List of documents required by the DORA regulation

The DORA regulation is pretty specific on what needs to be implemented in order to ensure cybersecurity and resilience of IT systems. The problem is that there are many requirements, and it is hard to conclude what needs to be covered with which documents.

This article maps each relevant requirement from DORA to the documents that are best suited to cover it.

The DORA regulation specifies more than 100 different cybersecurity and resilience requirements, which can be covered with 30 to 40 policies, procedures, plans, and similar documents.


List of documents to comply with DORA

Before you start reading the list below, a couple of notes:

\* “Smaller” financial organizations are the following entities (these are the ones that must go for the simplified ICT risk management framework according to DORA Article 16):

* small and non-interconnected investment firms
* small payment institutions exempted by the decision of Member States according to Directive (EU) 2015/2366
* specific credit institutions defined in Directive 2013/36/EU (if Member States did not exclude them completely from DORA)
* small electronic money institutions exempted by the decision of Member States according to Directive 2009/110/EC
* small institutions for occupational retirement provision

\*\* “Microenterprises” are those financial entities that employ fewer than 10 persons and have an annual turnover and/or annual balance sheet total that does not exceed 2 million euros.

| Requirements | References | Which financial entities | Usually documented through |
|---|---|---|---|
| Set clear roles and responsibilities for all ICT-related functions | DORA Article 5(2)(c); CDR 2024/1774 Title II | All except smaller\* | Each document listed in this column must define clear roles and responsibilities for all specified activities |
| Establish appropriate governance arrangements | DORA Article 5(2)(c); CDR 2024/1774 Title II | All except smaller | ICT Risk Management Policy + all documents listed in this column |
| Set and approve the digital operational resilience strategy; the ICT risk management framework shall include a digital operational resilience strategy setting out how the framework shall be implemented, and shall include methods to address ICT risk and attain specific ICT objectives | DORA Article 5(2)(d); Article 6(8); CDR 2024/1774 Title II | All except smaller | Digital Operational Resilience Strategy |
| Approve, oversee and periodically review the implementation of the ICT business continuity policy | DORA Article 5(2)(e); CDR 2024/1774 Title II | All except smaller | Business Continuity Policy |
| Approve, oversee and periodically review the implementation of ICT response and recovery plans | DORA Article 5(2)(e); CDR 2024/1774 Title II | All except smaller | Incident Response Plan + Activity Recovery Plan + Disaster Recovery Plan |
| Approve and periodically review the ICT internal audit plan | DORA Article 5(2)(f); CDR 2024/1774 Title II | All except smaller | Internal Audit Program |
| Allocate and periodically review the appropriate budget | DORA Article 5(2)(g); CDR 2024/1774 Title II | All except smaller | Digital Operational Resilience Strategy |
| Approve and periodically review the policy on arrangements regarding the use of ICT services provided by ICT third-party service providers | DORA Article 5(2)(h); CDR 2024/1774 Title II | All except smaller | Supplier Security Policy |
| Reporting channels related to ICT third-party service providers: arrangements concluded, planned material changes, and their impact on critical or important functions | DORA Article 5(2)(i); CDR 2024/1774 Title II | All except smaller | Supplier Security Policy |
| Establish a role to monitor the arrangements concluded with ICT third-party service providers on the use of ICT services, or designate a member of senior management as responsible for overseeing the related risk exposure | DORA Article 5(3); CDR 2024/1774 Title II | All except smaller and microenterprises\*\* | ICT Risk Management Policy + Supplier Security Policy |
| Members of the management body of the financial entity must actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations | DORA Article 5(4); CDR 2024/1774 Title II | All except smaller | Security Policy for Human Resources + Training and Awareness Plan |
| The ICT risk management framework shall include at least strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information assets and ICT assets | DORA Article 6(2); CDR 2024/1774 Title II | All except smaller | ICT Risk Management Policy + all documents listed in this column |
| Minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools | DORA Article 6(3); CDR 2024/1774 Title II | All except smaller | ICT Risk Management Policy + all documents listed in this column |
