By Het Mehta
Control ID | Control Area | Requirement Description | Implementation Steps | Priority | Owner/Department | Status |
---|---|---|---|---|---|---|
Pillar 1: ICT Risk Management (Art. 5-16) | ||||||
DORA-RM-001 | Governance & Framework | Establish, maintain, and review a comprehensive, documented ICT risk management framework. (Art. 6.1) | 1. Define scope, objectives, and risk tolerance. 2. Document policies, procedures, protocols. 3. Ensure Board/Management Body approval & oversight. 4. Assign clear roles & responsibilities. 5. Review/update framework annually or upon major changes/incidents. | High | Risk/Compliance/Board | |
DORA-RM-002 | Identification | Identify, classify, and adequately document all business functions, supporting information assets, and ICT system interdependencies. (Art. 8.1-8.4) | 1. Map business processes to ICT assets (hardware, software, data, networks). 2. Identify dependencies (internal & external). 3. Classify functions/assets based on criticality (impact assessment). 4. Maintain a dynamic inventory/register. | High | Business Units/IT Ops/Risk | |
DORA-RM-003 | Risk Assessment | Conduct regular risk assessments on all ICT systems and assets, considering evolving cyber threats. (Art. 8.5) | 1. Define risk assessment methodology. 2. Identify threats and vulnerabilities. 3. Analyze likelihood and impact. 4. Document findings and risk levels. 5. Perform assessments at least annually and upon significant changes. | High | Risk/IT Security | |
DORA-RM-004 | Protection & Prevention | Implement security policies, procedures, protocols, and tools to ensure resilience, continuity, and data/system integrity. (Art. 9) | 1. Implement measures for: Network security, endpoint security, data security (encryption, DLP), access control (IAM, PAM), physical security, change management, secure coding, patch management. 2. Conduct security awareness training. | High | IT Security/CISO | |
DORA-RM-005 | Detection | Implement mechanisms to promptly detect anomalous activities and potential ICT incidents. (Art. 10) | 1. Deploy SIEM, IDS/IPS, EDR, network monitoring tools. 2. Define alert thresholds, correlation rules, and response procedures. 3. Monitor logs and events continuously. 4. Regularly test detection capabilities (e.g., simulated attacks). | High | SOC/IT Security | |
DORA-RM-006 | Response & Recovery | Establish and implement ICT response and recovery plans, including ICT business continuity (BCP) and disaster recovery (DR) plans. (Art. 11, 12) | 1. Develop incident response plan (IRP). 2. Conduct BIA to define RTO/RPO. 3. Develop BCP/DR plans for critical functions. 4. Implement backup solutions (tested regularly). 5. Define crisis communication procedures. | High | Incident Response/BCM/IT Ops | |
DORA-RM-007 | Backup & Restoration | Implement and test backup policies, restoration procedures, and redundant ICT infrastructure. (Art. 12) | 1. Define backup scope, frequency, retention. 2. Ensure backups are segregated and protected. 3. Regularly test restoration procedures to meet RTO/RPO. 4. Consider redundant/diverse systems and data centers where appropriate. | High | IT Operations/BCM | |
DORA-RM-008 | Learning & Evolving | Implement processes for monitoring, learning, and evolving from internal/external incidents and threats. (Art. 14) | 1. Conduct post-incident reviews & root cause analysis (RCA). 2. Monitor threat intelligence sources. 3. Analyze near misses. 4. Incorporate lessons learned into framework, policies, tests, and training. 5. Track remediation actions. | Medium | Risk/IT Security/IR Team | |
DORA-RM-009 | Communication | Establish communication plans for internal stakeholders and external parties (authorities, clients, public) during crises/incidents. (Art. 14) | 1. Identify communication needs for different scenarios. 2. Define roles, responsibilities, and channels. 3. Prepare communication templates. 4. Ensure plans cover internal staff, management, authorities, media, clients etc. | Medium | Communications/Legal/IR Team | |
Pillar 2: ICT-Related Incident Management, Classification & Reporting (Art. 17-23) | ||||||
DORA-IR-001 | Incident Management Process | Establish and implement an ICT-related incident management process to detect, manage, and resolve incidents. (Art. 17.1) | 1. Define process stages (detection, analysis, containment, eradication, recovery, post-incident). 2. Assign roles and responsibilities (IR Team, SOC). 3. Implement incident tracking system. 4. Train relevant staff. | High | IR Team/SOC | |
