Step-by-step practical guides for DORA compliance
When a group entity purchases ICT services and provides them to your financial entity, your reporting approach depends entirely on whether you report individually or at consolidated level. This distinction fundamentally changes how you structure your register of information. The problem: same setup, different reporting Consider this common scenario: Group Holding owns 100% of Financial … Read more
If you're working with non-EU ICT service providers that don't have a Legal Entity Identifier, you face a practical compliance challenge. The Implementing Technical Standards (ITS) on the DORA register of information requires LEI for all legal persons established outside the EU, but many providers simply don't have one. This article explains the regulatory workaround … Read more
The Problem: When Technology and Regulation Collide The DORA register of information is central to the new European legislation for digital operational resilience. Financial institutions must map and report their complete ICT supplier landscape. However, there's a fundamental problem: the register's technical data model doesn't support a risk-based approach, while DORA specifically prescribes this. Binary … Read more
Defining business functions is a central requirement under the Digital Operational Resilience Act (DORA). As part of building your ICT risk management framework, you must identify the business functions your organization performs, determine their criticality, and map their dependencies. This exercise is essential because functions are the anchor point for risk assessment, impact analysis, and … Read more
The Digital Operational Resilience Act (DORA) requires the use of function identifiers (F keys) in schema 06.01, which seems simple at first — but quickly becomes complex. Managing these identifiers properly is critical for maintaining consistency across linked schemas like 02.02. Understanding function identifiers (F keys) In schema 06.01, each business function must be assigned … Read more
If you're preparing your DORA Register of Information submission, you need to understand the identifier requirements for ICT third-party providers in template B_05.01. The Implementing Technical Standards (ITS) on the DORA register of information requires valid identifiers for all ICT providers you report, including both direct providers and indirect suppliers in the service chain. Which … Read more
The challenge When completing the Digital Operational Resilience Act (DORA) information register, you must specify the type of each contractual arrangement: standalone, overarching, or subsequent/associated. This classification must be recorded in template RT.02.01, column RT.02.01.0020 'Type of contractual arrangement'. But how should you handle this for a typical ICT service where agreements are spread across … Read more
If you're grappling with the Digital Operational Resilience Act (DORA) register, you've probably wondered about the financial data requirements. What exactly do you need to report? And how can you make this data collection work smoothly? This article breaks down the specific reporting requirements, explains why they matter, and offers practical advice to help you … Read more
