Dejan KosuticThe DORA regulation is pretty specific on what needs to be implemented in order to ensure cybersecurity and resilience of IT systems. The problem is that there are many requirements, and it is hard to conclude what needs to be covered with which documents.
This article maps each relevant requirement from DORA with documents that are the best suited to cover those requirements.
The DORA regulation specifies more than 100 different cybersecurity and resilience requirements, which can be covered with 30 to 40 policies, procedures, plans, and similar documents.
List of documents to comply with DORA
Before you start reading the list below, a couple of notes:
* “Smaller” financial organizations are the following entities (these are the ones that must go for the simplified ICT risk management framework according to DORA Article 16):
- small and non-interconnected investment firms
- small payment institutions exempted by the decision of Member States according to Directive (EU) 2015/2366
- specific credit institutions defined in Directive 2013/36/EU (if Member States did not exclude them completely from DORA)
- small electronic money institutions exempted by the decision of Member States according to Directive 2009/110/EC
- small institutions for occupational retirement provision.
** “Microenterprises” are those financial entities that employ fewer than 10 persons and have an annual turnover and/or annual balance sheet total that does not exceed 2 million euros.
| Requirements | References | Which financial entities | Usually documented through |
| Set clear roles and responsibilities for all ICT-related functions | DORA Article 5(2)(c) CDR 2024/1774 Title II |
All except smaller* | Each document listed in this column must define clear roles and responsibilities for all specified activities |
| Establish appropriate governance arrangements | DORA Article 5(2)(c) CDR 2024/1774 Title II |
All except smaller | ICT Risk Management Policy + all documents listed in this column |
| Set and approve digital operational resilience strategy; the ICT risk management framework shall include a digital operational resilience strategy setting out how the framework shall be implemented, and shall include methods to address ICT risk and attain specific ICT objectives | DORA Article 5(2)(d); Article 6(8) CDR 2024/1774 Title II |
All except smaller | Digital Operational Resilience Strategy |
| Approve, oversee and periodically review the implementation of ICT business continuity policy | DORA Article 5(2)(e) CDR 2024/1774 Title II |
All except smaller | Business Continuity Policy |
| Approve, oversee and periodically review the implementation of ICT response and recovery plans | DORA Article 5(2)(e) CDR 2024/1774 Title II |
All except smaller | Incident Response Plan + Activity Recovery Plan + Disaster Recovery Plan |
| Approve and periodically review ICT internal audit plan | DORA Article 5(2)(f) CDR 2024/1774 Title II |
All except smaller | Internal Audit Program |
| Allocate and periodically review the appropriate budget | DORA Article 5(2)(g) CDR 2024/1774 Title II |
All except smaller | Digital Operational Resilience Strategy |
| Approve and periodically review policy on arrangements regarding the use of ICT services provided by ICT third-party service providers | DORA Article 5(2)(h) CDR 2024/1774 Title II |
All except smaller | Supplier Security Policy |
| Reporting channels related to ICT third-party service providers: arrangements concluded, planned material changes, and their impact on critical or important functions | DORA Article 5(2)(i) CDR 2024/1774 Title II |
All except smaller | Supplier Security Policy |
| Establish a role in order to monitor the arrangements concluded with ICT third-party service providers on the use of ICT services, or designate a member of senior management as responsible for overseeing the related risk exposure | DORA Article 5(3) CDR 2024/1774 Title II |
All except smaller and microenterprises** | ICT Risk Management Policy + Supplier Security Policy |
| Members of the management body of the financial entity must actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations | DORA Article 5(4) CDR 2024/1774 Title II |
All except smaller | Security Policy for Human Resources + Training and Awareness Plan |
| The ICT risk management framework shall include at least strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information assets and ICT assets | DORA Article 6(2) CDR 2024/1774 Title II |
All except smaller | ICT Risk Management Policy + all documents listed in this column |
| Minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools | DORA Article 6(3) CDR 2024/1774 Title II |
All except smaller | ICT Risk Management Policy + all documents listed in this column |