DORA-IR-002 | Incident Classification | Classify ICT-related incidents based on criteria specified in DORA and further detailed by ESAs (RTS). (Art. 18) | 1. Adopt classification criteria (clients/counterparts affected, duration, geographical spread, data losses, criticality of services affected, economic impact). 2. Implement procedures to apply criteria consistently. 3. Determine thresholds for 'major' incidents. | High | IR Team/Compliance | |
DORA-IR-003 | Major Incident Reporting | Report major ICT-related incidents to the relevant competent authority using specified templates and timelines (initial, intermediate, final). (Art. 19) | 1. Identify competent authority(ies). 2. Understand reporting timelines (e.g., initial within hours). 3. Prepare reporting templates (based on ITS). 4. Establish internal process for timely report creation, approval, and submission. 5. Test the reporting process. | High | Compliance/Legal/IR Team | |
DORA-IR-004 | Root Cause Analysis (RCA) | Conduct RCA for major ICT-related incidents to identify root causes and required improvements. (Art. 17.4) | 1. Establish RCA methodology. 2. Perform RCA promptly after incident containment/resolution. 3. Document findings and identify corrective actions. 4. Track implementation of improvements. | High | IR Team/IT Security/Risk | |
DORA-IR-005 | Client Notification | Notify affected clients/counterparts without undue delay if a major incident impacts their financial interests. (Art. 19.3) | 1. Define triggers and criteria for client notification. 2. Prepare communication templates and channels. 3. Coordinate with Legal, Compliance, and Communications. 4. Document notifications made. | High | IR Team/Legal/Comms | |
DORA-IR-006 | Voluntary Threat Notification | Establish procedures for considering voluntary notification of significant cyber threats to authorities. (Art. 19.4) | 1. Define criteria for 'significant' threats. 2. Establish internal assessment and decision process. 3. Identify appropriate reporting channels. | Medium | IT Security/Threat Intel | |
Pillar 3: Digital Operational Resilience Testing (Art. 24-27) | ||||||
DORA-RT-001 | Testing Programme | Establish, maintain, and review a risk-based digital operational resilience testing programme. (Art. 24) | 1. Define scope, methodologies, frequencies for various tests (VA scans, pen tests, BCP/DR tests, performance tests, etc.). 2. Integrate testing into the ICT risk management framework. 3. Document the programme. 4. Ensure tests cover critical systems/functions. | High | IT Security/Risk/Audit | |
DORA-RT-002 | Basic Resilience Testing | Perform appropriate tests annually (or more frequently) covering critical ICT systems and applications. (Art. 25) | 1. Conduct vulnerability assessments/scans. 2. Perform network security assessments. 3. Test physical security controls. 4. Conduct source code reviews (if applicable). 5. Test BCP/DR plans (tabletop, functional, failover). | High | IT Security/BCM/IT Ops | |
DORA-RT-003 | Threat-Led Penetration Testing (TLPT) | Perform advanced TLPT at least every 3 years if identified as requiring it (based on criteria in Art. 26). | 1. Determine applicability based on size, profile, criticality. 2. Define scope based on critical functions. 3. Use TIBER-EU or equivalent framework. 4. Select qualified, independent, certified testers. 5. Report findings/remediation to authorities. | High | IT Security/CISO/Compliance | |
DORA-RT-004 | Remediation & Validation | Prioritize, address, and remediate findings from testing activities and validate fixes. (Art. 25.7) | 1. Develop remediation plans with timelines/owners. 2. Track progress. 3. Validate effectiveness of corrective actions (e.g., re-testing). 4. Report remediation status to management/board. | High | IT Security/IT Ops/AppDev | |
Pillar 4: ICT Third-Party Risk Management (Art. 28-44) | ||||||
DORA-TPRM-001 | TPRM Strategy & Policy | Adopt and regularly review a strategy on ICT third-party risk, including for critical providers (CTPPs). (Art. 28.2) | 1. Define overall TPRM strategy and policy. 2. Integrate TPRM into the overall ICT risk framework. 3. Ensure Board approval and oversight. 4. Define roles and responsibilities. | High | Risk/Vendor Mgmt/Board | |
