hemant Naik",
+    "email": "hemant.naik@gmail.com"
+  },
+  "homepage": "https://sushegaad.github.io/Claude-Skills-Governance-Risk-and-Compliance/",
+  "repository": "https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance",
+  "license": "MIT",
+  "keywords": [
+    "dora",
+    "eu-2022-2554",
+    "ict-risk",
+    "digital-operational-resilience",
+    "financial-entities",
+    "third-party-risk",
+    "tlpt",
+    "rts",
+    "its",
+    "grc"
+  ]
+}