The Digital Operational Resilience Act (DORA) aims to strengthen the digital operational resilience of the EU’s financial sector by establishing a harmonized, technology-neutral regulatory framework. It applies to a wide range of financial entities—such as banks, investment firms, insurance companies, and payment service providers—as well as their critical ICT service providers. DORA’s core pillars include:

  1. robust internal governance and oversight,
  2. a comprehensive ICT risk management framework,
  3. thorough digital operational resilience testing,
  4. effective management of ICT third-party risk,
  5. streamlined ICT incident reporting.

This playbook serves as a resource for professionals responsible for safeguarding their organization’s digital resilience, including CISOs, Compliance Officers, Risk Managers, and other senior decision-makers. It outlines the key obligations, practices, and procedures needed to comply with DORA’s regulatory framework, ensuring that stakeholders can methodically identify gaps, implement solutions, and drive continuous improvement. By addressing a wide range of operational, governance, and technical considerations, this playbook provides leadership with practical guidance to navigate the evolving landscape of digital operational resilience within the EU’s financial sector.

 

Building a Strong Foundation

Any compliance initiative must begin with a strong foundation. This starts by identifying all relevant DORA-related obligations, technical standards, and guidelines, as well as determining the scope and applicability of DORA requirements, including criteria outlined in Article 161 for simplified ICT risk management frameworks. Applying the proportionality principle ensures that strategies are tailored to the organization’s size, complexity, and risk profile. From the outset, management should endorse the initiative and assemble an implementation team dedicated to overseeing the entire rollout, ensuring smoother progress. Finally, establishing a systematic document management process to maintain DORA-related records sets the stage for ongoing, organized compliance.

 

Establish Internal Governance and Control

Performing a governance gap analysis establishes a baseline for identifying areas that require strengthening. Documenting roles, responsibilities, and formal structures helps senior management, committees, and critical functions—such as risk, compliance, internal audit, and business continuity—operate more effectively. In addition, updating codes of conduct, conflict of interest policies, and internal alert mechanisms ensures that all stakeholders work within a framework of integrity and transparency. This structured approach, supported by periodic executive training sessions and adequate budgetary resources, ultimately fosters a more resilient and cohesive governance environment.

 

Build and Strengthen the ICT Risk Management Framework (ICT RMF)

Conducting a gap analysis on existing ICT Risk Management Frameworks (ICT RMFs) establishes a foundation for setting a clear and tailored ICT and digital operational resilience strategy. This involves defining a customized ICT risk methodology and classifying all ICT assets to ensure comprehensive oversight and management. By identifying critical third-party ICT dependencies, managing legacy systems effectively, and regularly assessing ICT risks, the organization can proactively address potential vulnerabilities. Implementing robust ICT security measures—such as continuous monitoring, anomaly detection, and well-defined incident response plans—fortifies an organization’s defenses against cyber threats. Integrating Identity Governance and Administration (IGA) solutions helps maintain strict control over user access to critical systems and data, ensuring that privileges are aligned with defined roles, responsibilities, and regulatory requirements. Developing comprehensive business continuity functions, including crisis management protocols, backup and recovery processes, and system redundancies, prepares the organization to maintain operations during disruptions. Finally, gathering ongoing threat intelligence, measuring performance through key performance indicators (KPIs), and maintaining clear communication policies for both internal and external stakeholders further enhance the organization’s ability to respond proactively to emerging risks and maintain digital resilience.

 

Incident Management and Reporting

Establishing a clear incident management process requires well-defined procedures that include both root cause analysis and comprehensive reporting frameworks, ensuring that every disruption is thoroughly understood and documented. By integrating processes for timely notification to authorities and promptly informing affected clients of major ICT-related incidents, the organization maintains transparency and compliance with regulatory expectations. In addition, tracking annual costs and losses related to these incidents, and keeping that information readily available, ensures that the organization can promptly respond to competent authority requests and continuously refine its resilience strategies.

 

Digital Operational Resilience Testing (DORT)

Implementing a continuous testing program allows for ongoing scrutiny of the organization’s ICT environment, ensuring vulnerabilities are promptly identified and mitigated. By conducting annual evaluations of critical ICT systems, regularly performing vulnerability assessments, and organizing threat-led penetration tests (TLPTs), the organization maintains a proactive stance against emerging threats. Meticulous documentation of results, remediation plans, and proof of adherence to DORA testing guidelines further demonstrates a structured, diligent approach to sustaining digital operational resilience.