DORA-TPRM-002 | Register of Information | Maintain and update a register of information on all ICT third-party contractual arrangements. (Art. 28.3) | 1. Identify all ICT TPPs. 2. Collect required info (service, criticality, contract details, data location, sub-outsourcers, CTPP status etc.). 3. Establish/maintain centralized register. 4. Distinguish critical/important functions. | High | Procurement/Vendor Mgmt/Risk | |
DORA-TPRM-003 | Pre-Contracting Due Diligence | Assess risks before entering into ICT third-party contracts, especially for critical/important functions. (Art. 28.4) | 1. Assess provider's suitability, capabilities, security posture. 2. Evaluate potential conflicts of interest. 3. Assess concentration risk. 4. Review provider's compliance/certifications. | High | Vendor Mgmt/Risk/IT Security | |
DORA-TPRM-004 | Contractual Requirements (Critical Functions) | Ensure contracts for critical/important functions include specific clauses mandated by DORA. (Art. 30) | 1. Review/update contract templates. 2. Include clauses on: service description, locations, SLAs, security measures, monitoring, audit rights, incident reporting, sub-outsourcing conditions, exit strategies, CTPP cooperation. | High | Legal/Procurement/Vendor Mgmt | |
DORA-TPRM-005 | Ongoing Monitoring & Audit | Continuously monitor risks and performance of ICT TPPs supporting critical/important functions. Exercise audit rights. (Art. 28.6, 30.3.e) | 1. Define monitoring metrics/frequency. 2. Review provider reports, certs, audit results. 3. Conduct periodic risk assessments. 4. Plan and execute audits/inspections (on-site or documentation-based). | High | Vendor Mgmt/IT Security/Audit | |
DORA-TPRM-006 | Concentration Risk Assessment | Identify and assess ICT concentration risk at entity and sub-sector level. (Art. 29) | 1. Analyze dependencies on single TPPs or closely connected TPPs. 2. Assess risk of multiple contracts with same CTPP. 3. Consider geographical concentration. 4. Report significant concentration risks to authorities. | High | Risk/Vendor Mgmt | |
DORA-TPRM-007 | Exit Strategies | Develop, document, and test exit strategies for TPPs supporting critical/important functions. (Art. 28.8) | 1. Define exit scenarios. 2. Plan transition (in-house/alternative provider). 3. Identify challenges/mitigation. 4. Test exit plans periodically (e.g., feasibility analysis, tabletop). | Medium | Vendor Mgmt/IT Ops/Risk | |
DORA-TPRM-008 | CTPP Oversight Cooperation | Cooperate fully with Lead Overseers during oversight activities related to designated CTPPs. (Art. 31-44) | 1. Identify designated CTPPs used. 2. Respond to information requests from Lead Overseers via competent authority. 3. Facilitate inspections/investigations if required. | High | Compliance/Legal/Vendor Mgmt | |
DORA-TPRM-009 | Sub-outsourcing Risk | Assess and manage risks related to sub-outsourcing by ICT TPPs, particularly for critical/important functions. (Art. 30.7) | 1. Ensure contracts specify conditions for sub-outsourcing (approval, location). 2. Require TPPs to oversee their sub-outsourcers. 3. Include sub-outsourcing in risk assessments and audit rights. | Medium | Vendor Mgmt/Risk/Legal | |
Pillar 5: Information Sharing Arrangements (Art. 45) | ||||||
DORA-IS-001 | Participation in Sharing | Establish arrangements to participate in trusted communities for sharing cyber threat information and intelligence. (Art. 45.1) | 1. Identify relevant communities (e.g., FS-ISAC, national CSIRTs). 2. Define policies/procedures for secure sharing (protecting confidentiality/data). 3. Assign roles for participation. | Medium | IT Security/Threat Intel/Legal | |
DORA-IS-002 | Notification of Participation | Notify competent authorities upon validation of participation in information sharing arrangements. (Art. 45.5) | 1. Document participation details. 2. Follow authority guidelines for notification. | Low | Compliance/Legal | |
DORA-IS-003 | Utilizing Shared Information | Implement processes to utilize shared information to enhance digital operational resilience. (Art. 45.4) | 1. Integrate received IoCs/TTPs into detection/prevention tools. 2. Use intelligence for risk assessments and testing scenarios. 3. Adapt defenses based on shared insights. | Medium | IT Security/Threat Intel/Risk | |
DORA-IS-004 | Protection During Sharing | Ensure information sharing complies with relevant legislation (e.g., GDPR) and protects business confidentiality. (Art. 45.2) | 1. Establish rules of engagement within sharing communities. 2. Implement procedures for anonymization/aggregation where necessary. 3. Obtain legal review of sharing procedures. | Medium | Legal/Compliance/IT Security | |