
Comprehensive Guide to the DORA Regulation

Copyright ©2025 Advisera Expert Solutions Ltd. All rights reserved.


Table of Contents

1. Overview of DORA EU regulation .......... 3
2. Who must comply with the DORA regulation? .......... 4
3. Nine key requirements specified in the DORA regulation .......... 6
4. 18 steps to comply with DORA requirements .......... 9
5. List of documents required by the DORA regulation .......... 13
6. Which IT companies need to comply with DORA, and how? .......... 33
7. How to organize DORA training and awareness .......... 37
8. Penalties and enforcement .......... 49
9. Relationship to other standards and regulations .......... 51
10. What are DORA commission delegated regulations? .......... 53


1. Overview of DORA EU regulation

1.1. DORA regulation summary


DORA is a European Union regulation that specifies cybersecurity and resilience
requirements for financial organizations.

Its full name is “Regulation (EU) 2022/2554 on digital operational resilience for the financial
sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014,
(EU) No 909/2014 and (EU) 2016/1011,” and it was published on 14 December 2022.

Since DORA is a regulation, this means that it directly applies to practically any financial
entity in the European Union — in other words, EU Member States do not need to publish
their own regulations on cybersecurity for the financial sector, since financial
organizations must comply directly with DORA.

The “DORA” abbreviation stands for “Digital Operational Resilience Act.”

1.2. Why is DORA important?

DORA is important because it introduces the same level of cybersecurity and digital
resilience to all financial entities in all EU countries — this way, cybersecurity and
continuity of banks, insurance companies, and other financial organizations will be the
same across all EU countries.

1.3. Where can I find the full text of DORA?

Here is the official text of DORA: https://eur-lex.europa.eu/eli/reg/2022/2554/oj

You can also find the full text here, arranged by chapters and articles, and with the ability
to search by keyword: Full Text of DORA Regulation.

1.4. How is DORA structured?

The DORA regulation has 64 articles structured in the following nine chapters:

• Chapter I - General provisions
• Chapter II - ICT risk management
• Chapter III - ICT-related incident management, classification and reporting
• Chapter IV - Digital operational resilience testing
• Chapter V - Managing of ICT third-party risk
• Chapter VI - Information-sharing arrangements
• Chapter VII - Competent authorities
• Chapter VIII - Delegated acts
• Chapter IX - Transitional and final provisions

1.5. DORA regulation timeline

DORA was published in December 2022, and it applies starting January 17, 2025.

This means that all financial organizations and their IT suppliers must be compliant from
January 2025.



2. Who must comply with the DORA regulation?

Since DORA is a regulation focused on financial entities, it is expected that all kinds of
financial organizations need to be compliant with it.

But what is interesting is that smaller financial organizations have to comply with different
parts of DORA compared to other financial entities, and even more interesting is that IT
companies that provide their services to financial organizations need to be compliant as
well.

2.1. Which financial organizations must comply with DORA?

In its Article 2, DORA specifies that it applies to almost all financial entities in all EU
countries:

• credit institutions
• payment institutions
• account information service providers
• electronic money institutions
• investment firms
• crypto-asset service providers
• central securities depositories
• central counterparties
• trading venues
• trade repositories
• managers of alternative investment funds
• management companies
• data reporting service providers
• insurance and reinsurance undertakings
• insurance intermediaries, reinsurance intermediaries and ancillary insurance
intermediaries
• institutions for occupational retirement provision
• credit rating agencies
• administrators of critical benchmarks
• crowdfunding service providers
• securitisation repositories

However, there are differences between what smaller financial organizations need to
comply with when compared to other financial organizations.

2.2. Smaller vs. other financial organizations in DORA

Out of the financial organizations listed above, the following sub-groups have a little bit
easier job of complying with DORA:

• small and non-interconnected investment firms
• small payment institutions exempted by the decision of Member States according
to Directive (EU) 2015/2366
• specific credit institutions defined in Directive 2013/36/EU (if Member States did not
exclude them completely from DORA)
• small electronic money institutions exempted by the decision of Member States
according to Directive 2009/110/EC
• small institutions for occupational retirement provision.

These smaller organizations must comply with the “simplified ICT risk management
framework” that is specified in DORA’s Article 16 and in Title III of CDR 2024/1774
Regulatory technical standards specifying ICT risk management tools, methods, processes,
and policies and the simplified ICT risk management framework. In other words, these
smaller financial entities do not need to comply with the whole of Chapter II (ICT risk
management) like the other financial organizations.

However, smaller financial organizations must comply with other parts of DORA in the
same way as all the other organizations.

2.3. ICT third-party service providers

IT companies that provide services to financial organizations in the European Union must
comply with requirements specified in Chapter V Managing of ICT third-party risk.

In particular, all IT service providers must be compliant with security standards, and follow
specific contractual obligations; however, if a service provider is designated as critical, then
the requirements are much stricter.

See sections below to find out which IT companies need to comply with DORA, and how.



3. Nine key requirements specified in the DORA regulation

The DORA regulation is quite lengthy: 106 preamble items and 64 articles, altogether 79
pages — it would probably take you a couple of days (if not weeks) to read it through. To
save you some reading time, the text below summarizes the most important points from
DORA.

Please keep in mind these are requirements from the point of view of financial
organizations and their IT suppliers that need to comply with DORA, not from the
viewpoint of competent authorities (i.e., government bodies in charge of enforcing this
regulation).

3.1. Very detailed requirements for ICT risk management

The requirements for ICT risk management are described in DORA’s Chapter II, and in
CDR 2024/1774 Regulatory technical standards specifying ICT risk management tools,
methods, processes, and policies and the simplified ICT risk management framework;
altogether 54 articles in 42 pages — a lot to take in.

DORA has structured the ICT risk management requirements in the following way:

• Governance and organisation
• ICT risk management framework
• ICT systems, protocols and tools
• Identification
• Protection and prevention
• Detection
• Response and recovery
• Backup policies and procedures, restoration and recovery procedures and
methods
• Learning and evolving
• Communication

3.2. Simplified ICT risk management framework for smaller financial entities

The ICT risk management requirements specified above would probably be overwhelming
for smaller financial organizations, which is why DORA has specified a “lighter” version of
ICT risk management for such entities.

This simplified ICT risk management framework is specified in DORA’s Article 16 and in
Title III of CDR 2024/1774 Regulatory technical standards specifying ICT risk management
tools, methods, processes, and policies and the simplified ICT risk management
framework.

The simplified framework follows a very similar structure to the “regular” ICT risk
management specified in DORA’s Chapter II, with the main difference being that the
requirements are not as detailed nor as strict.



3.3. Incident & threat classification and reporting

DORA dedicates the whole of Chapter III to management, classification, and
reporting of incidents and threats. It requires setting up an incident management
process, defines criteria for classifying incidents and threats, and defines how they need to
be reported.

Similar to requirements in NIS 2, financial entities need to submit the following incident
reports to competent authorities: initial notification, intermediate report, and a final report;
further, they need to inform them about significant cyber threats. Financial organizations
also need to inform their clients of any major ICT-related incidents or significant cyber
threats.

3.4. Testing of digital operational resilience, including penetration testing

In its Chapter IV, DORA requires financial entities to execute a digital operational resilience
testing program that includes “a range of assessments, tests, methodologies, practices
and tools.”

The tests need to be performed at least once a year on all ICT systems supporting critical
or important functions. According to Article 25, those tests could include “vulnerability
assessments and scans, open source analyses, network security assessments, gap
analyses, physical security reviews, questionnaires and scanning software solutions, source
code reviews where feasible, scenario-based tests, compatibility testing, performance
testing, end-to-end testing and penetration testing.”

Article 26 introduces the concept of Threat-Led Penetration Testing (TLPT) that needs to
be carried out at least once every three years, and provides detailed rules for such testing.

3.5. Managing risks related to ICT third-party providers

DORA specifies very strict rules on how financial entities need to handle their IT providers,
in order to reduce third-party risks. Those rules include adopting a strategy on ICT third-
party risk and a policy on the use of ICT services, regular review of third-party risks, and
preparing an exit strategy (Article 28).

Further, financial entities must perform a preliminary assessment of an IT supplier before
starting to use their products and services (Article 29) and make sure they comply with
information security standards.

Finally, in Article 30, DORA specifies minimum contractual clauses that need to
be included in agreements with ICT third-party providers.

3.6. Requirements for ICT service providers and their oversight by the
government

ICT third-party providers that provide their services to financial organizations need to
comply with security standards, and with specific contractual requirements. If those
service providers are designated as critical, then there are a lot more requirements they
have to comply with.

European Supervisory Authorities (ESAs) will appoint a Lead Overseer for each ICT third-
party provider that is classified as critical. According to Article 33, the purpose of the Lead
Overseer is to continually assess whether such an IT provider has in place “comprehensive,
sound and effective rules, procedures, mechanisms and arrangements to manage the ICT
risk which it may pose to financial entities.”

Lead Overseers have the right of full access to any information from ICT third-party
providers, and they can conduct investigations and issue recommendations, as well as
enforce fines and other penalties.

3.7. Sharing information on cyber threats

Although Chapter VI is the shortest chapter in DORA, it might introduce quite big
changes in how threat intelligence is handled.

It specifies the baseline for exchange of cyber threat information and intelligence, and the
role of competent authorities and IT service providers.

3.8. Government bodies (competent authorities) in charge of enforcing DORA

According to regulations referenced in Article 46, for the majority of financial entities that
need to be compliant with DORA, EU Member States designate competent authorities
that supervise and enforce financial regulations.

There are a couple of exceptions, where EU authorities directly supervise and enforce
financial regulations:

• For credit institutions classified as significant - the European Central Bank (ECB)
• For securitisation repositories - the European Securities and Markets Authority
(ESMA)

3.9. Penalties for financial organizations and ICT third-party providers

For financial entities, DORA does not specify minimum fines — rather, it gives the freedom
to Member States to define their own fines in their countries. It does, however, specify
other penalties that can be enacted by competent authorities, including giving orders to
stop activities not compliant with DORA, defining any measures to make sure entities are
compliant with DORA, and issuing public notices.

For critical ICT third-party service providers, DORA specifies a fine of up to 1% of their
worldwide annual turnover. Further, the Lead Overseer (the body that supervises critical
service providers) must issue public notice that reveals the name of the service provider
that was fined.

Finally, a competent authority overseeing a financial organization using the services of a
third-party service provider that is not compliant with DORA can order this financial
organization to stop using those services.


4. 18 steps to comply with DORA requirements

If your financial organization needs to comply with the DORA regulation, you need a
comprehensive approach to make sure you comply with all the requirements. The steps in
the text below present the best practice to cover all of those complex requirements.

From our experience, the following 18 steps will enable you to comply with DORA
efficiently. Before reading the steps, a couple of important notes:

• The steps below are designed for financial organizations, whereas for IT companies
that need to comply with DORA, see section “Which IT companies need to comply
with DORA, and how?”
• In its Article 16, DORA specifies special rules for smaller financial organizations
called the “simplified ICT risk management framework” — nevertheless, even for
such smaller organizations, the 18 steps listed below are valid, the only difference
being that the requirements might be somewhat less strict. See which financial
entities qualify for simplified risk management in the section “Who must comply
with the DORA regulation?”

