Maintaining compliance with DORA, RTS, and ITS requires a systematic approach to ICT risk management, incident handling, operational resilience testing, and oversight of third-party providers. Below are practical guidelines in seven key DORA areas to help your organization stay prepared for ongoing challenges.
ICT Risk Management for DORA Compliance
– Maintain and regularly update policies, roles, KRI/KPI, risk appetite, asset inventories, maps of critical/important functions, and a vulnerability register. Reviews should be carried out at least quarterly, with a report submitted to the Management Board.
– Ensure continuous monitoring and logging, conduct backup and recovery testing (BCP/DR), and manage changes and patches. All activities must follow established policies and procedures.
ICT Incidents – Classification, Register, Reporting
– Apply consistent classification criteria, particularly for major ICT-related incidents, and use uniform materiality thresholds.
– Maintain an internal incident and threat register.
– Report to the competent authority within the required timelines:
  – Initial notification: within 4 hours of incident classification / no later than 24 hours after detection,
  – Intermediate report: within 72 hours,
  – Final report: within 1 month.
– In Poland, use UKNF channels (DORA Reporting System, incident reporting system; CSIRT KNF as the operational channel). UKNF requires LEI identification in reports.
Operational Resilience Testing
– Establish a testing program and an annual plan covering scans, scenario-based tests, performance tests, and recovery tests. Keep documented results and corrective actions.
– TLPT – if your institution is selected: such tests must be performed at least once every 3 years, with results documented.
ICT Third-Party Providers and Outsourcing
– Apply a clear policy to ICT service contracts supporting critical/important functions (minimum content requirements, accountability, audit rights, access to data/logs, data transfer terms for service termination, and subcontractor chain security).
– Contract portfolio review: quarterly (assess concentration risk and subcontractor changes).
– Contract clause review: at least annually or at contract renewal.
– Maintain a register of ICT contracts and monitor the status of critical ICT providers, including due diligence in supplier selection and oversight.
Governance and Oversight
– Conduct quarterly reviews of risk, remediation status and progress, testing outcomes, incident statuses, and third-party risk exposure.
– Build and maintain competence: have a documented annual training plan for the management board and key functions, and deliver training accordingly.
– Carry out internal audits: every 1–3 years for key DORA areas.
Threat Intelligence Sharing
– Consider participating in voluntary information-sharing initiatives (e.g., ISAC/FS-ISAC, CSIRT), while ensuring compliance with trade secrets, professional obligations, GDPR, and internal/legal requirements.
Current Priorities
– New deadlines and formats for incident reporting – align playbooks and tools accordingly.
– RTS TLPT – if you receive notification from the TLPT authority, initiate preparations in line with RTS.
– ICT contracts register – maintain complete data as required by Art. 28 and monitor announcements from the EC/ESAs and UKNF.
– Monitor RTS/ITS updates and UKNF communications.
Conclusion
Maintaining compliance with DORA, RTS, and ITS requires a structured approach to ICT risk management, incident handling, resilience testing, and supplier oversight. Regular reviews, updated procedures, and close monitoring of regulatory changes are key to ensuring compliance and operational security.