| Assign the responsibility for managing and overseeing ICT risk to a control function | DORA Article 6(4); CDR 2024/1774 Title II | All except smaller and microenterprises | ICT Risk Management Policy |
| Ensure appropriate segregation and independence of ICT risk management functions, control functions, and internal audit functions | DORA Article 6(4); CDR 2024/1774 Title II | All except smaller | ICT Risk Management Policy |
| The ICT risk management framework shall be documented and reviewed | DORA Article 6(5); CDR 2024/1774 Title II | All except smaller | ICT Risk Management Policy |
| The ICT risk management framework shall be subject to internal audit by auditors on a regular basis | DORA Article 6(6); CDR 2024/1774 Title II | All except smaller and microenterprises | ICT Risk Management Policy + Internal Audit Procedure |
| Internal auditors shall possess sufficient knowledge, skills and expertise in ICT risk, as well as appropriate independence | DORA Article 6(6); CDR 2024/1774 Title II | All except smaller and microenterprises | Internal Audit Procedure |
| Establish a formal follow-up process, including rules for the timely verification and remediation of critical ICT audit findings | DORA Article 6(7); CDR 2024/1774 Title II | All except smaller | Internal Audit Procedure + Procedure for Corrective Actions |
| Identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk | DORA Article 8(1); CDR 2024/1774 Title II | All except smaller | Asset Management Procedure + IT Asset Register |
| On a continuous basis, identify all sources of ICT risk, in particular the risk exposure to and from other financial entities, and assess cyber threats and ICT vulnerabilities relevant to their ICT supported business functions, information assets and ICT assets | DORA Article 8(2); CDR 2024/1774 Title II | All except smaller | Risk Management Methodology + Risk Assessment Table / Risk Register |
| Review on a regular basis, and at least yearly, the risk scenarios impacting them | DORA Article 8(2); CDR 2024/1774 Title II | All except smaller | Risk Management Methodology + Risk Assessment Table / Risk Register |
| Perform a risk assessment upon each major change in the network and information system infrastructure, in the processes or procedures affecting their ICT supported business functions, information assets or ICT assets | DORA Article 8(3); CDR 2024/1774 Title II | All except smaller and microenterprises | Risk Management Methodology + Risk Assessment Table / Risk Register |
| Identify all information assets and ICT assets, including those on remote sites, network resources and hardware equipment, and map those considered critical | DORA Article 8(4); CDR 2024/1774 Title II | All except smaller | Asset Management Procedure + IT Asset Register |
| Map the configuration of the information assets and ICT assets and the links and interdependencies between the different information assets and ICT assets | DORA Article 8(4); CDR 2024/1774 Title II | All except smaller | Asset Management Procedure + IT Asset Register |
| Identify and document all processes that are dependent on ICT third-party service providers, and identify interconnections with ICT third-party service providers that provide services that support critical or important functions | DORA Article 8(5); CDR 2024/1774 Title II | All except smaller | Asset Management Procedure + IT Asset Register |
| For the purposes of paragraphs 1, 4 and 5 of Article 8, maintain relevant inventories and update them periodically and every time any major change as referred to in paragraph 3 occurs | DORA Article 8(6); CDR 2024/1774 Title II | All except smaller | Asset Management Procedure + IT Asset Register |
| On a regular basis, and at least yearly, conduct a specific ICT risk assessment on all legacy ICT systems and, in any case, before and after connecting technologies, applications or systems | DORA Article 8(7); CDR 2024/1774 Title II | All except smaller and microenterprises | Risk Management Methodology + Risk Assessment Table / Risk Register |
| Continuously monitor and control the security and functioning of ICT systems and tools | DORA Article 9(1); CDR 2024/1774 Title II | All except smaller | Monitoring Procedure |
| Design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions | DORA Article 9(2); CDR 2024/1774 Title II | All except smaller | ICT Risk Management Policy + all documents listed in this column |
| Develop and document an information security policy defining rules to protect the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets, including those of their customers | DORA Article 9(4)(a); CDR 2024/1774 Title II | All except smaller | ICT Risk Management Policy |