4.1. Start with a gap analysis

First, since your financial entity probably already complies with many DORA
requirements, it is useful to find out what you are missing.

Once you know your gap, you can decide which of the following steps are applicable to
you.

4.2. Obtain senior management support

Even though compliance with DORA is mandatory, you still might have problems with
implementing various aspects of it — this is why it is important to have formal approval
from the top management for the project, together with enough time, people, and
budget to implement it.

This way, you will be able to overcome most of the problems that you will face during the
project.

4.3. Set up project management

To make your project run more smoothly, you need to define:

• Responsibilities — who is in charge (project manager), who from the senior
management will help you if you get stuck (project sponsor), and with whom from
the mid-level management you need to cooperate the most (project team). If you
already have a security committee, this might serve as your project team.
• Milestones — define the major steps in your project, and their timing.
• Project outcomes — define exactly what kinds of documents, activities, and other
things will be produced during the project.

4.4. Perform initial training

Since DORA and its related Commission Delegated Regulations are quite complex, you
should train the project team at the very early stage of the project. In the beginning, it
makes sense to start with introductory topics on DORA, and later on focus on specific
DORA requirements.

This way, you will have a knowledgeable team of people that will execute the project in a
much more efficient way.

4.5. Define governance and senior management's role

In its Article 5, DORA is quite specific regarding the responsibilities of the senior
management, and how to set up the governance of ICT risks. This includes setting up
policies, roles, and responsibilities; approving the strategy, audit plans, and budget; setting
up reporting channels, etc.

Such governance is the foundation upon which the ICT risk management is built.

4.6. Set up the ICT risk management framework

Article 6 specifies what the risk management framework looks like — according to it, you
need to establish appropriate “… strategies, policies, procedures, ICT protocols and tools
that are necessary to duly and adequately protect all information assets and ICT assets.”

This kind of documented framework will enable you to perform the next steps, starting
with risk assessment and treatment.

4.7. Perform asset identification, risk assessment, and treatment

In its Article 8, DORA requires financial organizations to “identify, classify and adequately
document all ICT supported business functions, roles and responsibilities, the information
assets and ICT assets supporting those functions, and their roles and dependencies,” and,
on top of this, to identify threats, vulnerabilities, and risks.

Further, it requires classifying those assets that are considered critical, and identifying if
ICT third-party service providers support any critical or important functions.

This kind of analysis is important to decide which cybersecurity measures need to be
implemented.

4.8. Write and approve the digital operational resilience strategy

Article 8(6) requires a comprehensive document to be written, called the digital
operational resilience strategy — it must include several elements, including how the risk
management framework supports business strategy and objectives, risk tolerance level,
and security objectives, and it needs to explain how the risk management framework
needs to be implemented.


This is a crucial step because it sets in motion the implementation of concrete
cybersecurity and resilience measures.

4.9. Implement cybersecurity measures

Articles 9 and 10 specify various cybersecurity measures that must be implemented,
including network management, access control, authentication, change management,
patches and updates, detection of anomalous activities, etc.

These will probably take the longest time to implement, but this is, in fact, the core of
cybersecurity.

4.10. Implement resilience measures

Articles 11 and 12 are oriented towards business continuity, and include a top-level ICT
business continuity policy, business impact analysis (BIA), response and recovery plans,
crisis management and communication, and testing, but also backup and restoration.

These measures are a bit more abstract than the cybersecurity measures from the
previous step, but are nevertheless equally important, especially when a financial
organization needs to deal with larger incidents.

4.11. Set up risk management for ICT third-party risk

DORA dedicates Articles 28 to 30 to how to handle IT companies that provide their
services to financial organizations. This includes assessing the risks related to a particular
IT provider, specific contractual obligations, defining the exit strategy, etc.

DORA recognizes that managing supply chain risk is of the greatest importance, which is
why it introduces government oversight of critical IT service providers, although financial
organizations are not directly impacted by such oversight.

4.12. Set up regular cybersecurity training

Articles 5, 13, and 16 require financial organizations to set up regular training and
awareness for all employees, including the senior management. Articles 13 and 30 go a
step further, and require financial entities to “include ICT third-party service providers in
their relevant training schemes.”

This step is pretty obvious — with all these complex rules and requirements, it would be
hard to expect that people would follow them without being trained and aware.

4.13. Set up incident & threat classification and reporting

Articles 17 to 19 require financial organizations to “define, establish and implement an ICT-
related incident management process to detect, manage and notify ICT-related
incidents,” including their classification and reporting to authorities.

Despite all the (preventive) cybersecurity measures, it will be impossible to avoid every
incident — this is why the response to them needs to be effective, and all interested
parties need to be informed.



4.14. Set up regular digital operational resilience testing

The whole Chapter IV is dedicated to digital operational resilience testing and requires
“the execution of appropriate tests, such as vulnerability assessments and scans, open
source analyses, network security assessments, gap analyses, physical security reviews,
questionnaires and scanning software solutions, source code reviews where feasible,
scenario-based tests, compatibility testing, performance testing, end-to-end testing and
penetration testing,” “for the purpose of assessing preparedness for handling ICT-related
incidents, of identifying weaknesses, deficiencies and gaps in digital operational resilience,
and of promptly implementing corrective measures.” This also includes the “Threat-Led
Penetration Testing.”

This kind of testing is crucial in order to find out what the real situation is. The internal
audit explained in step #16 has a similar purpose, but is done in a different way.

4.15. Set up measurement, monitoring, and reviews

It is impossible to manage anything, let alone cybersecurity and resilience in a financial
entity, if you’re not informed about its performance. This is why Article 13 requires several
types of reports and information to reach appropriate managers, including post-incident
reviews, lessons from operational testing, effectiveness of the implementation of the
digital operational resilience strategy, technological developments, etc.

This way, the management can react quickly and appropriately to any trend or risk.

4.16. Conduct periodic internal audits

Articles 5 and 6 require financial entities to perform regular internal audits by auditors that
have enough independence, and “sufficient knowledge, skills and expertise in ICT risk.”

Such audits are crucial to find out what the reality is in a company, because very often
policies and procedures define one thing, but in reality employees might be doing
something very different.

4.17. Conduct periodic management review

Article 5 specifies several review activities that need to be performed regularly by the
senior management — these include reviewing the business continuity policy, response
and recovery plans, policy for the use of third-party ICT services, various reports, internal
audits, digital resilience budget, etc.

Such reviews are crucial, because this is how the senior management is informed about
key risks and activities related to cybersecurity and resilience.

4.18. Execute follow-up actions and corrective measures

Follow-up actions and corrective measures are mentioned in different contexts in DORA
— e.g., Article 6 requires a follow-up process after an internal audit, Article 17 requires a
follow-up after incidents, Article 24 requires corrective measures after digital operational
resilience testing, while Article 30 requires corrective actions to be included in the
contracts with IT suppliers.

All of these are crucial for ICT risk management to be continually improved and,
consequently, digital operational resilience to be raised to a better level.

5. List of documents required by the DORA regulation

The DORA regulation is pretty specific on what needs to be implemented in order to
ensure cybersecurity and resilience of IT systems. The problem is that there are many
requirements, and it is hard to conclude what needs to be covered with which
documents.

The table below maps each relevant requirement from DORA with documents that are
the best suited to cover those requirements.

5.1. DORA requirements and related documents

Before you start reading the list below, a couple of notes:

* “Smaller” financial organizations are the following entities (these are the ones that must
go for the simplified ICT risk management framework according to DORA Article 16):

• small and non-interconnected investment firms
• small payment institutions exempted by the decision of Member States according
to Directive (EU) 2015/2366
• specific credit institutions defined in Directive 2013/36/EU (if Member States did not
exclude them completely from DORA)
• small electronic money institutions exempted by the decision of Member States
according to Directive 2009/110/EC
• small institutions for occupational retirement provision.

** “Microenterprises” are those financial entities that employ fewer than 10 persons and
have an annual turnover and/or annual balance sheet total that does not exceed 2 million
euros.

The table has four columns: Requirements, References, Which financial entities, and Usually documented through. Each row is given below as one entry.

Requirement: Set clear roles and responsibilities for all ICT-related functions
References: DORA Article 5(2)(c); CDR 2024/1774 Title II
Which financial entities: All except smaller*
Usually documented through: Each document listed in this column must define clear roles and responsibilities for all specified activities

Requirement: Establish appropriate governance arrangements
References: DORA Article 5(2)(c); CDR 2024/1774 Title II
Which financial entities: All except smaller
Usually documented through: Information Security Policy + all documents listed in this column

Requirement: Set and approve digital operational resilience strategy; the ICT risk management framework shall include a digital operational resilience strategy setting out how the framework shall be implemented, and shall include methods to address ICT risk and attain specific ICT objectives
References: DORA Article 5(2)(d); Article 6(8); CDR 2024/1774 Title II
Which financial entities: All except smaller
Usually documented through: Digital Operational Resilience Strategy

Requirement: Approve, oversee and periodically review the implementation of ICT business continuity policy
References: DORA Article 5(2)(e); CDR 2024/1774 Title II
Which financial entities: All except smaller
Usually documented through: ICT Business Continuity Policy

Requirement: Approve, oversee and periodically review the implementation of ICT response and recovery plans
References: DORA Article 5(2)(e); CDR 2024/1774 Title II
Which financial entities: All except smaller
Usually documented through: Disruptive Incident Response Plan + Activity Recovery Plan for (activity name) + ICT Disaster Recovery Plan

Requirement: Approve and periodically review ICT internal audit plan
References: DORA Article 5(2)(f); CDR 2024/1774 Title II
Which financial entities: All except smaller
Usually documented through: Internal Audit Program

Requirement: Allocate and periodically review the appropriate budget
References: DORA Article 5(2)(g); CDR 2024/1774 Title II
Which financial entities: All except smaller
Usually documented through: Digital Operational Resilience Strategy

Requirement: Approve and periodically review policy on arrangements regarding the use of ICT services provided by ICT third-party service providers
References: DORA Article 5(2)(h); CDR 2024/1774 Title II
Which financial entities: All except smaller
Usually documented through: Supplier Security Policy

Requirement: Reporting channels related to ICT third-party service providers: arrangements concluded, planned material changes, and their impact on critical or important functions
References: DORA Article 5(2)(i); CDR 2024/1774 Title II
Which financial entities: All except smaller
Usually documented through: Supplier Security Policy

Requirement: Establish a role in order to monitor the arrangements concluded with ICT third-party service providers on the use of ICT services, or designate a member of senior management as responsible for overseeing the related risk exposure
References: DORA Article 5(3); CDR 2024/1774 Title II
Which financial entities: All except smaller and microenterprises**
Usually documented through: Information Security Policy + Supplier Security Policy

Requirement: Members of the management body of the financial entity must actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations
References: DORA Article 5(4); CDR 2024/1774 Title II
Which financial entities: All except smaller
Usually documented through: Security Policy for Human Resources + Training and Awareness Plan

Requirement: The ICT risk management framework shall include at least strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information assets and ICT assets
References: DORA Article 6(2); CDR 2024/1774 Title II
Which financial entities: All except smaller
Usually documented through: Information Security Policy + all documents listed in this column

