Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) establishes a unified legal framework for the financial entities within its scope across the European Union. In line with the regulation’s objectives, each institution must ensure the security and resilience of its information and communication technology (ICT) and manage ICT risk in accordance with the framework the regulation prescribes. To meet these requirements in practice, financial market participants must maintain structured and regularly updated ICT documentation. Such documentation should cover policies, procedures, instructions, solution descriptions, and other materials that support operational activities.
Documentation should be hierarchical and systematically organized, ranging from overarching principles to detailed process descriptions and their application in day-to-day operations. Supervisory authorities do not mandate a specific format or volume of documentation; the key requirement is that the documentation accurately reflects the institution’s approach and its ability to manage ICT risks, ensure business continuity, and oversee ICT third-party service providers (whether or not the arrangement is classified as outsourcing).
Such documentation demonstrates an institution’s readiness to support business processes while meeting the requirements of DORA and other EU and national legislation. The level of detail should be proportionate to the scale and complexity of operations: larger institutions may distribute information across several governance documents and processes, while smaller institutions may consolidate it within integrated policies or procedures.
Supervisory authorities expect financial market participants to maintain this documentation proactively, review it periodically, and update it as necessary to reflect evolving risks, regulatory requirements, and business developments.
Financial market participants must establish a consistent approach to information and ICT security. This framework should define the institution’s approach to ICT risk management and risk tolerance, levels of protection, and the system of internal controls. It must be aligned with the overall risk management strategy and encompass both preventive and response measures. In practice, the framework is typically documented in a high-level ICT security policy approved by the institution’s senior management. This policy serves as the foundation for more detailed procedures, internal rules, and operational descriptions.
A clear approach and well-defined principles provide the basis for systematically managing technology-related risks and meeting regulatory requirements. The framework should not remain static – it must be reviewed and updated regularly to reflect evolving risks and technological developments.
Regulatory references:
- DORA Article 5 – requires the management body to define, approve, oversee and remain responsible for the ICT risk management framework;
- DORA Article 6 – requires institutions to maintain a sound, comprehensive and well-documented ICT risk management framework, including the policies, procedures, protocols and tools needed to protect ICT assets.
To ensure a timely and coordinated response to information and ICT-related incidents, institutions must establish clear procedures for identifying, recording, classifying, and escalating such events, as well as for reporting them to management and the supervisory authority. This process demonstrates that the institution is effectively implementing resilience principles and ensuring transparency in the event of an incident.
In practice, such procedures are usually formalized in a dedicated ICT incident management procedure or a process flow description outlining specific steps, responsibilities, and accountabilities in incident handling. These procedures are developed on the basis of previously defined security principles and form a critical component of the institution’s operational resilience framework. In line with the principle of proportionality, smaller institutions are also expected to define incident management procedures suited to the scale and nature of their operations.
Regulatory references:
- DORA Article 17 – requires institutions to establish an ICT-related incident management process to detect, manage, record and notify ICT-related incidents;
- DORA Article 18 – requires ICT-related incidents to be classified and their impact assessed against defined criteria (e.g. clients affected, duration, geographical spread, data losses, criticality of services, economic impact);
- DORA Article 19 – sets the obligation to report major ICT-related incidents to the competent authority;
- Commission Delegated Regulation (EU) 2025/301 – specifies the content and time limits for the initial notification, intermediate report and final report on major ICT-related incidents.
With the increasing role of third-party ICT services in the financial sector, financial market participants must be able to provide a clear view of how external ICT services are integrated into their internal ICT environment and business processes. This information is already essential at the licensing stage, enabling the supervisory authority to assess the resilience, interoperability, and allocation of responsibilities within the technological architecture.
Institutions are expected to maintain internal documentation that illustrates their ICT structure at both the technical level (e.g. platforms, network topology) and the functional level (e.g. service logic, data flows, access rights management).
This documentation must be linked to the institution’s operating models and reflect the actual delivery of services. It also serves as the basis for assessing third-party service management, as it enables the identification of critical dependencies and potential risks arising from such arrangements.
Information on all existing or planned third-party ICT services and assurance of their compliance with DORA requirements forms the foundation for supervisory authorities to evaluate the adequacy of external vendor management mechanisms. This demonstrates that the institution has identified all external ICT providers and governance arrangements and is prepared to implement relevant oversight measures.
Poorly managed outsourcing is a common source of technological incidents and data breaches; therefore, institutions must adopt a structured approach to evaluating third-party providers. This includes determining the criticality of each service (in particular whether it supports a critical or important function), defining the scope of data processed or stored by the provider, and preparing exit strategies describing how the service could be transferred to another provider or brought back in-house without disrupting business activities.
At the licensing stage, it is sufficient for institutions to identify their third-party service providers and assess their criticality as part of the infrastructure description. However, institutions are encouraged to begin systematically organizing supplier information in line with the structure of the register of information on contractual arrangements with ICT third-party service providers, which DORA requires every financial entity to maintain.
Regulatory references:
- DORA Articles 28–29 – set out the general principles for managing ICT third-party risk, including pre-contractual due diligence, the register of information, exit strategies and the assessment of ICT concentration risk;
- DORA Article 30 – requires contracts with ICT third-party service providers to include specific provisions, with additional requirements where the service supports a critical or important function.
Additional Elements Demonstrating Readiness for Long-Term Compliance
Certain elements – such as Business Impact Analysis (BIA) or documentation of internal audit functions – are not mandatory for all financial market participants at the initial licensing stage. However, particularly where a license is sought by an institution already operating in another jurisdiction or forming part of a larger organization, the inclusion of such aspects in documentation is regarded as good practice. These additions serve as a clear signal to the supervisory authority that the institution not only understands the requirements of DORA but is also prepared to implement them in practice.
A Business Impact Analysis (required by DORA Article 11) allows the identification of critical functions and their dependency on specific ICT resources. Its purpose is to assess the potential impact of various disruptions on the institution’s operations and to prepare appropriate recovery measures in advance. Based on the BIA, a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are developed, both of which are essential components for meeting DORA’s operational resilience requirements.
Financial market participants that conduct regular internal audits or self-assessments of their compliance with DORA requirements gain a significant advantage in maintaining long-term compliance. Such reviews provide an independent evaluation of how policies and procedures are applied in practice and allow institutions to identify shortcomings and areas for improvement in a timely manner. Where an institution already has an established internal audit function or makes use of compliance assessments developed by external consultants, this information becomes an important factor in the supervisory authority’s evaluation. Audit activities are typically linked to management oversight mechanisms and serve as evidence of a strong compliance culture within the institution.