| Assign the responsibility for managing and overseeing ICT risk to a control function | DORA Article 6(4) CDR 2024/1774 Title II |
All except smaller and microenterprises | ICT Risk Management Policy |
| Ensure appropriate segregation and independence of ICT risk management functions, control functions, and internal audit functions | DORA Article 6(4) CDR 2024/1774 Title II |
All except smaller | ICT Risk Management Policy |
| The ICT risk management framework shall be documented and reviewed | DORA Article 6(5) CDR 2024/1774 Title II |
All except smaller | ICT Risk Management Policy |
| The ICT risk management framework shall be subject to internal audit by auditors on a regular basis | DORA Article 6(6) CDR 2024/1774 Title II |
All except smaller and microenterprises | ICT Risk Management Policy + Internal Audit Procedure |
| Internal auditors shall possess sufficient knowledge, skills and expertise in ICT risk, as well as appropriate independence | DORA Article 6(6) CDR 2024/1774 Title II |
All except smaller and microenterprises | Internal Audit Procedure |
| Establish a formal follow-up process, including rules for the timely verification and remediation of critical ICT audit findings | DORA Article 6(7) CDR 2024/1774 Title II |
All except smaller | Internal Audit Procedure + Procedure for Corrective Actions |
| Identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk | DORA Article 8(1) CDR 2024/1774 Title II |
All except smaller | Asset Management Procedure + IT Asset Register |
| On a continuous basis, identify all sources of ICT risk, in particular the risk exposure to and from other financial entities, and assess cyber threats and ICT vulnerabilities relevant to their ICT supported business functions, information assets and ICT assets | DORA Article 8(2) CDR 2024/1774 Title II |
All except smaller | Risk Management Methodology + Risk Assessment Table / Risk Register |
| Review on a regular basis, and at least yearly, the risk scenarios impacting them. | DORA Article 8(2) CDR 2024/1774 Title II |
All except smaller | Risk Management Methodology + Risk Assessment Table / Risk Register |
| Perform a risk assessment upon each major change in the network and information system infrastructure, in the processes or procedures affecting their ICT supported business functions, information assets or ICT assets | DORA Article 8(3) CDR 2024/1774 Title II |
All except smaller and microenterprises | Risk Management Methodology + Risk Assessment Table / Risk Register |
| Identify all information assets and ICT assets, including those on remote sites, network resources and hardware equipment, and map those considered critical | DORA Article 8(4) CDR 2024/1774 Title II |
All except smaller | Asset Management Procedure + IT Asset Register |
| Map the configuration of the information assets and ICT assets and the links and interdependencies between the different information assets and ICT assets | DORA Article 8(4) CDR 2024/1774 Title II |
All except smaller | Asset Management Procedure + IT Asset Register |
| Identify and document all processes that are dependent on ICT third-party service providers, and identify interconnections with ICT third-party service providers that provide services that support critical or important functions | DORA Article 8(5) CDR 2024/1774 Title II |
All except smaller | Asset Management Procedure + IT Asset Register |
| For the purposes of paragraphs 1, 4 and 5 of Article 8, maintain relevant inventories and update them periodically and every time any major change as referred to in paragraph 3 occurs | DORA Article 8(6) CDR 2024/1774 Title II |
All except smaller | Asset Management Procedure + IT Asset Register |
| On a regular basis, and at least yearly, conduct a specific ICT risk assessment on all legacy ICT systems and, in any case before and after connecting technologies, applications or systems | DORA Article 8(7) CDR 2024/1774 Title II |
All except smaller and microenterprises | Risk Management Methodology + Risk Assessment Table / Risk Register |
| Continuously monitor and control the security and functioning of ICT systems and tools | DORA Article 9(1) CDR 2024/1774 Title II |
All except smaller | Monitoring Procedure |
| Design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions | DORA Article 9(2) CDR 2024/1774 Title II |
All except smaller | ICT Risk Management Policy + all documents listed in this column |
| Develop and document an information security policy defining rules to protect the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets, including those of their customers | DORA Article 9(4)(a) CDR 2024/1774 Title II |
All except smaller | ICT Risk Management Policy |