Requirement: Minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools
References: DORA Article 6(3); CDR 2024/1774 Title II
Which financial entities: All except smaller
Usually documented through: Information Security Policy + all documents listed in this column

Requirement: Assign the responsibility for managing and overseeing ICT risk to a control function
References: DORA Article 6(4); CDR 2024/1774 Title II
Which financial entities: All except smaller and microenterprises
Usually documented through: Information Security Policy

Requirement: Ensure appropriate segregation and independence of ICT risk management functions, control functions, and internal audit functions
References: DORA Article 6(4); CDR 2024/1774 Title II
Which financial entities: All except smaller
Usually documented through: Information Security Policy

Requirement: The ICT risk management framework shall be documented and reviewed
References: DORA Article 6(5); CDR 2024/1774 Title II
Which financial entities: All except smaller
Usually documented through: Information Security Policy

Requirement: The ICT risk management framework shall be subject to internal audit by auditors on a regular basis
References: DORA Article 6(6); CDR 2024/1774 Title II
Which financial entities: All except smaller and microenterprises
Usually documented through: Information Security Policy + Internal Audit Procedure

Requirement: Internal auditors shall possess sufficient knowledge, skills and expertise in ICT risk, as well as appropriate independence
References: DORA Article 6(6); CDR 2024/1774 Title II
Which financial entities: All except smaller and microenterprises
Usually documented through: Internal Audit Procedure

Requirement: Establish a formal follow-up process, including rules for the timely verification and remediation of critical ICT audit findings
References: DORA Article 6(7); CDR 2024/1774 Title II
Which financial entities: All except smaller
Usually documented through: Internal Audit Procedure + Procedure for Corrective Actions

Requirement: Identify, classify and adequately document all ICT supported business functions, roles and responsibilities,
References: DORA Article 8(1)
Usually documented through: Asset Management
the information assets and ICT assets CDR All except smaller Procedure + Asset
supporting those functions, and their 2024/1774 Register
roles and dependencies in relation to Title II
ICT risk

On a continuous basis, identify all


sources of ICT risk, in particular the risk DORA Article
Risk Management
exposure to and from other financial 8(2)
Methodology + Risk
entities, and assess cyber threats and CDR All except smaller
Assessment Table / Risk
ICT vulnerabilities relevant to their ICT 2024/1774
Register
supported business functions, Title II
information assets and ICT assets

DORA Article
Risk Management
Review on a regular basis, and at least 8(2)
Methodology + Risk
yearly, the risk scenarios impacting CDR All except smaller
Assessment Table / Risk
them. 2024/1774
Register
Title II

Perform a risk assessment upon each


major change in the network and DORA Article
Risk Management
information system infrastructure, in 8(3) All except smaller
Methodology + Risk
the processes or procedures affecting CDR and
Assessment Table / Risk
their ICT supported business 2024/1774 microenterprises
Register
functions, information assets or ICT Title II
assets

Identify all information assets and ICT DORA Article


assets, including those on remote 8(4) Asset Management
sites, network resources and hardware CDR All except smaller Procedure + Asset
equipment, and map those 2024/1774 Register
considered critical Title II

Map the configuration of the DORA Article


information assets and ICT assets and 8(4) Asset Management
the links and interdependencies CDR All except smaller Procedure + Asset
between the different information 2024/1774 Register
assets and ICT assets Title II

Identify and document all processes


that are dependent on ICT third-party DORA Article
service providers, and identify 8(5) Asset Management
interconnections with ICT third-party CDR All except smaller Procedure + Asset
service providers that provide services 2024/1774 Register
that support critical or important Title II
functions

Copyright © 2025 Advisera Expert Solutions Ltd. All rights reserved. 16


Which financial Usually documented
Requirements References
entities through
For the purposes of paragraphs 1, 4
DORA Article
and 5 of Article 8, maintain relevant
8(6) Asset Management
inventories and update them
CDR All except smaller Procedure + Asset
periodically and every time any major
2024/1774 Register
change as referred to in paragraph 3
Title II
occurs

On a regular basis, and at least yearly, DORA Article


Risk Management
conduct a specific ICT risk assessment 8(7) All except smaller
Methodology + Risk
on all legacy ICT systems and, in any CDR and
Assessment Table / Risk
case before and after connecting 2024/1774 microenterprises
Register
technologies, applications or systems Title II

DORA Article
Continuously monitor and control the 9(1)
Logging and
security and functioning of ICT CDR All except smaller
Monitoring Procedure
systems and tools 2024/1774
Title II

Design, procure and implement ICT


security policies, procedures, protocols DORA Article
and tools that aim to ensure the 9(2) Information Security
resilience, continuity and availability of CDR All except smaller Policy + all documents
ICT systems, in particular for those 2024/1774 listed in this column
supporting critical or important Title II
functions

Develop and document an


information security policy defining DORA Article
rules to protect the availability, 9(4)(a)
Information Security
authenticity, integrity and CDR All except smaller
Policy
confidentiality of data, information 2024/1774
assets and ICT assets, including those Title II
of their customers

Establish a sound network and


infrastructure management structure
using appropriate techniques,
DORA Article
methods and protocols; design the
9(4)(b)
network connection infrastructure in a
CDR All except smaller Network Security Policy
way that allows it to be
2024/1774
instantaneously severed or
Title II
segmented in order to minimise and
prevent contagion, especially for
interconnected financial processes

Implement policies that limit the


physical or logical access to DORA Article
information assets and ICT assets, and 9(4)(c)
establish to that end a set of policies, CDR All except smaller Access Control Policy
procedures and controls that address 2024/1774
access rights and ensure a sound Title II
administration thereof

Copyright © 2025 Advisera Expert Solutions Ltd. All rights reserved. 17


Which financial Usually documented
Requirements References
entities through
DORA Article
9(4)(d)
Implement policies and protocols for
CDR All except smaller Authentication Policy
strong authentication mechanisms
2024/1774
Title II

Implement documented policies,


procedures and controls for ICT DORA Article
change management; the ICT change 9(4)(e) ICT Change
management process shall be CDR All except smaller Management
approved by appropriate lines of 2024/1774 Procedure
management and shall have specific Title II
protocols in place

DORA Article
Have appropriate and comprehensive 9(4)(f) Vulnerability and Patch
documented policies for patches and CDR All except smaller Management
updates 2024/1774 Procedure
Title II

Have in place mechanisms to


promptly detect anomalous activities, DORA Article
including ICT network performance 10(1)
Logging and
issues and ICT-related incidents, and CDR All except smaller
Monitoring Procedure
to identify potential material single 2024/1774
points of failure; all detection Title II
mechanisms must be regularly tested

Detection mechanisms must enable


multiple layers of control, define alert
DORA Article
thresholds and criteria to trigger and
10(2)
initiate ICT-related incident response Logging and
CDR All except smaller
processes, including automatic alert Monitoring Procedure
2024/1774
mechanisms for relevant staff in
Title II
charge of ICT-related incident
response

Devote sufficient resources and DORA Article


capabilities to monitor user activity, 10(3)
Logging and
the occurrence of ICT anomalies and CDR All except smaller
Monitoring Procedure
ICT-related incidents, in particular 2024/1774
cyber-attacks Title II

Put in place a comprehensive ICT DORA Article


business continuity policy, which may 11(1)
ICT Business Continuity
be adopted as a dedicated specific CDR All except smaller
Policy
policy, forming an integral part of the 2024/1774
overall business continuity policy Title II

Copyright © 2025 Advisera Expert Solutions Ltd. All rights reserved. 18


Which financial Usually documented
Requirements References
entities through
Business Impact
Analysis
Methodology + Digital
Implement the ICT business continuity Operational Resilience
policy through dedicated, appropriate Strategy + Crisis
DORA Article
and documented arrangements, Management
11(2)
plans, procedures and mechanisms Plan + Business
CDR All except smaller
aiming to ensure the continuity, Continuity
2024/1774
quickly, appropriately and effectively Plan + Disruptive
Title II
respond to, and resolve, all ICT-related Incident Response
incidents Plan + ICT Disaster
Recovery Plan + Activity
Recovery Plan for
(activity name)

Activate, without delay, dedicated


plans that enable containment DORA Article
measures, processes and technologies 11(2)(c)
Disruptive Incident
suited to each type of ICT-related CDR All except smaller
Response Plan
incident and prevent further damage, 2024/1774
as well as tailored response and Title II
recovery procedures

DORA Article
11(2)(d)
Estimate preliminary impacts, Business Continuity
CDR All except smaller
damages and losses Plan
2024/1774
Title II

Set out communication and crisis DORA Article


management actions that ensure that 11(2)(e)
Crisis Management
updated information is transmitted to CDR All except smaller
Plan
all relevant internal staff and external 2024/1774
stakeholders Title II

DORA Article Disruptive Incident


11(3) Response Plan + ICT
Implement ICT response and recovery
CDR All except smaller Disaster Recovery
plans
2024/1774 Plan + Activity Recovery
Title II Plan for (activity name)

Maintain and periodically test


DORA Article
appropriate ICT business continuity
11(4) ICT Business Continuity
plans, notably with regard to critical or
CDR All except smaller Policy + Exercising and
important functions outsourced or
2024/1774 Testing Plan
contracted through arrangements
Title II
with ICT third-party service providers

DORA Article Business Impact


Conduct a business impact analysis 11(5) Analysis
(BIA) of exposure to severe business CDR All except smaller Methodology + Business
disruptions 2024/1774 Impact Analysis
Title II Questionnaire

Copyright © 2025 Advisera Expert Solutions Ltd. All rights reserved. 19


Which financial Usually documented
Requirements References
entities through
Test the ICT business continuity plans DORA Article
and the ICT response and recovery 11(6)
Exercising and Testing
plans in relation to ICT systems CDR All except smaller
Plan
supporting all functions at least yearly; 2024/1774
test the crisis communication plans Title II

Include in the testing plans scenarios


DORA Article
of cyber-attacks and switchovers
11(6) All except smaller
between the primary ICT Exercising and Testing
CDR and
infrastructure and the redundant Plan
2024/1774 microenterprises
capacity, backups and redundant
Title II
facilities

DORA Article
Regularly review ICT business 11(6)
ICT Business Continuity
continuity policy and ICT response and CDR All except smaller
Policy
recovery plans 2024/1774
Title II

Have a crisis management function,


which, in the event of activation of DORA Article
their ICT business continuity plans or 11(7) All except smaller
Crisis Management
ICT response and recovery plans, must CDR and
Plan
set out clear procedures to manage 2024/1774 microenterprises
internal and external crisis Title II
communications

Keep readily accessible records of DORA Article


activities before and during disruption 11(8) ICT Disaster Recovery
events when their ICT business CDR All except smaller Plan + Activity Recovery
continuity plans and ICT response and 2024/1774 Plan for (activity name)
recovery plans are activated Title II

DORA Article
Report to the competent authorities
11(10) All except smaller
an estimation of aggregated annual Incident Handling
CDR and
costs and losses caused by major ICT- Policy
2024/1774 microenterprises
related incidents
Title II

DORA Article
Develop and document backup
12(1)
policies and procedures, and Backup Policy + Backup
CDR All except smaller
restoration and recovery procedures Restoration Procedure
2024/1774
and methods
Title II

