When granularity becomes noise in the DORA register of information

The DORA register of information requires location data per ICT service: where the service is provided, where data is stored, where data is processed. At first glance a logical requirement. But anyone who starts populating these fields with more than one country per dimension quickly discovers that the register does not add rows — it … Read more

Why DORA requires you to track every software library in your application stack

Modern software applications rely on hundreds of third-party libraries and dependencies. A single application might use dozens of open-source packages, each with its own nested dependencies. When a vulnerability emerges in any one of these components, it can cascade through your entire technology stack in hours. Log4j demonstrated the pattern clearly: a transitive library in … Read more

How to report intra-group ICT service providers in your register of information

When a group entity purchases ICT services and provides them to your financial entity, your reporting approach depends entirely on whether you report individually or at consolidated level. This distinction fundamentally changes how you structure your register of information.

The problem: same setup, different reporting

Consider this common scenario: Group Holding owns 100% of Financial … Read more

When non-EU service providers lack a LEI: the identifier workaround

If you're working with non-EU ICT service providers that don't have a Legal Entity Identifier, you face a practical compliance challenge. The Implementing Technical Standards (ITS) on the DORA register of information require an LEI for all legal persons established outside the EU, but many providers simply don't have one. This article explains the regulatory workaround … Read more

How to Map ICT Services to Business Functions: A Complete Yet Proportionate Approach

The Problem: When Technology and Regulation Collide

The DORA register of information is central to the new European legislation for digital operational resilience. Financial institutions must map and report their complete ICT supplier landscape. However, there's a fundamental problem: the register's technical data model doesn't support a risk-based approach, while DORA specifically prescribes this. Binary … Read more

ICT suppliers in DORA – which contracts must be recorded?

Recording ICT supplier contracts is a fundamental DORA requirement. But there's significant confusion about which contracts are actually in scope. This guide cuts through the complexity to give you clear, actionable answers about what needs to be in your DORA information register.

1. Which contracts are in scope?

The simple answer: Every contract with a … Read more

Illustrative example: business functions of a venture capital fund manager

Defining business functions is a central requirement under the Digital Operational Resilience Act (DORA). As part of building your ICT risk management framework, you must identify the business functions your organization performs, determine their criticality, and map their dependencies. This exercise is essential because functions are the anchor point for risk assessment, impact analysis, and … Read more

Business functions in DORA: the cornerstone of your ICT risk management

Business functions are the cornerstone of your entire ICT risk management framework. Think of it as creating a blueprint of your organization: you need to know what you do (functions), what's essential (criticality), and what each function needs to operate (dependencies). Without this map, you're managing ICT risks blindfolded.

1. What are business functions?

In … Read more

DORA for Microenterprises: Why size matters for your compliance journey

Good News for Small Financial Entities: Your DORA Compliance path is simpler than you might think

If you're a board member of a small financial entity facing DORA compliance, here's something crucial you need to know: if you qualify as a microenterprise, your compliance burden is substantially lighter. Yet many organizations rush past this opportunity, … Read more

Referential integrity

Many organizations are using Excel to set up and manage their DORA Register of Information (RoI), but Excel simply isn’t built for this task. The problem lies in the complexity of relational data. DORA expects strict links between entities, contracts, services, and providers. Excel offers none of the built-in safeguards to maintain this structure. Excel’s … Read more