| Establish a sound network and infrastructure management structure using appropriate techniques, methods and protocols; design the network connection infrastructure in a way that allows it to be instantaneously severed or segmented in order to minimise and prevent contagion, especially for interconnected financial processes | DORA Article 9(4)(b) CDR 2024/1774 Title II |
All except smaller | Network Security Policy |
| Implement policies that limit the physical or logical access to information assets and ICT assets, and establish to that end a set of policies, procedures and controls that address access rights and ensure a sound administration thereof | DORA Article 9(4)(c) CDR 2024/1774 Title II |
All except smaller | Access Control Policy |
| Implement policies and protocols for strong authentication mechanisms | DORA Article 9(4)(d) CDR 2024/1774 Title II |
All except smaller | Authentication Policy |
| Implement documented policies, procedures and controls for ICT change management; the ICT change management process shall be approved by appropriate lines of management and shall have specific protocols in place | DORA Article 9(4)(e) CDR 2024/1774 Title II |
All except smaller | Change Management Policy |
| Have appropriate and comprehensive documented policies for patches and updates | DORA Article 9(4)(f) CDR 2024/1774 Title II |
All except smaller | Patch Management Policy |
| Have in place mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure; all detection mechanisms must be regularly tested | DORA Article 10(1) CDR 2024/1774 Title II |
All except smaller | Monitoring Procedure |
| Detection mechanisms must enable multiple layers of control, define alert thresholds and criteria to trigger and initiate ICT-related incident response processes, including automatic alert mechanisms for relevant staff in charge of ICT-related incident response | DORA Article 10(2) CDR 2024/1774 Title II |
All except smaller | Monitoring Procedure |
| Devote sufficient resources and capabilities to monitor user activity, the occurrence of ICT anomalies and ICT-related incidents, in particular cyber-attacks | DORA Article 10(3) CDR 2024/1774 Title II |
All except smaller | Monitoring Procedure |
| Put in place a comprehensive ICT business continuity policy, which may be adopted as a dedicated specific policy, forming an integral part of the overall business continuity policy | DORA Article 11(1) CDR 2024/1774 Title II |
All except smaller | Business Continuity Policy |
| Implement the ICT business continuity policy through dedicated, appropriate and documented arrangements, plans, procedures and mechanisms aiming to ensure the continuity, quickly, appropriately and effectively respond to, and resolve, all ICT-related incidents | DORA Article 11(2) CDR 2024/1774 Title II |
All except smaller | Business Impact Analysis Methodology + Business Continuity Strategy + Crisis Management Plan + Business Continuity Plan + Incident Response Plan + Disaster Recovery Plan + Activity Recovery Plan |
| Activate, without delay, dedicated plans that enable containment measures, processes and technologies suited to each type of ICT-related incident and prevent further damage, as well as tailored response and recovery procedures | DORA Article 11(2)(c) CDR 2024/1774 Title II |
All except smaller | Incident Response Plan |
| Estimate preliminary impacts, damages and losses | DORA Article 11(2)(d) CDR 2024/1774 Title II |
All except smaller | Business Continuity Plan |
| Set out communication and crisis management actions that ensure that updated information is transmitted to all relevant internal staff and external stakeholders | DORA Article 11(2)(e) CDR 2024/1774 Title II |
All except smaller | Crisis Management Plan |
| Implement ICT response and recovery plans | DORA Article 11(3) CDR 2024/1774 Title II |
All except smaller | Incident Response Plan + Disaster Recovery Plan + Activity Recovery Plan |
| Maintain and periodically test appropriate ICT business continuity plans, notably with regard to critical or important functions outsourced or contracted through arrangements with ICT third-party service providers | DORA Article 11(4) CDR 2024/1774 Title II |
All except smaller | Maintenance and Review Plan + Business Continuity Testing and Exercising Plan |
| Conduct a business impact analysis (BIA) of exposure to severe business disruptions | DORA Article 11(5) CDR 2024/1774 Title II |
All except smaller | Business Impact Analysis Methodology + Business Impact Analysis Questionnaire |
| Test the ICT business continuity plans and the ICT response and recovery plans in relation to ICT systems supporting all functions at least yearly; test the crisis communication plans | DORA Article 11(6) CDR 2024/1774 Title II |
All except smaller | Business Continuity Testing and Exercising Plan |
| Include in the testing plans scenarios of cyber-attacks and switchovers between the primary ICT infrastructure and the redundant capacity, backups and redundant facilities | DORA Article 11(6) CDR 2024/1774 Title II |