DORA Article
Testing of the backup procedures and
12(2)
restoration and recovery procedures Backup Restoration
CDR All except smaller
and methods must be undertaken Procedure
2024/1774
periodically
Title II

Copyright © 2025 Advisera Expert Solutions Ltd. All rights reserved. 20


Which financial Usually documented
Requirements References
entities through
DORA Article
When restoring backup data using
12(3)
own systems, use ICT systems that are Backup Restoration
CDR All except smaller
physically and logically segregated Procedure
2024/1774
from the source ICT system
Title II

DORA Article
Maintain redundant ICT capacities
12(4)
equipped with resources, capabilities Digital Operational
CDR All except smaller
and functions that are adequate to Resilience Strategy
2024/1774
ensure business needs
Title II

In determining the recovery time and


DORA Article Business Impact
recovery point objectives for each
12(6) Analysis
function, take into account whether it
CDR All except smaller Methodology + Digital
is a critical or important function and
2024/1774 Operational Resilience
the potential overall impact on market
Title II Strategy
efficiency

DORA Article
When recovering from an ICT-related
12(7)
incident, perform necessary checks, Incident Handling
CDR All except smaller
including any multiple checks and Policy
2024/1774
reconciliations
Title II

Have in place capabilities and staff to


DORA Article
gather information on vulnerabilities
13(1)
and cyber threats, ICT-related Logging and
CDR All except smaller
incidents, in particular cyber-attacks, Monitoring Procedure
2024/1774
and analyse the impact they are likely
Title II
to have

Put in place post ICT-related incident


reviews after a major ICT-related DORA Article Incident Handling
incident disrupts their core activities, 13(2) Policy + Post Incident
analysing the causes of disruption and CDR All except smaller Review Form +
identifying required improvements to 2024/1774 Procedure for
the ICT operations or within the ICT Title II Corrective Actions
business continuity policy

On a continuous basis incorporate into


the ICT risk assessment process
lessons derived from the digital
DORA Article
operational resilience testing and from
13(3); Article
real life ICT-related incidents, along Risk Management
13(5)
with challenges faced upon the All except smaller Methodology + Incident
CDR
activation of ICT business continuity Handling Policy
2024/1774
plans and ICT response and recovery
Title II
plans; senior ICT staff shall report at
least yearly to the management body
on the findings

Copyright © 2025 Advisera Expert Solutions Ltd. All rights reserved. 21


Which financial Usually documented
Requirements References
entities through
Monitor the effectiveness of the
implementation of their digital
operational resilience strategy, map
the evolution of ICT risk over time,
Digital Operational
analyse the frequency, types, DORA Article
Resilience Strategy +
magnitude and evolution of ICT- 13(4)
Risk Management
related incidents, in particular cyber- CDR All except smaller
Methodology +
attacks and their patterns, with a view 2024/1774
Information Security
to understanding the level of ICT risk Title II
Policy
exposure, in particular in relation to
critical or important functions, and
enhance the cyber maturity and
preparedness

Develop ICT security awareness


programmes and digital operational
resilience training as compulsory
modules in their staff training
schemes; those programmes and
DORA Article
training must be applicable to all Security Policy for
13(6)
employees and to senior Human
CDR All except smaller
management staff, and must have a Resources + Training
2024/1774
level of complexity commensurate to and Awareness Plan
Title II
the remit of their functions; where
appropriate, financial entities must
also include ICT third-party service
providers in their relevant training
schemes

Monitor relevant technological


developments on a continuous basis, DORA Article
also with a view to understanding the 13(7) All except smaller
Information Security
possible impact of the deployment of CDR and
Policy
such new technologies on ICT security 2024/1774 microenterprises
requirements and digital operational Title II
resilience

Have in place crisis communication


DORA Article
plans enabling a responsible
14(1)
disclosure of, at least, major ICT- Crisis Management
CDR All except smaller
related incidents or vulnerabilities to Plan
2024/1774
clients and counterparts as well as to
Title II
the public

DORA Article
Implement communication policies 14(2)
Crisis Management
for internal staff and for external CDR All except smaller
Plan
stakeholders 2024/1774
Title II

Copyright © 2025 Advisera Expert Solutions Ltd. All rights reserved. 22


Which financial Usually documented
Requirements References
entities through
At least one person must be tasked DORA Article
with implementing the 14(3)
Crisis Management
communication strategy for ICT- CDR All except smaller
Plan
related incidents and fulfil the public 2024/1774
and media function for that purpose Title I

Put in place and maintain a sound and


DORA Article
documented ICT risk management Information Security
16(1)(a)
framework that details the Policy + all documents
CDR Only smaller
mechanisms and measures aimed at a listed below in this
2024/1774
quick, efficient and comprehensive column
Title III
management of ICT risk

DORA Article
16(1)(b)
Continuously monitor the security and Logging and
CDR Only smaller
functioning of all ICT systems Monitoring Procedure
2024/1774
Title III

DORA Article
Minimise the impact of ICT risk
16(1)(c) All documents specified
through the use of sound, resilient and
CDR Only smaller for smaller financial
updated ICT systems, protocols and
2024/1774 organizations
tools
Title III

Allow sources of ICT risk and DORA Article


anomalies in the network and 16(1)(d)
Logging and
information systems to be promptly CDR Only smaller
Monitoring Procedure
identified and detected and ICT- 2024/1774
related incidents to be swiftly handled Title III

DORA Article
16(1)(e)
Identify key dependencies on ICT
CDR Only smaller Supplier Security Policy
third-party service providers
2024/1774
Title III

Business Continuity
Ensure the continuity of critical or Plan + Disruptive
DORA Article
important functions, through business Incident Response
16(1)(f)
continuity plans and response and Plan + Activity Recovery
CDR Only smaller
recovery measures, which include, at Plan for (activity
2024/1774
least, back-up and restoration name) + ICT Disaster
Title III
measures Recovery Plan + Backup
Restoration Procedure

DORA Article
Test, on a regular basis, the plans and 16(1)(g)
Exercising and Testing
measures, as well as the effectiveness CDR Only smaller
Plan
of the controls implemented 2024/1774
Title III

Copyright © 2025 Advisera Expert Solutions Ltd. All rights reserved. 23


Which financial Usually documented
Requirements References
entities through
DORA Article
Implement relevant operational
16(1)(h) Exercising and Testing
conclusions resulting from the tests
CDR Only smaller Report + Procedure for
and from post-incident analysis into
2024/1774 Corrective Actions
the ICT risk assessment process
Title III

Develop, according to needs and ICT DORA Article


Security Policy for
risk profile, ICT security awareness 16(1)(h)
Human
programmes and digital operational CDR Only smaller
Resources + Training
resilience training for staff and 2024/1774
and Awareness Plan
management Title III

The ICT risk management framework


must be documented and reviewed DORA Article ICT Business Continuity
periodically and upon the occurrence 16(2) Policy + Logging and
of major ICT-related incidents, and CDR Only smaller Monitoring Procedure +
continuously improved on the basis of 2024/1774 Procedure for
lessons derived from implementation Title III Corrective Actions
and monitoring

Define, establish and implement an


ICT-related incident management
process to detect, manage and notify
ICT-related incidents, including: early
warning indicators; procedures to
identify, track, log, categorise and
classify ICT-related incidents; assign
roles and responsibilities; set out plans DORA Article Incident Handling
All
for communication to staff, external 17(1) and (3) Policy
stakeholders and media and for
notification to clients, and for internal
escalation procedures; ensure that at
least major ICT-related incidents are
reported to relevant senior
management; and establish ICT-
related incident response procedures

Record all ICT-related incidents and DORA Article Incident Handling


All
significant cyber threats 17(2) Policy + Incident Log

Establish appropriate procedures and


processes to ensure a consistent and
integrated monitoring, handling and
Incident Handling
follow-up of ICT-related incidents, to DORA Article
All Policy + Procedure for
ensure that root causes are identified, 17(2)
Corrective Actions
documented and addressed in order
to prevent the occurrence of such
incidents

DORA Article
Classify ICT-related incidents and 18(1) Incident Handling
All
determine their impact CDR Policy
2024/1772

Copyright © 2025 Advisera Expert Solutions Ltd. All rights reserved. 24


Which financial Usually documented
Requirements References
entities through
DORA Article
Classify cyber threats as significant
18(2) Incident Handling
based on the criticality of the services All
CDR Policy
at risk
2024/1772

Report major ICT-related incidents to DORA Article Incident Handling


All
the relevant competent authority 19(1) Policy

On a voluntary basis, notify significant


cyber threats to the relevant
DORA Article Incident Handling
competent authority when the threat All
19(2) Policy
is of relevance to the financial system,
service users or clients

Inform clients about the major ICT-


related incident and about the
measures that have been taken if a DORA Article Incident Handling
All
major ICT-related incident occurs and 19(3) Policy
has an impact on the financial
interests of clients, financial entities

Inform clients that are potentially


affected of any appropriate protection DORA Article Incident Handling
All
measures in the case of a significant 19(3) Policy
cyber threat

Submit the following to the relevant


competent authority: (a) an initial
Incident Initial
notification; (b) an intermediate report,
DORA Article Notification + Incident
followed, as appropriate, by updated All
19(4) Intermediate Report +
notifications every time a relevant
Incident Final Report
status update is available, and (c) a
final report

Establish, maintain and review a


sound and comprehensive digital
operational resilience testing
programme as an integral part of the
ICT risk-management framework for Digital Operational
DORA Article All except
the purpose of assessing Resilience Testing
24(1) microenterprises
preparedness for handling ICT-related Program
incidents, of identifying weaknesses,
deficiencies and gaps in digital
operational resilience, and of promptly
implementing corrective measures

Copyright © 2025 Advisera Expert Solutions Ltd. All rights reserved. 25


Which financial Usually documented
Requirements References
entities through
The digital operational resilience
testing programme shall include a
range of assessments, tests,
methodologies, practices and tools,
such as vulnerability assessments and
scans, open source analyses, network
DORA Article Digital Operational
security assessments, gap analyses,
24(2); Article All Resilience Testing
physical security reviews,
25(1) Program
questionnaires and scanning software
solutions, source code reviews where
feasible, scenario-based tests,
compatibility testing, performance
testing, end-to-end testing and
penetration testing

Ensure that digital operational


Digital Operational
resilience tests are undertaken by DORA Article All except
Resilience Testing
independent parties, whether internal 24(4) microenterprises
Program
or external

Establish procedures and policies to


prioritise, classify and remedy all issues
revealed throughout the performance
of the tests and shall establish internal DORA Article All except Procedure for
validation methodologies to ascertain 24(5) microenterprises Corrective Actions
that all identified weaknesses,
deficiencies or gaps are fully
addressed

Ensure that appropriate tests are


Digital Operational
conducted on all ICT systems and DORA Article All except
Resilience Testing
applications supporting critical or 24(6) microenterprises
Program
important functions, at least yearly

Perform the tests by combining a risk-


based approach with a strategic
planning of ICT testing, by duly
considering the need to maintain a
balanced approach between the scale
Digital Operational
of resources and the time to be DORA Article Only
Resilience Testing
allocated to the ICT testing and the 25(3) microenterprises
Program
urgency, type of risk, criticality of
information assets and of services
provided, as well as any other relevant
factor, including the financial entity’s
ability to take calculated risks