| Establish a sound network and infrastructure management structure using appropriate techniques, methods and protocols; design the network connection infrastructure in a way that allows it to be instantaneously severed or segmented in order to minimise and prevent contagion, especially for interconnected financial processes | DORA Article 9(4)(b); CDR 2024/1774 Title II | All except smaller | Network Security Policy |
| Implement policies that limit the physical or logical access to information assets and ICT assets, and establish to that end a set of policies, procedures and controls that address access rights and ensure a sound administration thereof | DORA Article 9(4)(c); CDR 2024/1774 Title II | All except smaller | Access Control Policy |
| Implement policies and protocols for strong authentication mechanisms | DORA Article 9(4)(d); CDR 2024/1774 Title II | All except smaller | Authentication Policy |
| Implement documented policies, procedures and controls for ICT change management; the ICT change management process shall be approved by appropriate lines of management and shall have specific protocols in place | DORA Article 9(4)(e); CDR 2024/1774 Title II | All except smaller | Change Management Policy |
| Have appropriate and comprehensive documented policies for patches and updates | DORA Article 9(4)(f); CDR 2024/1774 Title II | All except smaller | Patch Management Policy |
| Have in place mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure; all detection mechanisms must be regularly tested | DORA Article 10(1); CDR 2024/1774 Title II | All except smaller | Monitoring Procedure |
| Detection mechanisms must enable multiple layers of control, define alert thresholds and criteria to trigger and initiate ICT-related incident response processes, including automatic alert mechanisms for relevant staff in charge of ICT-related incident response | DORA Article 10(2); CDR 2024/1774 Title II | All except smaller | Monitoring Procedure |
| Devote sufficient resources and capabilities to monitor user activity, the occurrence of ICT anomalies and ICT-related incidents, in particular cyber-attacks | DORA Article 10(3); CDR 2024/1774 Title II | All except smaller | Monitoring Procedure |
| Put in place a comprehensive ICT business continuity policy, which may be adopted as a dedicated specific policy, forming an integral part of the overall business continuity policy | DORA Article 11(1); CDR 2024/1774 Title II | All except smaller | Business Continuity Policy |
| Implement the ICT business continuity policy through dedicated, appropriate and documented arrangements, plans, procedures and mechanisms aiming to ensure continuity and to quickly, appropriately and effectively respond to, and resolve, all ICT-related incidents | DORA Article 11(2); CDR 2024/1774 Title II | All except smaller | Business Impact Analysis Methodology + Business Continuity Strategy + Crisis Management Plan + Business Continuity Plan + Incident Response Plan + Disaster Recovery Plan + Activity Recovery Plan |
| Activate, without delay, dedicated plans that enable containment measures, processes and technologies suited to each type of ICT-related incident and prevent further damage, as well as tailored response and recovery procedures | DORA Article 11(2)(c); CDR 2024/1774 Title II | All except smaller | Incident Response Plan |
| Estimate preliminary impacts, damages and losses | DORA Article 11(2)(d); CDR 2024/1774 Title II | All except smaller | Business Continuity Plan |
| Set out communication and crisis management actions that ensure that updated information is transmitted to all relevant internal staff and external stakeholders | DORA Article 11(2)(e); CDR 2024/1774 Title II | All except smaller | Crisis Management Plan |
| Implement ICT response and recovery plans | DORA Article 11(3); CDR 2024/1774 Title II | All except smaller | Incident Response Plan + Disaster Recovery Plan + Activity Recovery Plan |
| Maintain and periodically test appropriate ICT business continuity plans, notably with regard to critical or important functions outsourced or contracted through arrangements with ICT third-party service providers | DORA Article 11(4); CDR 2024/1774 Title II | All except smaller | Maintenance and Review Plan + Business Continuity Testing and Exercising Plan |
| Conduct a business impact analysis (BIA) of exposure to severe business disruptions | DORA Article 11(5); CDR 2024/1774 Title II | All except smaller | Business Impact Analysis Methodology + Business Impact Analysis Questionnaire |
| Test the ICT business continuity plans and the ICT response and recovery plans in relation to ICT systems supporting all functions at least yearly; test the crisis communication plans | DORA Article 11(6); CDR 2024/1774 Title II | All except smaller | Business Continuity Testing and Exercising Plan |