All except smaller and microenterprises | Business Continuity Testing and Exercising Plan |
| Regularly review ICT business continuity policy and ICT response and recovery plans | DORA Article 11(6) CDR 2024/1774 Title II |
All except smaller | Maintenance and Review Plan |
| Have a crisis management function, which, in the event of activation of their ICT business continuity plans or ICT response and recovery plans, must set out clear procedures to manage internal and external crisis communications | DORA Article 11(7) CDR 2024/1774 Title II |
All except smaller and microenterprises | Crisis Management Plan |
| Keep readily accessible records of activities before and during disruption events when their ICT business continuity plans and ICT response and recovery plans are activated | DORA Article 11(8) CDR 2024/1774 Title II |
All except smaller | Disaster Recovery Plan + Activity Recovery Plan |
| Report to the competent authorities an estimation of aggregated annual costs and losses caused by major ICT-related incidents | DORA Article 11(10) CDR 2024/1774 Title II |
All except smaller and microenterprises | Incident Management Procedure |
| Develop and document backup policies and procedures, and restoration and recovery procedures and methods | DORA Article 12(1) CDR 2024/1774 Title II |
All except smaller | Backup Policy + Backup and Restoration Procedure |
| Testing of the backup procedures and restoration and recovery procedures and methods must be undertaken periodically | DORA Article 12(2) CDR 2024/1774 Title II |
All except smaller | Backup and Restoration Procedure |
| When restoring backup data using own systems, use ICT systems that are physically and logically segregated from the source ICT system | DORA Article 12(3) CDR 2024/1774 Title II |
All except smaller | Backup and Restoration Procedure |
| Maintain redundant ICT capacities equipped with resources, capabilities and functions that are adequate to ensure business needs | DORA Article 12(4) CDR 2024/1774 Title II |
All except smaller | Business Continuity Strategy |
| In determining the recovery time and recovery point objectives for each function, take into account whether it is a critical or important function and the potential overall impact on market efficiency | DORA Article 12(6) CDR 2024/1774 Title II |
All except smaller | Business Impact Analysis Methodology + Business Continuity Strategy |
| When recovering from an ICT-related incident, perform necessary checks, including any multiple checks and reconciliations | DORA Article 12(7) CDR 2024/1774 Title II |
All except smaller | Incident Management Procedure |
| Have in place capabilities and staff to gather information on vulnerabilities and cyber threats, ICT-related incidents, in particular cyber-attacks, and analyse the impact they are likely to have | DORA Article 13(1) CDR 2024/1774 Title II |
All except smaller | Monitoring Procedure |
| Put in place post ICT-related incident reviews after a major ICT-related incident disrupts their core activities, analysing the causes of disruption and identifying required improvements to the ICT operations or within the ICT business continuity policy | DORA Article 13(2) CDR 2024/1774 Title II |
All except smaller | Incident Management Procedure + Post Incident Review Form + Procedure for Corrective Actions |
| On a continuous basis incorporate into the ICT risk assessment process lessons derived from the digital operational resilience testing and from real life ICT-related incidents, along with challenges faced upon the activation of ICT business continuity plans and ICT response and recovery plans; senior ICT staff shall report at least yearly to the management body on the findings | DORA Article 13(3); Article 13(5) CDR 2024/1774 Title II |
All except smaller | Risk Assessment Methodology + Incident Management Procedure |
| Monitor the effectiveness of the implementation of their digital operational resilience strategy, map the evolution of ICT risk over time, analyse the frequency, types, magnitude and evolution of ICT-related incidents, in particular cyber-attacks and their patterns, with a view to understanding the level of ICT risk exposure, in particular in relation to critical or important functions, and enhance the cyber maturity and preparedness | DORA Article 13(4) CDR 2024/1774 Title II |
All except smaller | Digital Operational Resilience Strategy + Risk Assessment Methodology + ICT Risk Management Policy |
| Develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes; those programmes and training must be applicable to all employees and to senior management staff, and must have a level of complexity commensurate to the remit of their functions; where appropriate, financial entities must also include ICT third-party service providers in their relevant training schemes | DORA Article 13(6) CDR 2024/1774 Title II |