Carry out at least every 3 years


advanced testing by means of Threat-
Led Penetration Testing (TLPT) - cover All except smaller Digital Operational
DORA Article
several or all critical or important and Resilience Testing
26(1) and (2)
functions of a financial entity, and microenterprises Program
perform on live production systems
supporting such functions

Copyright © 2025 Advisera Expert Solutions Ltd. All rights reserved. 26


Which financial Usually documented
Requirements References
entities through
Identify all relevant underlying ICT
systems, processes and technologies
supporting critical or important
Asset Management
functions and ICT services, including
All except smaller Procedure + Asset
those supporting the critical or DORA Article
and Register + Digital
important functions which have been 26(2)
microenterprises Operational Resilience
outsourced or contracted to ICT third-
Testing Program
party service providers, and assess
which critical or important functions
need to be covered by the TLPT

Take the necessary measures and


All except smaller
safeguards to ensure the participation DORA Article
and Supplier Security Policy
of ICT third-party service providers in 26(3)
microenterprises
the TLPT

Apply effective risk management


controls to mitigate the risks of testing
Digital Operational
of any potential impact on data, DORA Article
All Resilience Testing
damage to assets, and disruption to 26(5)
Program
critical or important functions, services
or operations

Provide to the authority a summary of


the relevant findings, the remediation
Digital Operational
plans and the documentation DORA Article
All Resilience Testing
demonstrating that the TLPT has been 26(6)
Program
conducted in accordance with the
requirements

Only use testers for the carrying out of


TLPT, that: (a) are of the highest
suitability and reputability; (b) possess
technical and organisational
capabilities; (c) are certified by an Supplier Security Policy
accreditation body; (d) provide an DORA Article + Digital Operational
All
independent assurance, or an audit 27(1) Resilience Testing
report, in relation to the sound Program
management of risks associated with
the carrying out of TLPT; (e) are duly
and fully covered by relevant
professional indemnity insurances

Copyright © 2025 Advisera Expert Solutions Ltd. All rights reserved. 27


Which financial Usually documented
Requirements References
entities through
Management of ICT third-party risk
must be implemented in light of the
principle of proportionality, taking into
account: (i) the nature, scale,
complexity and importance of ICT-
related dependencies, and (ii) the risks DORA Article
arising from contractual 28(1)(b)
All Supplier Security Policy
arrangements on the use of ICT CDR
services concluded with ICT third- 2024/1773
party service providers, taking into
account the criticality or importance of
the respective service, process or
function, and the potential impact on
the continuity and availability

Adopt and regularly review a strategy


on ICT third-party risk, taking into DORA Article
All except smaller
account the multi-vendor strategy, 28(2)
and Supplier Security Policy
where applicable; the strategy must CDR
microenterprises
include a policy on the use of ICT 2024/1773
services

The management body must regularly


DORA Article
review the risks identified in respect to All except smaller
28(2)
contractual arrangements on the use and Supplier Security Policy
CDR
of ICT services supporting critical or microenterprises
2024/1773
important functions

Maintain and update a register of


DORA Article
information in relation to all Register of Contractual
28(3)
contractual arrangements on the use All Arrangements +
CDR
of ICT services provided by ICT third- Supplier Security Policy
2024/1773
party service providers

Report at least yearly to the


competent authorities on the number
of new arrangements on the use of ICT
services, the categories of ICT third-
party service providers, the type of DORA Article
contractual arrangements and the ICT 28(3)
All Supplier Security Policy
services and functions which are being CDR
provided; inform the competent 2024/1773
authority in a timely manner about
any planned contractual arrangement
on the use of ICT services supporting
critical or important functions

Copyright © 2025 Advisera Expert Solutions Ltd. All rights reserved. 28


| Requirements | References | Which financial entities | Usually documented through |
|---|---|---|---|
| Before entering into a contractual arrangement on the use of ICT services, financial entities must: (a) assess whether the contractual arrangement covers the use of ICT services supporting a critical or important function; (b) assess if supervisory conditions for contracting are met; (c) identify and assess all relevant risks in relation to the contractual arrangement; (d) undertake all due diligence on prospective ICT third-party service providers; (e) identify and assess conflicts of interest | DORA Article 28(4); CDR 2024/1773 | All | Supplier Security Policy |
| Only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards | DORA Article 28(5); CDR 2024/1773 | All | Supplier Security Policy |
| Pre-determine the frequency of audits and inspections of ICT service providers, as well as the areas to be audited, through adhering to commonly accepted audit standards in line with any supervisory instruction and on the basis of a risk-based approach | DORA Article 28(6); CDR 2024/1773 | All | Supplier Security Policy |
| Verify that auditors, whether internal or external, or a pool of auditors, possess appropriate skills and knowledge where contractual arrangements concluded with ICT third-party service providers entail high technical complexity | DORA Article 28(6); CDR 2024/1773 | All | Supplier Security Policy |
| Ensure that contractual arrangements on the use of ICT services may be terminated in any of the following circumstances: (a) significant breach by the ICT third-party service provider; (b) circumstances altering the performance of the functions provided through the contractual arrangement; (c) ICT service provider’s evidenced weaknesses pertaining to its overall ICT risk management; (d) where the competent authority can no longer effectively supervise the financial entity | DORA Article 28(7); CDR 2024/1773 | All | Supplier Security Policy |
| For ICT services supporting critical or important functions, put in place exit strategies; exit plans must be comprehensive, documented and sufficiently tested and reviewed periodically; identify alternative solutions and develop transition plans enabling the removal of the contracted ICT services and the relevant data from the IT service provider | DORA Article 28(8); CDR 2024/1773 | All | Supplier Security Policy + ICT Service Exit Strategy |
| Take into account whether the envisaged conclusion of a contractual arrangement in relation to ICT services supporting critical or important functions would lead to any of the following: (a) contracting an ICT third-party service provider that is not easily substitutable; or (b) having in place multiple contractual arrangements in relation to the provision of ICT services supporting critical or important functions with the same ICT service provider or with closely connected ICT service providers | DORA Article 29(1) | All | Supplier Security Policy |
| Weigh benefits and risks that may arise where the contractual arrangements on the use of ICT services supporting critical or important functions include the possibility that an ICT third-party service provider further subcontracts ICT services supporting a critical or important function to other ICT third-party service providers; also consider the insolvency law provisions | DORA Article 29(2) | All | Supplier Security Policy |
| Consider compliance with EU data protection rules (GDPR and others) where contractual arrangements on the use of ICT services supporting critical or important functions are concluded with an ICT third-party service provider established in a non-EU country | DORA Article 29(2) | All | Supplier Security Policy |
| Assess whether and how potentially long or complex chains of subcontracting may impact their ability to fully monitor the contracted functions and the ability of the competent authority to effectively supervise the financial entity where the contractual arrangements on the use of ICT services supporting critical or important functions provide for subcontracting | DORA Article 29(2) | All | Supplier Security Policy |
| The contractual arrangements on the use of ICT services must include at least the following elements: (a) a clear and complete description of all functions and ICT services; (b) the locations, namely the regions or countries, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed; (c) provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data; (d) provisions on ensuring access, recovery and return in an easily accessible format; (e) service level descriptions, including updates and revisions thereof; (f) the obligation of the ICT third-party service provider to provide assistance to the financial entity when an ICT incident occurs; (g) the obligation of the ICT third-party service provider to fully cooperate with the competent authorities; (h) termination rights and related minimum notice periods; (i) the conditions for the participation of ICT third-party service providers in the financial entities’ ICT security awareness programmes and digital operational resilience training | DORA Article 30(2) | All | Supplier Security Policy |
| The contractual arrangements on the use of ICT services supporting critical or important functions must include, in addition to the elements referred to in paragraph 2, at least the following: (a) full service level descriptions; (b) notice periods and reporting obligations; (c) requirements for the ICT third-party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies; (d) the obligation of the ICT third-party service provider to participate and fully cooperate in the financial entity’s TLPT; (e) the right to monitor, on an ongoing basis, the ICT third-party service provider’s performance; (f) exit strategies | DORA Article 30(3) | All | Supplier Security Policy |
| When negotiating contractual arrangements, financial entities and ICT third-party service providers shall consider the use of standard contractual clauses developed by public authorities for specific services | DORA Article 30(4) | All | Supplier Security Policy |

5.2. Common cybersecurity documents not required by DORA

I’m aware that the list above is very extensive; however, DORA did not mention some
documents that are quite common when managing cybersecurity:

• Information Classification Policy — provides clear rules on how to classify
documents and other information, and how to protect those assets according to
classification level.
• Mobile Device, Teleworking and Work from Home Policy — specifies the rules for
using laptops, smartphones, and other devices outside of company premises.
• Bring Your Own Device (BYOD) Policy — specifies security aspects if employees are
using their private devices for work.
• Disposal and Destruction Policy — specifies how to dispose of devices and media,
in order to delete all sensitive data and avoid breaking intellectual property rights.
• Physical Security Policy — defines security rules for data centers, archives, and
other areas that need special protection.
• Clear Desk and Clear Screen Policy — defines rules for each employee on how to
protect his/her workspace.

6. Which IT companies need to comply with DORA, and how?
DORA is a regulation that is focused on cybersecurity and resilience of financial
organizations in the European Union — however, for these organizations to be safe, DORA
pays special attention to supply chain security, in particular to the IT companies that
provide services to financial organizations.

In effect, such IT companies must comply with certain elements of DORA — the text
below explains which IT companies fall under the scope of DORA, and what exactly is
required of them.

6.1. Which IT companies must comply with DORA?

In its Article 3, DORA specifies the following terms and definitions:

• ICT — “information and communication technology”
• ICT services — “digital and data services provided through ICT systems to one or
more internal or external users on an ongoing basis, including hardware as a
service and hardware services which includes the provision of technical support via
software or firmware updates by the hardware provider, excluding traditional
analogue telephone services”
• ICT third-party service provider — any company (whether independent or part of
a financial group) providing ICT services to financial entities

Therefore, all IT and telecom companies that provide their services to financial entities on
an ongoing basis (with the exception of analogue telephone services) must be compliant
with DORA.

6.2. What must ICT service providers comply with?

All ICT third-party service providers that provide services for financial organizations must
comply with the following:

Compliance with security standards. According to Article 28, financial organizations can
use services only from companies complying with appropriate information security
standards — even though DORA does not say which standards, this will probably go in
the direction of ISO 27001 and the European Cybersecurity Certification Scheme.

Contractual obligations. According to Article 30, financial organizations need to include
the following clauses in contracts with ICT service providers:

• provisions on availability, authenticity, integrity and confidentiality in relation to the
protection of data, including personal data
• provisions on ensuring access, recovery and return in an easily accessible format of
personal and non-personal data processed by the financial entity
• the obligation of the ICT third-party service provider to provide assistance to the
financial entity
• the participation of ICT third-party service providers in the financial entities’ ICT
security awareness programmes and digital operational resilience training

6.3. What are critical ICT service providers?

According to Article 31, a critical ICT third-party service provider is designated as such
according to the following criteria:

• the systemic impact on the stability, continuity or quality of the provision of
financial services
• the systemic character or importance of the financial entities that rely on the
relevant ICT third-party service provider
• the degree of substitutability of the ICT third-party service provider, and
• the reliance of financial entities on the services provided by the relevant ICT third-
party service provider in relation to critical or important functions of financial
entities.

