ICT risk under DORA: mapping controls to regulatory requirements

DORA's ICT risk management framework, set out in Articles 5–16 of Regulation (EU) 2022/2554, requires financial entities to implement a comprehensive governance and control structure for managing ICT risk. The Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) developed through the Joint Committee of the European Supervisory Authorities (ESAs) provide granular detail on how the high-level requirements in the main regulation should be implemented. For firms that already operate under ISO 27001, NIST CSF, or the PRA's operational resilience framework, DORA represents an additional layer of specificity rather than a wholly new paradigm, but the mapping exercise required to demonstrate compliance against DORA's specific requirements is not trivial.

The ICT risk management framework pillar requires firms to have an ICT risk management framework approved by the management body, covering governance and organisation, ICT strategy and risk appetite, ICT asset management, ICT risk identification and assessment, ICT protection and prevention, detection of ICT anomalies, ICT response and recovery, backup and recovery testing, and communication procedures. The management body — which in the DORA context means the board or equivalent — must be actively involved in approving the framework and must receive regular reporting on ICT risks. Board members who are not technology specialists must be adequately informed and trained to fulfil this oversight role.

The incident classification and reporting pillar requires firms to classify ICT-related incidents according to criteria set out in the Commission Delegated Regulation supplementing DORA. Major incidents, meaning those meeting defined thresholds of affected users, data integrity impact, criticality of services affected, or reputational or financial loss, must be reported to competent authorities using a standardised template within tight timelines: an initial notification within four hours, an intermediate report within 72 hours, and a final report within one month. Firms must also report significant cyber threats that have not yet caused a major incident but have the potential to do so. This threat intelligence reporting obligation is novel and requires firms to establish internal processes for identifying and escalating significant threats before they materialise.

DORA's ICT third-party risk management requirements (Articles 28–44) are among the most operationally demanding elements. Firms must maintain a register of all ICT third-party service providers, classify each arrangement according to whether or not it supports a critical or important function (CIF), and ensure that contracts supporting CIFs contain the mandatory provisions covering service levels, audit rights, business continuity and exit rights. Existing contracts must be brought into compliance with the mandatory provisions by 17 January 2026. For firms with large numbers of legacy supplier agreements, this contractual remediation exercise is substantial.

Implementation prioritisation

EU-regulated entities implementing DORA should prioritise: governance documentation (framework, risk appetite, board reporting); ICT asset inventory and classification; incident classification and reporting procedures; and CIF contract inventory and gap analysis. Threat-led penetration testing (TLPT) obligations for significant entities and the ICT register submission to competent authorities are medium-term priorities. Firms that have not begun DORA implementation should engage specialist support immediately given the volume of work required.