All except smaller | Security Policy for Human Resources + Training and Awareness Plan |
| Monitor relevant technological developments on a continuous basis, also with a view to understanding the possible impact of the deployment of such new technologies on ICT security requirements and digital operational resilience | DORA Article 13(7) CDR 2024/1774 Title II |
All except smaller and microenterprises | ICT Risk Management Policy |
| Have in place crisis communication plans enabling a responsible disclosure of, at least, major ICT-related incidents or vulnerabilities to clients and counterparts as well as to the public | DORA Article 14(1) CDR 2024/1774 Title II |
All except smaller | Crisis Management Plan |
| Implement communication policies for internal staff and for external stakeholders | DORA Article 14(2) CDR 2024/1774 Title II |
All except smaller | Crisis Management Plan |
| At least one person must be tasked with implementing the communication strategy for ICT-related incidents and fulfil the public and media function for that purpose | DORA Article 14(3) CDR 2024/1774 Title I |
All except smaller | Crisis Management Plan |
| Put in place and maintain a sound and documented ICT risk management framework that details the mechanisms and measures aimed at a quick, efficient and comprehensive management of ICT risk | DORA Article 16(1)(a) CDR 2024/1774 Title III |
Only smaller | ICT Risk Management Policy + all documents listed below in this column |
| Continuously monitor the security and functioning of all ICT systems | DORA Article 16(1)(b) CDR 2024/1774 Title III |
Only smaller | Monitoring Procedure |
| Minimise the impact of ICT risk through the use of sound, resilient and updated ICT systems, protocols and tools | DORA Article 16(1)(c) CDR 2024/1774 Title III |
Only smaller | All documents specified for smaller financial organizations |
| Allow sources of ICT risk and anomalies in the network and information systems to be promptly identified and detected and ICT-related incidents to be swiftly handled | DORA Article 16(1)(d) CDR 2024/1774 Title III |
Only smaller | Monitoring Procedure |
| Identify key dependencies on ICT third-party service providers | DORA Article 16(1)(e) CDR 2024/1774 Title III |
Only smaller | Supplier Security Policy + Strategy on ICT third-party risk |
| Ensure the continuity of critical or important functions, through business continuity plans and response and recovery measures, which include, at least, back-up and restoration measures | DORA Article 16(1)(f) CDR 2024/1774 Title III |
Only smaller | Business Continuity Plan + Incident Response Plan + Activity Recovery Plan + Disaster Recovery Plan + Backup and Restoration Procedure |
| Test, on a regular basis, the plans and measures, as well as the effectiveness of the controls implemented | DORA Article 16(1)(g) CDR 2024/1774 Title III |
Only smaller | Business Continuity Testing and Exercising Plan |
| Implement relevant operational conclusions resulting from the tests and from post-incident analysis into the ICT risk assessment process | DORA Article 16(1)(h) CDR 2024/1774 Title III |
Only smaller | Exercising and Testing Report + Corrective Actions |
| Develop, according to needs and ICT risk profile, ICT security awareness programmes and digital operational resilience training for staff and management | DORA Article 16(1)(h) CDR 2024/1774 Title III |
Only smaller | Security Policy for Human Resources + Training and Awareness Plan |
| The ICT risk management framework must be documented and reviewed periodically and upon the occurrence of major ICT-related incidents, and continuously improved on the basis of lessons derived from implementation and monitoring | DORA Article 16(2) CDR 2024/1774 Title III |
Only smaller | Maintenance and Review Plan + Monitoring Procedure + Procedure for Corrective Actions |
| Define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents, including: early warning indicators; procedures to identify, track, log, categorise and classify ICT-related incidents; assign roles and responsibilities; set out plans for communication to staff, external stakeholders and media and for notification to clients, and for internal escalation procedures; ensure that at least major ICT-related incidents are reported to relevant senior management; and establish ICT-related incident response procedures | DORA Article 17(1) and (3) | All | Incident Management Procedure |
| Record all ICT-related incidents and significant cyber threats | DORA Article 17(2) | All | Incident Management Procedure + Incident & Threat Log |