| Include in the testing plans scenarios of cyber-attacks and switchovers between the primary ICT infrastructure and the redundant capacity, backups and redundant facilities | DORA Article 11(6); CDR 2024/1774 Title II | All except smaller and microenterprises | Business Continuity Testing and Exercising Plan |
| Regularly review the ICT business continuity policy and ICT response and recovery plans | DORA Article 11(6); CDR 2024/1774 Title II | All except smaller | Maintenance and Review Plan |
| Have a crisis management function which, in the event of activation of their ICT business continuity plans or ICT response and recovery plans, must set out clear procedures to manage internal and external crisis communications | DORA Article 11(7); CDR 2024/1774 Title II | All except smaller and microenterprises | Crisis Management Plan |
| Keep readily accessible records of activities before and during disruption events when their ICT business continuity plans and ICT response and recovery plans are activated | DORA Article 11(8); CDR 2024/1774 Title II | All except smaller | Disaster Recovery Plan + Activity Recovery Plan |
| Report to the competent authorities an estimation of aggregated annual costs and losses caused by major ICT-related incidents | DORA Article 11(10); CDR 2024/1774 Title II | All except smaller and microenterprises | Incident Management Procedure |
| Develop and document backup policies and procedures, and restoration and recovery procedures and methods | DORA Article 12(1); CDR 2024/1774 Title II | All except smaller | Backup Policy + Backup and Restoration Procedure |
| Testing of the backup procedures and restoration and recovery procedures and methods must be undertaken periodically | DORA Article 12(2); CDR 2024/1774 Title II | All except smaller | Backup and Restoration Procedure |
| When restoring backup data using own systems, use ICT systems that are physically and logically segregated from the source ICT system | DORA Article 12(3); CDR 2024/1774 Title II | All except smaller | Backup and Restoration Procedure |
| Maintain redundant ICT capacities equipped with resources, capabilities and functions that are adequate to ensure business needs | DORA Article 12(4); CDR 2024/1774 Title II | All except smaller | Business Continuity Strategy |
| In determining the recovery time and recovery point objectives for each function, take into account whether it is a critical or important function and the potential overall impact on market efficiency | DORA Article 12(6); CDR 2024/1774 Title II | All except smaller | Business Impact Analysis Methodology + Business Continuity Strategy |
| When recovering from an ICT-related incident, perform necessary checks, including any multiple checks and reconciliations | DORA Article 12(7); CDR 2024/1774 Title II | All except smaller | Incident Management Procedure |
| Have in place capabilities and staff to gather information on vulnerabilities and cyber threats, ICT-related incidents, in particular cyber-attacks, and analyse the impact they are likely to have | DORA Article 13(1); CDR 2024/1774 Title II | All except smaller | Monitoring Procedure |
| Put in place post ICT-related incident reviews after a major ICT-related incident disrupts their core activities, analysing the causes of disruption and identifying required improvements to the ICT operations or within the ICT business continuity policy | DORA Article 13(2); CDR 2024/1774 Title II | All except smaller | Incident Management Procedure + Post Incident Review Form + Procedure for Corrective Actions |
| On a continuous basis, incorporate into the ICT risk assessment process lessons derived from the digital operational resilience testing and from real-life ICT-related incidents, along with challenges faced upon the activation of ICT business continuity plans and ICT response and recovery plans; senior ICT staff shall report at least yearly to the management body on the findings | DORA Article 13(3); Article 13(5); CDR 2024/1774 Title II | All except smaller | Risk Assessment Methodology + Incident Management Procedure |
| Monitor the effectiveness of the implementation of their digital operational resilience strategy, map the evolution of ICT risk over time, analyse the frequency, types, magnitude and evolution of ICT-related incidents, in particular cyber-attacks and their patterns, with a view to understanding the level of ICT risk exposure, in particular in relation to critical or important functions, and enhance the cyber maturity and preparedness | DORA Article 13(4); CDR 2024/1774 Title II | All except smaller | Digital Operational Resilience Strategy + Risk Assessment Methodology + ICT Risk Management Policy |
| Develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes; those programmes and training must be applicable to all employees and to senior management staff, and must have a level of complexity commensurate to the remit of their functions; where appropriate, financial entities must also include ICT third-party service providers in their relevant training schemes | DORA Article 13(6); CDR 2024/1774 Title II | All except smaller | Security Policy for Human Resources + Training and Awareness Plan |
| Monitor relevant technological developments on a continuous basis, also with a view to understanding the possible impact of the deployment of such new technologies on ICT security requirements and digital operational resilience | DORA Article 13(7); CDR 2024/1774 Title II | All except smaller and microenterprises | ICT Risk Management Policy |
| Have in place crisis communication plans enabling a responsible disclosure of, at least, major ICT-related incidents or vulnerabilities to clients and counterparts as well as to the public | DORA Article 14(1); CDR 2024/1774 Title II | All except smaller | Crisis Management Plan |
| Implement communication policies for internal staff and for external stakeholders | DORA Article 14(2); CDR 2024/1774 Title II | All except smaller | Crisis Management Plan |
| At least one person must be tasked with implementing the communication strategy for ICT-related incidents and fulfil the public and media function for that purpose | DORA Article 14(3); CDR 2024/1774 Title I | All except smaller | Crisis Management Plan |
| Put in place and maintain a sound and documented ICT risk management framework that details the mechanisms and measures aimed at a quick, efficient and comprehensive management of ICT risk | DORA Article 16(1)(a); CDR 2024/1774 Title III | Only smaller | ICT Risk Management Policy + all documents listed below in this column |
| Continuously monitor the security and functioning of all ICT systems | DORA Article 16(1)(b); CDR 2024/1774 Title III | Only smaller | Monitoring Procedure |
| Minimise the impact of ICT risk through the use of sound, resilient and updated ICT systems, protocols and tools | DORA Article 16(1)(c); CDR 2024/1774 Title III | Only smaller | All documents specified for smaller financial organizations |
| Allow sources of ICT risk and anomalies in the network and information systems to be promptly identified and detected, and ICT-related incidents to be swiftly handled | DORA Article 16(1)(d); CDR 2024/1774 Title III | Only smaller | Monitoring Procedure |
| Identify key dependencies on ICT third-party service providers | DORA Article 16(1)(e); CDR 2024/1774 Title III | Only smaller | Supplier Security Policy + Strategy on ICT third-party risk |
| Ensure the continuity of critical or important functions, through business continuity plans and response and recovery measures, which include, at least, back-up and restoration measures | DORA Article 16(1)(f); CDR 2024/1774 Title III | Only smaller | Business Continuity Plan + Incident Response Plan + Activity Recovery Plan + Disaster Recovery Plan + Backup and Restoration Procedure |
| Test, on a regular basis, the plans and measures, as well as the effectiveness of the controls implemented | DORA Article 16(1)(g); CDR 2024/1774 Title III | Only smaller | Business Continuity Testing and Exercising Plan |
| Implement relevant operational conclusions resulting from the tests and from post-incident analysis into the ICT risk assessment process | DORA Article 16(1)(h); CDR 2024/1774 Title III | Only smaller | Exercising and Testing Report + Corrective Actions |
| Develop, according to needs and ICT risk profile, ICT security awareness programmes and digital operational resilience training for staff and management | DORA Article 16(1)(h); CDR 2024/1774 Title III | Only smaller | Security Policy for Human Resources + Training and Awareness Plan |
| The ICT risk management framework must be documented and reviewed periodically and upon the occurrence of major ICT-related incidents, and continuously improved on the basis of lessons derived from implementation and monitoring | DORA Article 16(2); CDR 2024/1774 Title III | Only smaller | Maintenance and Review Plan + Monitoring Procedure + Procedure for Corrective Actions |
| Define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents, including: early warning indicators; procedures to identify, track, log, categorise and classify ICT-related incidents; assign roles and responsibilities; set out plans for communication to staff, external stakeholders and media and for notification to clients, and for internal escalation procedures; ensure that at least major ICT-related incidents are reported to relevant senior management; and establish ICT-related incident response procedures | DORA Article 17(1) and (3) | All | Incident Management Procedure |
| Record all ICT-related incidents and significant cyber threats | DORA Article 17(2) | All | Incident Management Procedure + Incident & Threat Log |