According to Article 3 of DORA, a critical or important function is “a function, the
disruption of which would materially impair the financial performance of a financial entity,
or the soundness or continuity of its services and activities, or the discontinued, defective
or failed performance of that function would materially impair the continuing compliance
of a financial entity with the conditions and obligations of its authorisation, or with its
other obligations under applicable financial services law.”

European Supervisory Authorities (ESAs) — meaning the European Banking Authority
(EBA), European Securities and Markets Authority (ESMA), and European Insurance and
Occupational Pensions Authority (EIOPA) — are the ones that determine for each ICT
third-party service provider whether it is critical or not.

They decide who is critical based on the criteria listed above, and based on a document
that describes these criteria in more detail: CDR 2024/1502 - The criteria for the
designation of ICT third-party service providers as critical for financial entities.

6.4. What additional DORA requirements exist for critical ICT service
providers?

On top of the requirements specified above, DORA requires critical ICT service providers to
comply with a lot more:

Oversight by government bodies. Article 31 specifies that critical service providers are
subject to oversight activities by a Lead Overseer, which is appointed by European
Supervisory Authorities (ESAs).

According to Article 33, the purpose of the Lead Overseer is to continually assess whether
such an IT provider has in place “comprehensive, sound and effective rules, procedures,
mechanisms and arrangements to manage the ICT risk which it may pose to financial
entities.”

Paying for the supervision. Article 43 specifies that the supervision comes with a cost,
and that the Lead Overseer calculates this cost every year. According to CDR 2024/1505
(“The amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-
party service providers and the way in which those fees are to be paid”), the minimum
annual fee is 50,000 euros.

Supervision access. According to Article 39, the IT service provider needs to allow the
Lead Overseer to “enter in, and conduct all necessary onsite inspections on, any business
premises, land or property of the ICT third-party service providers, such as head offices,
operation centres, secondary premises, as well as to conduct off-site inspections.”

Supervision elements. According to Article 33, the Lead Overseer must check the
following:

• ICT requirements to ensure the security, availability, continuity, scalability and
quality of services
• ability to maintain at all times high standards of availability, authenticity, integrity
or confidentiality of data
• the physical security contributing to ensuring the ICT security, including the
security of premises, facilities, data centres
• the risk management processes, including ICT risk management policies, ICT
business continuity policy and ICT response and recovery plans
• the governance arrangements, including an organisational structure with clear,
transparent and consistent lines of responsibility and accountability rules enabling
effective ICT risk management
• the identification, monitoring and prompt reporting of material ICT-related
incidents, the management and resolution of those incidents, in particular cyber-
attacks
• the mechanisms for data portability, application portability and interoperability
• the testing of ICT systems, infrastructure and controls
• the ICT audits
• the use of relevant national and international standards applicable to the provision
of its ICT services to the financial entities

Documentation and evidence. According to Article 37, the Lead Overseer may require
the following documentation and evidence: “all relevant business or operational
documents, contracts, policies, documentation, ICT security audit reports, ICT-related
incident reports, as well as any information relating to parties to whom the critical ICT
third-party service provider has outsourced operational functions or activities.”

Additional contractual obligations. Article 30 specifies that financial entities must sign
agreements with specific clauses for critical service providers, including:

• precise quantitative and qualitative performance targets within the agreed service
levels
• notice periods and reporting obligations
• implementing and testing business contingency plans
• have in place ICT security measures, tools, and policies that provide an appropriate
level of security for the provision of services by the financial entity
• participate and fully cooperate in the threat-led penetration testing of a financial
entity
• unrestricted rights of access, inspection, and audit by the financial entity
• obligation to fully cooperate during the onsite inspections and audits
• continuing to provide the ICT services during a period of cancellation of the
agreement
• allowing the financial entity to migrate to another ICT third-party service provider

Treatment of non-EU suppliers. Article 31 says that if the critical service provider is based
in a non-EU country, then it must establish a subsidiary within the EU.

Article 36 specifies that the Lead Overseer may exercise the powers “on any premises
located in a third-country which is owned, or used in any way, for the purposes of
providing services to Union financial entities, by a critical ICT third-party service provider.”

Fines and penalties. In its Article 35, DORA is quite specific on the fines that critical ICT third-
party service providers must pay if they are not compliant: up to 1% of their average daily
worldwide annual turnover, with the total depending on the number of days
that the service provider was not compliant. Further, the Lead Overseer must issue a
public notice that reveals the name of the service provider that was fined.

Article 42 specifies perhaps the worst penalty — a competent authority can require a
financial organization that is a client of an IT service provider that is not compliant with
DORA to stop using their services.

See also: ISO 27001 Implementation Guide: Checklist of Steps, Timing, and Costs Involved.

7. How to organize DORA training and awareness

The DORA regulation is very specific when it comes to training and awareness
requirements — and this is not only for financial organizations, but also for the IT
companies that supply their services to financial entities.

The text below specifies what those DORA requirements are, and suggests how to
organize effective training and awareness according to this EU regulation.

7.1. Training and awareness requirements for financial organizations

To start, what exactly does DORA require? There are several articles in DORA that
prescribe training and awareness for financial organizations:

• Article 5(2) g) requires organization-wide training and awareness: management
bodies of financial entities must “allocate and periodically review the appropriate
budget to fulfil the financial entity’s digital operational resilience needs in respect
of all types of resources, including relevant ICT security awareness programmes
and digital operational resilience training referred to in Article 13(6), and ICT skills
for all staff.”
• Article 5(4) requires training and awareness for senior management: “members of
the management body of the financial entity shall actively keep up to date with
sufficient knowledge and skills to understand and assess ICT risk and its impact on
the operations of the financial entity, including by following specific training on a
regular basis, commensurate to the ICT risk being managed.”
• Article 13(6) requires training and awareness for both senior management, and all
the employees — financial entities must “develop ICT security awareness
programmes and digital operational resilience training as compulsory modules in
their staff training schemes. Those programmes and training shall be applicable to
all employees and to senior management staff, and shall have a level of complexity
commensurate to the remit of their functions.”
• Article 16(1) point (h) requires training and awareness as a consequence of testing
and incidents: “implement, as appropriate, relevant operational conclusions
resulting from the tests referred to in point (g) and from post-incident analysis into
the ICT risk assessment process and develop, according to needs and ICT risk
profile, ICT security awareness programmes and digital operational resilience
training for staff and management.”
• Article 19 (b) in “CDR 2024-1774 Technical standards specifying ICT risk
management tools, methods, processes, and policies and the simplified ICT risk
management framework” requires the whole staff of financial organizations to be
informed about security documentation, reporting channels for anomalous
behavior, and returning all the assets upon termination of employment.
• Article 28 in “CDR 2024-1774 Technical standards specifying ICT risk management
tools, methods, processes, and policies and the simplified ICT risk management
framework” requires the organization, as part of simplified ICT risk management, to
allocate and review “at least once a year the budget necessary to fulfil the financial
entity’s digital operational resilience needs in respect of all types of resources,
including relevant ICT security awareness programmes and digital operational
resilience training and ICT skills for all staff.”

7.2. Training and awareness requirements for IT suppliers

As mentioned earlier, DORA specifies that ICT suppliers of financial organizations also
need to go for training and awareness — basically, this training needs to be arranged by
the financial organization:

• Article 13(6) says that “where appropriate, financial entities shall also include ICT
third-party service providers in their relevant training schemes in accordance with
Article 30(2), point (i).”
• Article 30(2) point (i) goes a step further and says that “the contractual
arrangements on the use of ICT services shall include at least the following
elements: … the conditions for the participation of ICT third-party service providers
in the financial entities’ ICT security awareness programmes and digital operational
resilience training in accordance with Article 13(6).”
• Article 19 (b), in “CDR 2024-1774 Technical standards specifying ICT risk
management tools, methods, processes, and policies and the simplified ICT risk
management framework” similarly to the requirement listed for financial
organizations, requires the whole staff of ICT third-party service providers to be
informed about security documentation, reporting channels for anomalous
behavior, and returning all the assets upon termination of employment.

7.3. Which topics should be covered in DORA training & awareness?

When defining topics for training and awareness, the best approach is to go through each
DORA article and determine which of them need to be covered with training or
awareness.

However, since different DORA requirements are relevant to different employees, the best
approach is to group employees and define which articles, i.e., topics, are the best suited
for them.

In general, you could go with the following groups:

• Topics for senior management
• Topics for security managers
• Topics for mid-level management
• Topics for IT employees
• Topics for all other employees
• Topics for IT service providers

In the table below, you can see how to map DORA requirements (and requirements of
some Commission Delegated Regulations) to particular target groups.

Target groups: Senior management, Security managers, Mid-level management, IT employees, All other employees, IT service providers. Each ✓ marks one target group to which the topic applies.