| Establish appropriate procedures and processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidents, to ensure that root causes are identified, documented and addressed in order to prevent the occurrence of such incidents | DORA Article 17(2) | All | Incident Management Procedure + Procedure for Corrective Actions |
| Classify ICT-related incidents and determine their impact | DORA Article 18(1) CDR 2024/1772 |
All | Incident Management Procedure |
| Classify cyber threats as significant based on the criticality of the services at risk | DORA Article 18(2) CDR 2024/1772 |
All | Incident Management Procedure |
| Report major ICT-related incidents to the relevant competent authority | DORA Article 19(1) | All | Incident Management Procedure |
| On a voluntary basis, notify significant cyber threats to the relevant competent authority when the threat is of relevance to the financial system, service users or clients | DORA Article 19(2) | All | Incident Management Procedure |
| Inform clients about the major ICT-related incident and about the measures that have been taken if a major ICT-related incident occurs and has an impact on the financial interests of clients, financial entities | DORA Article 19(3) | All | Incident Management Procedure |
| Inform clients that are potentially affected of any appropriate protection measures in the case of a significant cyber threat | DORA Article 19(3) | All | Incident Management Procedure |
| Submit the following to the relevant competent authority: (a) an initial notification; (b) an intermediate report, followed, as appropriate, by updated notifications every time a relevant status update is available, and (c) a final report | DORA Article 19(4) | All | Incident Initial Notification + Incident Intermediate Report + Incident Final Report |
| Establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework for the purpose of assessing preparedness for handling ICT-related incidents, of identifying weaknesses, deficiencies and gaps in digital operational resilience, and of promptly implementing corrective measures | DORA Article 24(1) | All except microenterprises | Resilience Testing Program |
| The digital operational resilience testing programme shall include a range of assessments, tests, methodologies, practices and tools, such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing | DORA Article 24(2); Article 25(1) | All | Resilience Testing Program |
| Ensure that digital operational resilience tests are undertaken by independent parties, whether internal or external | DORA Article 24(4) | All except microenterprises | Resilience Testing Program |
| Establish procedures and policies to prioritise, classify and remedy all issues revealed throughout the performance of the tests and shall establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed | DORA Article 24(5) | All except microenterprises | Procedure for Corrective Actions |
| Ensure that appropriate tests are conducted on all ICT systems and applications supporting critical or important functions, at least yearly | DORA Article 24(6) | All except microenterprises | Resilience Testing Program |
| Perform the tests by combining a risk-based approach with a strategic planning of ICT testing, by duly considering the need to maintain a balanced approach between the scale of resources and the time to be allocated to the ICT testing and the urgency, type of risk, criticality of information assets and of services provided, as well as any other relevant factor, including the financial entity’s ability to take calculated risks | DORA Article 25(3) | Only microenterprises | Resilience Testing Program |
| Carry out at least every 3 years advanced testing by means of Threat-Led Penetration Testing (TLPT) – cover several or all critical or important functions of a financial entity, and perform on live production systems supporting such functions | DORA Article 26(1) and (2) | All except smaller and microenterprises | Resilience Testing Program |
| Identify all relevant underlying ICT systems, processes and technologies supporting critical or important functions and ICT services, including those supporting the critical or important functions which have been outsourced or contracted to ICT third-party service providers, and assess which critical or important functions need to be covered by the TLPT | DORA Article 26(2) | All except smaller and microenterprises | Asset Management Procedure + IT Asset Register + Resilience Testing Program |
| Take the necessary measures and safeguards to ensure the participation of ICT third-party service providers in the TLPT | DORA Article 26(3) | All except smaller and microenterprises | Supplier Security Policy |
| Apply effective risk management controls to mitigate the risks of testing of any potential impact on data, damage to assets, and disruption to critical or important functions, services or operations | DORA Article 26(5) | All | Resilience Testing Program |