| Establish appropriate procedures and processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidents, to ensure that root causes are identified, documented and addressed in order to prevent the occurrence of such incidents | DORA Article 17(2) | All | Incident Management Procedure + Procedure for Corrective Actions |
| Classify ICT-related incidents and determine their impact | DORA Article 18(1); CDR 2024/1772 | All | Incident Management Procedure |
| Classify cyber threats as significant based on the criticality of the services at risk | DORA Article 18(2); CDR 2024/1772 | All | Incident Management Procedure |
| Report major ICT-related incidents to the relevant competent authority | DORA Article 19(1) | All | Incident Management Procedure |
| On a voluntary basis, notify significant cyber threats to the relevant competent authority when the threat is of relevance to the financial system, service users or clients | DORA Article 19(2) | All | Incident Management Procedure |
| Inform clients about the major ICT-related incident and about the measures that have been taken if a major ICT-related incident occurs and has an impact on the financial interests of clients | DORA Article 19(3) | All | Incident Management Procedure |
| Inform clients that are potentially affected of any appropriate protection measures in the case of a significant cyber threat | DORA Article 19(3) | All | Incident Management Procedure |
| Submit the following to the relevant competent authority: (a) an initial notification; (b) an intermediate report, followed, as appropriate, by updated notifications every time a relevant status update is available; and (c) a final report | DORA Article 19(4) | All | Incident Initial Notification + Incident Intermediate Report + Incident Final Report |
| Establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework for the purpose of assessing preparedness for handling ICT-related incidents, of identifying weaknesses, deficiencies and gaps in digital operational resilience, and of promptly implementing corrective measures | DORA Article 24(1) | All except microenterprises | Resilience Testing Program |
| The digital operational resilience testing programme shall include a range of assessments, tests, methodologies, practices and tools, such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing | DORA Article 24(2); Article 25(1) | All | Resilience Testing Program |
| Ensure that digital operational resilience tests are undertaken by independent parties, whether internal or external | DORA Article 24(4) | All except microenterprises | Resilience Testing Program |
| Establish procedures and policies to prioritise, classify and remedy all issues revealed throughout the performance of the tests, and establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed | DORA Article 24(5) | All except microenterprises | Procedure for Corrective Actions |
| Ensure that appropriate tests are conducted on all ICT systems and applications supporting critical or important functions, at least yearly | DORA Article 24(6) | All except microenterprises | Resilience Testing Program |
| Perform the tests by combining a risk-based approach with a strategic planning of ICT testing, by duly considering the need to maintain a balanced approach between the scale of resources and the time to be allocated to the ICT testing and the urgency, type of risk, criticality of information assets and of services provided, as well as any other relevant factor, including the financial entity’s ability to take calculated risks | DORA Article 25(3) | Only microenterprises | Resilience Testing Program |
| Carry out, at least every 3 years, advanced testing by means of Threat-Led Penetration Testing (TLPT), which must cover several or all critical or important functions of a financial entity and be performed on live production systems supporting such functions | DORA Article 26(1) and (2) | All except smaller and microenterprises | Resilience Testing Program |
| Identify all relevant underlying ICT systems, processes and technologies supporting critical or important functions and ICT services, including those supporting the critical or important functions which have been outsourced or contracted to ICT third-party service providers, and assess which critical or important functions need to be covered by the TLPT | DORA Article 26(2) | All except smaller and microenterprises | Asset Management Procedure + IT Asset Register + Resilience Testing Program |
| Take the necessary measures and safeguards to ensure the participation of ICT third-party service providers in the TLPT | DORA Article 26(3) | All except smaller and microenterprises | Supplier Security Policy |
| Apply effective risk management controls to mitigate the risks of any potential impact of the testing on data, damage to assets, and disruption to critical or important functions, services or operations | DORA Article 26(5) | All | Resilience Testing Program |