 

Third-Party Risk Management (ICT TPRM)

Establishing comprehensive policies for managing ICT third-party risks involves classifying providers according to criticality, determining appropriate oversight mechanisms, and ensuring transparency throughout the supply chain. Maintaining an up-to-date register of all contractual arrangements and fulfilling reporting obligations reinforces accountability while embedding resilience requirements within contracts strengthens the organization’s defense against potential disruptions. By incorporating thorough due diligence procedures into procurement processes, carefully planning exit strategies, and continuously monitoring third-party performance, the organization creates a robust, adaptable framework that safeguards its digital operational resilience over time.

 

Information-Sharing Arrangements

Engaging in voluntary information-sharing arrangements to exchange cyber threat intelligence strengthens the organization’s collective security posture and increases awareness of emerging risks. Proactively notifying authorities of these collaborations and maintaining thorough documentation of each partnership ensures that the information-sharing efforts remain transparent, accountable, and aligned with regulatory expectations.

 

Continuous Improvement and Final Steps

Reviewing and adjusting the ICT Risk Management Framework (ICT RMF) each year and readily reporting updates to authorities upon request ensures the organization remains aligned with evolving standards. Completing a final gap analysis confirms full compliance, revealing opportunities for refinement and strengthening of safeguards. Committing to ongoing enhancements, evidence-based corrective actions, and incremental improvements ensures continued adherence to DORA and fosters a culture of continuous operational resilience.

The latest regulatory text, along with any subsequent Technical Standards, Guidelines, and Recommendations, can be found through the EU’s official legal database (EUR-Lex: https://eur-lex.europa.eu/) and the websites of the European Supervisory Authorities. DORA entered into force on 16 January 2023 and will apply as of 17 January 2025.

 

Checklist for DORA Compliance

This checklist serves as a structured pathway, guiding organizations through understanding requirements, setting strategies, testing resilience, managing third-party risks, and continuously refining their digital operational resilience capabilities in line with DORA’s obligations. By following these steps, entities establish a secure, reliable foundation for long-term digital resilience.


Foundation

  1. Compile and review all DORA requirements and supportive guidelines
  2. Define DORA’s scope and relevance to your organization
  3. Apply proportionality considerations to tailor your approach
  4. Secure management buy-in and form an implementation team
  5. Create and maintain a DORA documentation framework


Governance and Control

  1. Complete a governance gap analysis
  2. Clearly define management roles and responsibilities
  3. Establish committees (Risk, Audit, Cybersecurity, etc.)
  4. Update corporate values, codes of conduct, and conflict of interest policies
  5. Strengthen risk, compliance, and internal audit functions
  6. Develop internal alert systems, new product approval policies, and business continuity functions
  7. Provide regular training and ensure proper resource allocation



ICT RMF

  1. ✔ Conduct a gap analysis of existing ICT risk frameworks
  2. ✔ Set ICT and digital resilience strategies aligned with DORA
  3. ✔ Define ICT risk management methodologies and identify assets
  4. ✔ Assess third-party dependencies, legacy systems, and conduct regular risk assessments
  5. ✔ Enhance ICT security measures, monitoring, and detection processes
  6. ✔ Implement business continuity strategies, crisis management, backups, and redundancies
  7. ✔ Gather threat intelligence, track KPIs, and deliver training and communication plans


Incident Management

  1. ✔ Develop a formal ICT incident management and reporting procedure
  2. ✔ Notify authorities and stakeholders of significant incidents
  3. ✔ Track annual incident-related costs and refine response strategies



Resilience Testing (DORT)

  1. ✔ Establish a resilience testing program
  2. ✔ Test critical ICT systems and applications annually
  3. ✔ Perform vulnerability assessments and regular threat-led penetration tests
  4. ✔ Document remediation measures and submit results as required


Continuous Improvement

  1. ✔ Review the ICT RMF annually and adapt as needed
  2. ✔ Conduct a final gap analysis to confirm compliance
  3. ✔ Continuously refine processes, implement corrective actions, and enhance resilience maturity



Information Sharing

  1. ✔ Engage in voluntary threat intelligence exchanges with peers and authorities
  2. ✔ Document arrangements and notify authorities of participation


Third-Party Risk Management

  1. ✔ Create strategies and policies for ICT third-party risks
  2. ✔ Maintain an up-to-date register of third-party arrangements
  3. ✔ Notify authorities of critical or important third-party functions
  4. ✔ Include necessary resilience clauses in contracts and plan exit strategies
  5. ✔ Conduct extended due diligence and maintain ongoing monitoring


Let's Get
Started

Let us show you how Omada can enable your business.