| Provide to the authority a summary of the relevant findings, the remediation plans and the documentation demonstrating that the TLPT has been conducted in accordance with the requirements | DORA Article 26(6) | All | Resilience Testing Program |
| Only use testers for the carrying out of TLPT, that: (a) are of the highest suitability and reputability; (b) possess technical and organisational capabilities; (c) are certified by an accreditation body; (d) provide an independent assurance, or an audit report, in relation to the sound management of risks associated with the carrying out of TLPT; (e) are duly and fully covered by relevant professional indemnity insurances | DORA Article 27(1) | All | Supplier Security Policy + Resilience Testing Program |
| Management of ICT third-party risk must be implemented in light of the principle of proportionality, taking into account: (i) the nature, scale, complexity and importance of ICT-related dependencies, and (ii) the risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers, taking into account the criticality or importance of the respective service, process or function, and the potential impact on the continuity and availability | DORA Article 28(1)(b) CDR 2024/1773 |
All | Supplier Security Policy |
| Adopt and regularly review a strategy on ICT third-party risk, taking into account the multi-vendor strategy, where applicable; the strategy must include a policy on the use of ICT services | DORA Article 28(2) CDR 2024/1773 |
All except smaller and microenterprises | Strategy on ICT third-party risk + Supplier Security Policy |
| The management body must regularly review the risks identified in respect to contractual arrangements on the use of ICT services supporting critical or important functions | DORA Article 28(2) CDR 2024/1773 |
All except smaller and microenterprises | Supplier Security Policy + Strategy on ICT third-party risk |
| Maintain and update a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers | DORA Article 28(3) CDR 2024/1773 |
All | Register of Contractual Arrangements + Supplier Security Policy |
| Report at least yearly to the competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided; inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions | DORA Article 28(3) CDR 2024/1773 |
All | Supplier Security Policy |
| Before entering into a contractual arrangement on the use of ICT services, financial entities must: (a) assess whether the contractual arrangement covers the use of ICT services supporting a critical or important function; (b) assess if supervisory conditions for contracting are met; (c) identify and assess all relevant risks in relation to the contractual arrangement; (d) undertake all due diligence on prospective ICT third-party service providers; (e) identify and assess conflicts of interest | DORA Article 28(4) CDR 2024/1773 |
All | Supplier Security Policy |
| Only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards | DORA Article 28(5) CDR 2024/1773 |
All | Supplier Security Policy |
| Pre-determine the frequency of audits and inspections of ICT service providers, as well as the areas to be audited through adhering to commonly accepted audit standards in line with any supervisory instruction and on the basis of a risk-based approach | DORA Article 28(6) CDR 2024/1773 |
All | Supplier Security Policy |
| Verify that auditors, whether internal or external, or a pool of auditors, possess appropriate skills and knowledge where contractual arrangements concluded with ICT third-party service providers entail high technical complexity | DORA Article 28(6) CDR 2024/1773 |
All | Supplier Security Policy |
| Ensure that contractual arrangements on the use of ICT services may be terminated in any of the following circumstances: (a) significant breach by the ICT third-party service provider; (b) circumstances altering the performance of the functions provided through the contractual arrangement; (c) ICT service provider’s evidenced weaknesses pertaining to its overall ICT risk management; (d) where the competent authority can no longer effectively supervise the financial entity | DORA Article 28(7) CDR 2024/1773 |
All | Supplier Security Policy |
| For ICT services supporting critical or important functions, put in place exit strategies; exit plans must be comprehensive, documented and sufficiently tested and reviewed periodically; identify alternative solutions and develop transition plans enabling to remove the contracted ICT services and the relevant data from the IT service provider | DORA Article 28(8) CDR 2024/1773 |
All | Supplier Security Policy + ICT Service Exit Strategy |