| Provide to the authority a summary of the relevant findings, the remediation plans and the documentation demonstrating that the TLPT has been conducted in accordance with the requirements | DORA Article 26(6) | All | Resilience Testing Program |
| Only use testers for TLPT that: (a) are of the highest suitability and reputability; (b) possess technical and organisational capabilities; (c) are certified by an accreditation body; (d) provide an independent assurance, or an audit report, in relation to the sound management of risks associated with the carrying out of TLPT; (e) are duly and fully covered by relevant professional indemnity insurances | DORA Article 27(1) | All | Supplier Security Policy + Resilience Testing Program |
| Management of ICT third-party risk must be implemented in light of the principle of proportionality, taking into account: (i) the nature, scale, complexity and importance of ICT-related dependencies, and (ii) the risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers, taking into account the criticality or importance of the respective service, process or function, and the potential impact on the continuity and availability | DORA Article 28(1)(b); CDR 2024/1773 | All | Supplier Security Policy |
| Adopt and regularly review a strategy on ICT third-party risk, taking into account the multi-vendor strategy, where applicable; the strategy must include a policy on the use of ICT services | DORA Article 28(2); CDR 2024/1773 | All except smaller and microenterprises | Strategy on ICT third-party risk + Supplier Security Policy |
| The management body must regularly review the risks identified in respect to contractual arrangements on the use of ICT services supporting critical or important functions | DORA Article 28(2); CDR 2024/1773 | All except smaller and microenterprises | Supplier Security Policy + Strategy on ICT third-party risk |
| Maintain and update a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers | DORA Article 28(3); CDR 2024/1773 | All | Register of Contractual Arrangements + Supplier Security Policy |
| Report at least yearly to the competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided; inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions | DORA Article 28(3); CDR 2024/1773 | All | Supplier Security Policy |
| Before entering into a contractual arrangement on the use of ICT services, financial entities must: (a) assess whether the contractual arrangement covers the use of ICT services supporting a critical or important function; (b) assess if supervisory conditions for contracting are met; (c) identify and assess all relevant risks in relation to the contractual arrangement; (d) undertake all due diligence on prospective ICT third-party service providers; (e) identify and assess conflicts of interest | DORA Article 28(4); CDR 2024/1773 | All | Supplier Security Policy |
| Only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards | DORA Article 28(5); CDR 2024/1773 | All | Supplier Security Policy |
| Pre-determine the frequency of audits and inspections of ICT service providers, as well as the areas to be audited, through adhering to commonly accepted audit standards in line with any supervisory instruction and on the basis of a risk-based approach | DORA Article 28(6); CDR 2024/1773 | All | Supplier Security Policy |
| Verify that auditors, whether internal or external, or a pool of auditors, possess appropriate skills and knowledge where contractual arrangements concluded with ICT third-party service providers entail high technical complexity | DORA Article 28(6); CDR 2024/1773 | All | Supplier Security Policy |
| Ensure that contractual arrangements on the use of ICT services may be terminated in any of the following circumstances: (a) significant breach by the ICT third-party service provider; (b) circumstances altering the performance of the functions provided through the contractual arrangement; (c) ICT service provider’s evidenced weaknesses pertaining to its overall ICT risk management; (d) where the competent authority can no longer effectively supervise the financial entity | DORA Article 28(7); CDR 2024/1773 | All | Supplier Security Policy |
| For ICT services supporting critical or important functions, put in place exit strategies; exit plans must be comprehensive, documented and sufficiently tested and reviewed periodically; identify alternative solutions and develop transition plans enabling removal of the contracted ICT services and the relevant data from the IT service provider | DORA Article 28(8) | | |
CDR 2024/1773
All Supplier Security Policy + ICT Service Exit Strategy