| Training topic | Target groups |
|---|---|
| What is the DORA regulation? (all relevant DORA articles) | ✓ ✓ ✓ ✓ ✓ ✓ |
| What are the main requirements specified in DORA? (all relevant DORA articles) | ✓ ✓ ✓ |
| What are DORA Commission Delegated Regulations? (all published CDRs) | ✓ ✓ ✓ |
| DORA implementation steps (all relevant DORA articles) | ✓ ✓ |
| Which IT providers need to comply with DORA? | ✓ ✓ ✓ ✓ |
| What must ICT service providers comply with? (Articles 28, 30, 31, 33, 35, 37, 39, 42, and 43) | ✓ ✓ ✓ |
| Why should ICT suppliers go for ISO 27001 and ISO 22301 because of DORA? | ✓ ✓ |
| Relationship between ISO 27001, ISO 22301, and DORA | ✓ ✓ |
| DORA vs. NIS 2 vs. GDPR vs. CER | ✓ ✓ ✓ ✓ |
| Governance responsibilities for senior management (Article 5) | ✓ ✓ ✓ |
| Key elements of an ICT risk management framework (Article 6; CDR 2024/1774 Articles 2 and 3) | ✓ ✓ ✓ |
| Basic concepts of risk assessment and treatment (Article 8; CDR 2024/1774 Articles 3 and 31) | ✓ ✓ |
| Review of the ICT risk management framework (Article 6 paragraph 5; CDR 2024/1774 Article 27) | ✓ ✓ ✓ |
| Internal audit of the ICT risk management framework (Article 6 paragraph 6) | ✓ ✓ ✓ |
| Follow-up and corrective actions (Article 6 paragraph 7; Article 13 paragraphs 3 and 5; Article 17 paragraph 2) | ✓ ✓ ✓ |
| Defining the digital operational resilience strategy (Article 6 paragraph 8) | ✓ ✓ ✓ |
| Encryption and cryptography (Article 7; CDR 2024/1774 Articles 6 and 7) | ✓ ✓ ✓ |
| Identifying ICT-supported business functions, roles and responsibilities, and assets (Article 8; CDR 2024/1774 Articles 4 and 5) | ✓ ✓ ✓ |
| Measurement, monitoring, and controlling the ICT systems (Article 9 paragraph 1; Article 13 paragraph 4; Article 16 paragraph 1; CDR 2024/1774 Articles 2, 3, 8, 31) | ✓ ✓ ✓ |
| Policies and procedures for ICT operations security (Article 9 paragraph 2; CDR 2024/1774 Article 8) | ✓ ✓ ✓ |
| Capacity and performance management (Article 9 paragraph 2; CDR 2024/1774 Article 9) | ✓ ✓ ✓ |
| Data and system security (Article 9 paragraph 2; CDR 2024/1774 Article 11) | ✓ ✓ ✓ |
| Logging procedures, protocols, and tools (Article 9 paragraph 2; CDR 2024/1774 Article 12) | ✓ ✓ ✓ |
| Physical and environmental security (Article 9 paragraph 2; CDR 2024/1774 Article 18) | ✓ ✓ ✓ |
| Organizing human resources security (Article 9 paragraph 2) | ✓ ✓ ✓ |
| Human resources policy (Article 9 paragraph 2; CDR 2024/1774 Article 19) | ✓ ✓ ✓ ✓ ✓ ✓ |
| Secure communications - secure transfer/transit of data (Article 9 paragraph 3 point a; CDR 2024/1774 Article 14) | ✓ ✓ ✓ |
| Handling the risk of data corruption (Article 9 paragraph 3 point b) | ✓ ✓ ✓ |
| Handling risks arising from data management (Article 9 paragraph 3 point d) | ✓ ✓ ✓ ✓ |
| Developing a top-level information security policy (Article 9 paragraph 4 point a) | ✓ ✓ ✓ ✓ ✓ |
| Establishing network and infrastructure management structure (Article 9 paragraph 4 point b; CDR 2024/1774 Article 13) | ✓ ✓ ✓ |
| Policies for limiting physical and logical access (Article 9 paragraph 4 point c; CDR 2024/1774 Article 21) | ✓ ✓ ✓ ✓ |
| Identity management and strong authentication mechanisms (Article 9 paragraph 4 point d; CDR 2024/1774 Article 20) | ✓ ✓ ✓ |
| ICT project management (CDR 2024/1774 Article 15) | ✓ ✓ ✓ ✓ |
| ICT change management (Article 9 paragraph 4 point e; CDR 2024/1774 Article 17) | ✓ ✓ ✓ ✓ |
| Vulnerability, patch management, and updates (Article 9 paragraph 4 point f; CDR 2024/1774 Article 10) | ✓ ✓ ✓ |
| ICT systems acquisition, development, and maintenance (CDR 2024/1774 Article 16) | ✓ ✓ ✓ ✓ |
| Mechanisms to promptly detect anomalous activities (Article 10; CDR 2024/1774 Article 23) | ✓ ✓ ✓ ✓ |
| Implementing an ICT business continuity policy (Article 11 paragraphs 1, 2, and 4; Article 9 paragraph 2; CDR 2024/1774 Article 24) | ✓ ✓ ✓ ✓ ✓ ✓ |
| Implementing ICT response and recovery plans (Article 11 paragraph 3; CDR 2024/1774 Article 26) | ✓ ✓ ✓ ✓ |
| Business impact analysis, RTO, and RPO (Article 11 paragraph 5; Article 12 paragraph 6) | ✓ ✓ |
| Testing business continuity and recovery plans (Article 11 paragraph 6; CDR 2024/1774 Article 25) | ✓ ✓ ✓ ✓ ✓ |
| Crisis management and crisis communication plans (Article 11 paragraph 7; Article 14) | ✓ ✓ ✓ |
| Emergency communications (Article 11 paragraph 7; Article 14) | ✓ ✓ ✓ ✓ |
| Managing backup and restoration (Article 12 paragraphs 1, 2, 3, and 7) | ✓ ✓ ✓ |
| Secondary processing site (Article 12 paragraphs 4 and 5) | ✓ ✓ ✓ |
| Threat intelligence (Article 13 paragraph 1) | ✓ ✓ ✓ |
| Post-incident reviews (Article 13 paragraph 2) | ✓ ✓ ✓ |
| Organizing security training and awareness (Article 13 paragraph 6) | ✓ ✓ ✓ ✓ |
| Monitoring technological developments (Article 13 paragraph 7) | ✓ ✓ |
| Main elements of the simplified ICT risk management framework (Article 16; CDR 2024/1774 Title III) | ✓ ✓ ✓ ✓ |
| Main elements of the incident management process (Article 17; CDR 2024/1774 Article 22) | ✓ ✓ ✓ ✓ |
| Classification of ICT incidents and threats (Article 18; CDR 2024/1772 Articles 1 to 10) | ✓ ✓ ✓ |
| Reporting of major incidents and cyber threats (Article 19) | ✓ ✓ |
| Main elements of digital operational resilience testing (Article 24) | ✓ ✓ ✓ |
| Resilience testing of ICT tools and systems (Article 25) | ✓ ✓ ✓ |
| Key elements of Threat-Led Penetration Testing - TLPT (Articles 26 and 27) | ✓ ✓ ✓ |
| Main elements of management of ICT third-party risk (Article 28; CDR 2024/1773 Articles 1 to 4) | ✓ ✓ ✓ ✓ |
| Monitoring, inspection, and audit of the ICT third-party service provider (Article 28 paragraph 6; Article 30 paragraph 3 points a and e; CDR 2024/1773 Article 9) | ✓ ✓ ✓ |
| Exit strategies for ICT services (Article 28 paragraph 8; CDR 2024/1773 Article 10) | ✓ ✓ ✓ ✓ |
| Assessment of risks of ICT service providers (Article 29; CDR 2024/1773 Articles 5, 6, and 7) | ✓ ✓ ✓ ✓ |
| Clauses to be included in contracts with ICT service providers (Article 30; CDR 2024/1773 Article 8) | ✓ ✓ ✓ |
| Who are critical ICT service providers? (Article 31; CDR 2024/1502 Articles 2, 3, 4, 5, and 6) | ✓ ✓ ✓ |
| The roles of Lead Overseer and competent authorities for critical ICT service providers (Articles 33, 35, 36, 37, 38, 39, 42, and 43) | ✓ ✓ |
| Penalties and fines (Articles 50, 51, and 54) | ✓ ✓ ✓ ✓ |

7.4. Security awareness topics for all employees

When it comes to awareness, DORA’s articles 5, 13, 16, and 30 require ICT security
awareness programs for all employees — not only for financial entities, but also for ICT
service providers.

Since DORA did not specify what the content of such awareness programs should be,
below you will find a list of suggested topics that could be suitable for a company-wide
cybersecurity awareness program:

• Basic cyber hygiene practices
• Backup basics
• Basics of authentication
• Basics of network security
• Insider threats
• Cloud security basics
• Computer malware
• Email security
• Human error
• Identity theft
• The mind of a hacker
• Passwords
• Device physical security
• Privacy
• Intellectual property
• Protecting paperwork
• Security of mobile devices
• Social engineering
• Social media
• Remote work

7.5. Options for delivering NIS 2 training

Essentially, you have three potential options for delivering training to a group of people:

1) Instructor-led in-classroom training. This is the traditional way of delivering training —


you place everyone in a room, and the instructor presents all the relevant topics face to
face. This enables attendees to ask questions and allows for some interactivity through
shorter workshops, but organizing such training is difficult.

Pros:

• Training can be adapted according to the needs of the company


• Higher engagement

Cons:

• Probably the most expensive


• Cannot be delivered very often
• Hard to deliver separate training for different target groups

2) Instructor-led online training. This is similar to instructor-led in-classroom training;


however, the main difference is that there is no physical classroom — the training is
delivered through online tools like MS Teams, Zoom, or similar. This still enables attendees
to ask questions and organize short workshops; while organizing such training is easier,
there are still challenges because all attendees must be present at the same time.

Pros:

• Training can be adapted according to the needs of the company


• Easier to organize than in-classroom training

Cons:

• Lower engagement, because attendees tend to ask fewer questions through


online tools
• All attendees must be present at the same time

3) Pre-recorded online training delivered via a learning management system (LMS). This
approach is different from the first two options: here, all the videos are pre-recorded and
uploaded to LMS software that distributes the videos to attendees and tracks their
attendance (and test results, if needed). This removes direct engagement with the
instructor (although some AI solutions are now addressing this problem), but organizing
such training is far easier.

Pros

• Easy tracking of attendance and test results
• Employees can watch videos at their convenience
• The most budget-friendly option

Cons

• Attendees cannot ask questions, at least not directly to the instructor

7.6. Which training delivery option to choose?

The choice really depends on the type of training:

Regular vs. one-time training. If the training happens only once, instructor-led
classroom training or instructor-led online training can be organized. Training that needs
to be delivered regularly (e.g., monthly, quarterly, annually) is better served by
pre-recorded online training via LMS.

Required engagement. If the training covers some very in-depth topics that require high
engagement with the instructor, then instructor-led classroom training or instructor-led
online training is probably a better solution. If the training covers some more general
topics that do not require high engagement, then pre-recorded online training via LMS
will be a more practical solution.

Number of attendees. If the training involves a smaller group of people, then instructor-
led classroom training or instructor-led online training will be manageable. If the training
involves a larger number of people, then pre-recorded online training via LMS will be
easier.

Time zones. If all attendees are in the same time zone, then instructor-led classroom
training or instructor-led online training will be feasible; however, if the attendees are
scattered across different time zones, pre-recorded online training via LMS is a more viable
solution.

7.7. A mixed approach might work the best

Ultimately, you might end up with a mix of the approaches described above — for
selected employees that require one-time training with in-depth knowledge, you might
go with instructor-led training, whereas for regular training that has to be delivered to a
larger number of employees and that does not go into too much depth, pre-recorded
online training via LMS will probably do a good job.



8. Penalties and enforcement
8.1. Penalties for financial entities

Unlike NIS 2, DORA does not prescribe the amounts of administrative fines for financial
entities; it leaves it to Member States to define the fines in their national laws (see
DORA Article 50).

However, DORA does specify remedial measures that competent authorities can apply to
financial entities:

• Ordering a financial entity to cease conduct that is not compliant with DORA, and to
refrain from repeating it.
• Adopting any type of measure, including measures of a pecuniary nature (i.e., fines),
to make sure that financial entities comply with DORA.
• Issuing public notices that reveal the identity of the non-compliant financial entity,
as well as of the natural persons responsible, and the nature of the breach.

8.2. Penalties for critical ICT third-party service providers

DORA is quite specific on the fines that critical ICT third-party service providers have to
pay if they do not comply with the Lead Overseer's measures: Article 35 allows the Lead
Overseer to impose a periodic penalty payment of up to 1% of the provider's average daily
worldwide turnover in the preceding business year. The penalty is charged for each day of
non-compliance until the provider complies, for no longer than six months, so the total
amount depends on the number of days that the service provider remained non-compliant.

The Lead Overseer (the body that supervises critical service providers) must disclose to
the public every periodic penalty payment it imposes, revealing the name of the service
provider that was fined. In addition, the competent authority can require a financial
entity that is a client of a non-compliant critical service provider to temporarily suspend
the use of its services or to terminate the contract.