| Take into account whether the envisaged conclusion of a contractual arrangement in relation to ICT services supporting critical or important functions would lead to any of the following: (a) contracting an ICT third-party service provider that is not easily substitutable; or (b) having in place multiple contractual arrangements in relation to the provision of ICT services supporting critical or important functions with the same ICT service provider or with closely connected ICT service providers | DORA Article 29(1) | All | Supplier Security Policy |
| Weigh benefits and risks that may arise where the contractual arrangements on the use of ICT services supporting critical or important functions include the possibility that an ICT third-party service provider further subcontracts ICT services supporting a critical or important function to other ICT third-party service providers; also consider the insolvency law provisions | DORA Article 29(2) | All | Supplier Security Policy |
| Consider the compliance with EU data protection rules (GDPR and others) where contractual arrangements on the use of ICT services supporting critical or important functions are concluded with an ICT third-party service provider established in a non-EU country | DORA Article 29(2) | All | Supplier Security Policy |
| Assess whether and how potentially long or complex chains of subcontracting may impact their ability to fully monitor the contracted functions and the ability of the competent authority to effectively supervise the financial entity where the contractual arrangements on the use of ICT services supporting critical or important functions provide for subcontracting | DORA Article 29(2) | All | Supplier Security Policy |
| The contractual arrangements on the use of ICT services must include at least the following elements: (a) a clear and complete description of all functions and ICT services; (b) the locations, namely the regions or countries, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed; (c) provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data; (d) provisions on ensuring access, recovery and return in an easily accessible format; (e) service level descriptions, including updates and revisions thereof; (f) the obligation of the ICT third-party service provider to provide assistance to the financial entity when an ICT incident occurs; (g) the obligation of the ICT third-party service provider to fully cooperate with the competent authorities; (h) termination rights and related minimum notice periods; (i) the conditions for the participation of ICT third-party service providers in the financial entities’ ICT security awareness programmes and digital operational resilience training | DORA Article 30(2) | All | Supplier Security Policy |
| The contractual arrangements on the use of ICT services supporting critical or important functions must include, in addition to the elements referred to in paragraph 2, at least the following: (a) full service level descriptions; (b) notice periods and reporting obligations; (c) requirements for the ICT third-party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies; (d) the obligation of the ICT third-party service provider to participate and fully cooperate in the financial entity’s TLPT; (e) the right to monitor, on an ongoing basis, the ICT third-party service provider’s performance; (f) exit strategies | DORA Article 30(3) | All | Supplier Security Policy |
| When negotiating contractual arrangements, financial entities and ICT third-party service providers shall consider the use of standard contractual clauses developed by public authorities for specific services | DORA Article 30(4) | All | Supplier Security Policy |
Common cybersecurity documents not required by DORA
I’m aware that the list above is very extensive; however, DORA did not mention some documents that are quite common when managing cybersecurity:
- Information Classification Policy — provides clear rules on how to classify documents and other information, and how to protect those assets according to classification level.
- Mobile Device, Teleworking and Work from Home Policy — specifies the rules for using laptops, smartphones, and other devices outside of company premises.
- Bring Your Own Device (BYOD) Policy — specifies security aspects if employees are using their private devices for work.
- Disposal and Destruction Policy — specifies how to dispose of devices and media, in order to delete all sensitive data and avoid breaking intellectual property rights.
- Procedures for Working in Secure Areas — defines security rules for data centers, archives, and other areas that need special protection.
- Clear Desk and Clear Screen Policy — defines rules for each employee on how to protect his/her workspace.
For more information about DORA, download this free white paper: Comprehensive guide to the DORA Regulation.