Take into account whether the envisaged conclusion of a contractual arrangement in relation to ICT services supporting critical or important functions would lead to any of the following: (a) contracting an ICT third-party service provider that is not easily substitutable; or (b) having in place multiple contractual arrangements in relation to the provision of ICT services supporting critical or important functions with the same ICT service provider or with closely connected ICT service providers DORA Article 29(1) All Supplier Security Policy
Weigh benefits and risks that may arise where the contractual arrangements on the use of ICT services supporting critical or important functions include the possibility that an ICT third-party service provider further subcontracts ICT services supporting a critical or important function to other ICT third-party service providers; also consider the insolvency law provisions DORA Article 29(2) All Supplier Security Policy
Consider the compliance with EU data protection rules (GDPR and others) where contractual arrangements on the use of ICT services supporting critical or important functions are concluded with an ICT third-party service provider established in a non-EU country DORA Article 29(2) All Supplier Security Policy
Assess whether and how potentially long or complex chains of subcontracting may impact their ability to fully monitor the contracted functions and the ability of the competent authority to effectively supervise the financial entity where the contractual arrangements on the use of ICT services supporting critical or important functions provide for subcontracting DORA Article 29(2) All Supplier Security Policy
The contractual arrangements on the use of ICT services must include at least the following elements: (a) a clear and complete description of all functions and ICT services; (b) the locations, namely the regions or countries, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed; (c) provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data; (d) provisions on ensuring access, recovery and return in an easily accessible format; (e) service level descriptions, including updates and revisions thereof; (f) the obligation of the ICT third-party service provider to provide assistance to the financial entity when an ICT incident occurs; (g) the obligation of the ICT third-party service provider to fully cooperate with the competent authorities; (h) termination rights and related minimum notice periods; (i) the conditions for the participation of ICT third-party service providers in the financial entities’ ICT security awareness programmes and digital operational resilience training DORA Article 30(2) All Supplier Security Policy
The contractual arrangements on the use of ICT services supporting critical or important functions must include, in addition to the elements referred to in paragraph 2, at least the following: (a) full service level descriptions; (b) notice periods and reporting obligations; (c) requirements for the ICT third-party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies; (d) the obligation of the ICT third-party service provider to participate and fully cooperate in the financial entity’s TLPT; (e) the right to monitor, on an ongoing basis, the ICT third-party service provider’s performance; (f) exit strategies DORA Article 30(3) All Supplier Security Policy
When negotiating contractual arrangements, financial entities and ICT third-party service providers shall consider the use of standard contractual clauses developed by public authorities for specific services DORA Article 30(4) All Supplier Security Policy

Common cybersecurity documents not required by DORA

I’m aware that the list above is very extensive; however, DORA does not mention some documents that are quite common in cybersecurity management:

  • Information Classification Policy — provides clear rules on how to classify documents and other information, and how to protect those assets according to their classification level.
  • Mobile Device, Teleworking and Work from Home Policy — specifies the rules for using laptops, smartphones, and other devices outside of company premises.
  • Bring Your Own Device (BYOD) Policy — specifies the security aspects of employees using their private devices for work.
  • Disposal and Destruction Policy — specifies how to dispose of devices and media, in order to delete all sensitive data and avoid infringing intellectual property rights.
  • Procedures for Working in Secure Areas — defines security rules for data centers, archives, and other areas that need special protection.
  • Clear Desk and Clear Screen Policy — defines rules for each employee on how to protect their workspace.

For more information about DORA, download this free white paper: Comprehensive guide to the DORA Regulation.

Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001, NIS 2, and DORA expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.