8.3. Which government bodies enforce DORA?

DORA does not bring any novelties when it comes to enforcement — in its Article 46 it
refers to existing regulations that specify which competent authorities are in charge of
supervising particular types of financial organizations.

According to regulations referenced in Article 46, for the majority of financial entities that
need to be compliant with DORA, EU Member States designate competent authorities
that supervise and enforce financial regulations.

There are a couple of exceptions, where EU authorities directly supervise and enforce
financial regulations:

• For credit institutions classified as significant: the European Central Bank (ECB)
• For securitisation repositories: the European Securities and Markets Authority (ESMA)

8.4. The role of European Supervisory Authorities (ESAs)

The European Banking Authority (EBA), European Securities and Markets Authority
(ESMA), and European Insurance and Occupational Pensions Authority (EIOPA) have
several tasks according to DORA, including defining guidelines and regulatory technical
standards (which will be published as Commission Delegated Regulations), defining
which ICT third-party service providers are critical, appointing Lead Overseers for critical
service providers, etc.



ESAs publish various materials related to DORA and other activities on their websites; you
can find them here:

• European Banking Authority (EBA)
• European Securities and Markets Authority (ESMA)
• European Insurance and Occupational Pensions Authority (EIOPA)



9. Relationship to other standards and regulations
9.1. How is DORA related to ISO 27001 and ISO 22301?

DORA does not mention cybersecurity standards like ISO 27001 (nor any other standard
from the ISO27k series), or business continuity standards like ISO 22301.

However, when reading DORA’s Chapter II ICT risk management and CDR 2024/1774
Technical standards specifying ICT risk management tools, methods, processes, and
policies and the simplified ICT risk management framework, it becomes obvious that
many concepts were taken from ISO 27001, ISO 27002, ISO 27005, and ISO 22301.
Therefore, financial entities will find it useful to use those standards to comply with
DORA’s risk management requirements.

For IT suppliers, DORA Article 28 specifies that “Financial entities may only enter into
contractual arrangements with ICT third-party service providers that comply with
appropriate information security standards.” Since ISO 27001 is the most popular
information security standard worldwide, the certification against this standard will most
probably become even more popular.

9.2. How is DORA related to NIS 2?

The full title of NIS 2 is “Directive (EU) 2022/2555 on measures for a high common level of
cybersecurity across the Union.”

Although NIS 2 and DORA were both published on the same day (December 27, 2022),
there are big differences between them:

DORA vs. NIS 2

Type
  DORA: Regulation (directly applicable to financial institutions)
  NIS 2: Directive (companies comply with the local legislation that transposes it)

Applies to
  DORA: Financial institutions
  NIS 2: Organizations that are considered essential and important entities

Protection
  DORA: Besides cybersecurity measures, the emphasis is also on the overall resilience of
  financial institutions.
  NIS 2: Emphasis on cybersecurity measures

Effective from
  DORA: January 17, 2025
  NIS 2: October 18, 2024

9.3. Must financial organizations comply with NIS 2?

NIS 2 lists “banking” and “financial market infrastructures” as sectors that need to be
compliant with NIS 2 — however, according to NIS 2 Article 4, DORA and other sector-
specific regulations have priority over NIS 2.

In effect, financial entities that are in the scope of DORA do not need to apply the NIS 2
cybersecurity risk-management and incident-reporting obligations; the corresponding DORA
provisions apply instead.



The reason why banking and financial market infrastructures are listed in NIS 2 is that this
allows competent authorities in charge of NIS 2 to more easily exchange information
about such financial entities.

9.4. What is the difference between DORA and the EU GDPR?

The full title of the EU GDPR is “Regulation (EU) 2016/679 on the protection of natural
persons with regard to the processing of personal data and on the free movement of such
data (General Data Protection Regulation).”

Even though both DORA and the GDPR focus on protection of data, each has a different
angle:

DORA vs. EU GDPR

Type
  DORA: Regulation (directly applicable to financial institutions)
  EU GDPR: Regulation (directly applicable to all companies)

Applies to
  DORA: Financial institutions
  EU GDPR: Any organization that processes personal data, including financial institutions

Protection
  DORA: The focus is on protecting any data in ICT systems and achieving digital
  resilience.
  EU GDPR: Cybersecurity measures apply to personal data only; there is also a legal aspect
  of protection of personal data.

Effective from
  DORA: January 17, 2025
  EU GDPR: May 25, 2018

9.5. What is the difference between DORA and the Critical Entities
Resilience Directive (CER)

The full title of CER is “Directive (EU) 2022/2557 on the resilience of critical entities.”

Although DORA and CER (as well as NIS 2) were published on the same day (December 27,
2022), they each have a different scope:

DORA vs. CER

Type
  DORA: Regulation (directly applicable to financial institutions)
  CER: Directive (companies comply with the local legislation that transposes it)

Applies to
  DORA: Financial institutions
  CER: Organizations that are considered critical according to Member State decision

Protection
  DORA: Besides resilience, the emphasis is also on cybersecurity measures.
  CER: Emphasis on resilience and business continuity

Effective from
  DORA: January 17, 2025
  CER: October 18, 2024; however, critical entities need to become compliant within 10
  months from the day they are notified of their designation as critical.



10. What are DORA Commission Delegated Regulations?
The text of the DORA regulation is pretty lengthy, but nevertheless it doesn't specify all the
requirements; instead, it prescribes that certain details are further specified in
Commission Delegated Regulations (CDRs) and Commission Implementing Regulations
(CIRs).

CDRs adopt regulatory technical standards (RTS), and CIRs adopt implementing technical
standards (ITS). Both are published by the European Commission and further specify
certain rules of DORA, so they can be considered appendices to DORA. The draft technical
standards are developed by the European Supervisory Authorities and submitted to the
European Commission, which then adopts and publishes them.

10.1. Which DORA CDRs have been published?

At the time this white paper was updated (February 2025), the following CDRs and CIRs had
been published:

• CDR 2024/1502 - The criteria for the designation of ICT third-party service providers
as critical for financial entities — related to DORA Article 31
• CDR 2024/1505 - The amount of the oversight fees to be charged by the Lead
Overseer to critical ICT third-party service providers and the way in which those
fees are to be paid — related to DORA Article 43
• CDR 2024/1772 - The criteria for the classification of ICT-related incidents and cyber
threats, setting out materiality thresholds and specifying the details of reports of
major incidents — related to DORA Article 18
• CDR 2024/1773 - Regulatory technical standards specifying the detailed content of
the policy regarding contractual arrangements on the use of ICT services
supporting critical or important functions provided by ICT third-party service
providers — related to DORA Article 28
• CDR 2024/1774 - Regulatory technical standards specifying ICT risk management
tools, methods, processes, and policies and the simplified ICT risk management
framework — related to DORA Article 15 and Article 16
• CIR 2024/2956 – Templates for the register of information for contractual
arrangements — related to DORA Article 28(9)

10.2. Explanation of DORA CDRs and CIRs

Let’s analyze each of these regulations in more detail:

CDR 2024/1502 - The criteria for the designation of ICT third-party service providers as
critical for financial entities specifies:

• European Supervisory Authorities must use a set of criteria to decide whether an ICT
third-party service provider is critical.
• Those criteria include: systemic impact, systemic character and importance,
criticality or importance of the functions, and degree of substitutability.

See also: Which IT companies need to comply with DORA, and how?



CDR 2024/1505 - The amount of the oversight fees to be charged by the Lead Overseer to
critical ICT third-party service providers and the way in which those fees are to be paid
specifies:

• Lead Overseers must calculate the oversight fees based on their overall cost of
supervision.
• The minimum annual oversight fee is €50,000 per critical ICT third-party service
provider.
• Oversight fees are paid once a year.

CDR 2024/1772 - The criteria for the classification of ICT-related incidents and cyber
threats, setting out materiality thresholds and specifying the details of reports of major
incidents specifies:

• Financial entities need to take into account various aspects of an incident when
deciding if it is a major incident.
• Those aspects include: number of clients affected, number of financial
counterparts affected, amount of transactions affected, reputational impact,
duration and service downtime, geographical spread, data losses, criticality of
services affected, and economic impact.
• Financial entities must classify threats, and decide if threats are significant based
on several criteria.

CDR 2024/1773 - Regulatory technical standards specifying the detailed content of the
policy regarding contractual arrangements on the use of ICT services supporting critical or
important functions provided by ICT third-party service providers specifies:

• When creating the policy for contractual arrangements on the use of ICT services,
financial entities must take into account overall risk profile and complexity, and
include several elements in the policy.
• Elements that must be included in the policy are: governance arrangements, life
cycle for the adoption and use of contractual arrangements, risk assessment, due
diligence, conflicts of interest, contractual clauses, monitoring of the contractual
arrangements, and exit from and termination of the contractual arrangements.

CDR 2024/1774 - Regulatory technical standards specifying ICT risk management tools,
methods, processes, and policies and the simplified ICT risk management framework
specifies:

• A very detailed list of ICT security policies, procedures, protocols, and tools that
financial entities need to establish.
• These must cover several areas, including ICT risk management, ICT asset
management, encryption and cryptography, ICT operations security, network
security, ICT project and change management, physical and environmental
security, human resources policy, identity management, access control, ICT-related
incident detection and response, ICT business continuity management, and report
on the ICT risk management framework review.
• The CDR specifies separate rules for a simplified ICT risk management framework.

CIR 2024/2956 – Templates for the register of information for contractual arrangements
specifies:



• How to rank suppliers in the supply chain
• Which information needs to be included in the register of suppliers
• In its annexes, detailed instructions on how to create the register of suppliers

10.3. Upcoming CDRs, CIRs, and guidelines

Here are some of the technical standards and guidelines that were still in the process of
being adopted or published at that time:

• Technical standards on major incident reporting
• Guidelines on oversight cooperation
• Guidelines on the estimation of aggregated costs/losses caused by major ICT-related
incidents
• Regulatory technical standards on the harmonization of conditions enabling the
execution of the oversight activities
• Regulatory technical standards specifying elements related to threat-led
penetration tests
• Regulatory technical standards on the criteria for determining the composition of
the joint examination team
• Regulatory technical standards on subcontracting ICT services supporting critical
or important functions under DORA

So, as you can see, DORA in itself is already pretty specific when it comes to cybersecurity
rules, but together with these CDRs it becomes very demanding with regard to how
cybersecurity needs to be implemented.

Sources:

• DORA regulation
• Series of DORA articles on Advisera.com

Author:

Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books,
articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small
and medium businesses obtain the resources they need to become compliant with EU
regulations and ISO standards. He believes that making complex frameworks easy to
understand and simple to use creates a competitive advantage for Advisera's clients, and
that AI technology is crucial for achieving this.

As an ISO 27001, NIS 2, and DORA expert, Dejan helps companies find the best path to
compliance by eliminating overhead and adapting the implementation to their size and
industry specifics.



Advisera Expert Solutions Ltd
for electronic business and business consulting
www.advisera.com

Our offices
US Office
1178 Broadway, 3rd Floor #3829
New York NY 10001
United States

EU Office
Zavizanska 12
10000 Zagreb
Croatia, European Union

EMAIL:
support@advisera.com


