DORA Implementation in Financial Institutions

DORA Implementation in Financial Institutions – Gain an advantage through effective DORA implementation.

Discover the key benefits and exceptional value of our DORA regulation implementation services, designed to support your compliance and security.

Expertise in DORA audits.

Professional audits enable precise assessment of compliance with DORA and identify areas needing improvement, ensuring operational security.

Comprehensive training for teams.

Training tailored to the needs of the organisation helps teams understand DORA requirements and implement best practices, enhancing employee skills.

Support during the implementation process.

We offer personalised support at every stage of DORA implementation, ensuring smooth and effective compliance with all regulatory requirements.

Our DORA Implementation Services Offerings

Find out how our audits, training, and support can help your company meet the requirements of the DORA regulation.

DORA Compliance Audit

We conduct a detailed analysis to assess the degree of your organisation’s compliance with the regulatory requirements.

Specialist Training

We organise dedicated training sessions that will prepare your team for the effective implementation of DORA.

Implementation Support

We offer comprehensive advisory services and support in implementing compliance processes with DORA regulations.

How is the implementation of DORA carried out?

We present a detailed process for implementing the DORA regulations to facilitate compliance and ensure your organisation meets the requirements.

Stage One: Compliance Audit

We conduct a comprehensive audit that identifies areas requiring adjustment to meet DORA requirements, creating a foundation for further action.

Stage Two: Training and Support

We deliver specialised training and provide expert support to prepare the team for effective regulatory compliance.

Stage Three: Implementation and Monitoring

We implement dedicated solutions and monitor their effectiveness, ensuring continuous compliance with DORA regulations.

DORA ICT Risk Management and ICT Operational Resilience, aligned with the Digital Operational Resilience Act (EU 2022/2554) and the Regulatory Technical Standards (RTS) & Implementing Technical Standards (ITS).

DORA ICT Implementation Methodology (End‑to‑End)

Aligned with Articles 5–15, 17–23, 26–30, 32–33, 41–43 of DORA + RTS/ITS

Implementation follows six major phases, each with clear deliverables and milestones.

PHASE 1 — Initiation & Governance Setup

Objectives
  • Establish governance for DORA implementation.
  • Define scope, roles, responsibilities, and oversight.
  • Identify critical ICT services and dependencies.
Key Activities
  • Appoint DORA Programme Lead and Steering Committee.
  • Define DORA implementation scope (ICT, suppliers, processes).
  • Identify critical functions (per Article 3(22)).
  • Map internal/external stakeholders.
  • Approve project plan and communication plan.
Deliverables
  • DORA Programme Charter
  • Governance & RACI Matrix
  • Scope Statement (ICT, suppliers, services)
  • Stakeholder Register
Milestone

M1: DORA implementation formally launched

PHASE 2 — Gap Assessment & Regulatory Mapping

Objectives
  • Assess current maturity vs DORA Articles + RTS/ITS.
  • Identify gaps in ICT risk management, incident reporting, testing, and supplier oversight.
Key Activities
  • Perform DORA gap analysis across:
    • ICT risk management (Art. 5–15)
    • ICT incident management (Art. 17–23)
    • Digital operational resilience testing (Art. 24–27)
    • ICT third‑party risk management (Art. 28–30)
    • Information sharing (Art. 41–43)
  • Map existing controls to RTS/ITS requirements.
  • Identify regulatory obligations by entity type (financial entity, ICT provider).
Deliverables
  • Gap Assessment Report
  • Regulatory Mapping Matrix
  • Prioritised Remediation Roadmap
Milestone

M2: Gap analysis completed and roadmap approved

PHASE 3 — ICT Risk Management Framework (Core DORA Requirements)

Objectives
  • Build or enhance the ICT Risk Management Framework (IRMF).
  • Implement mandatory policies, processes, and governance.
Key Activities
  • Develop/upgrade:
    • ICT Risk Management Policy
    • ICT Asset Inventory & Classification
    • ICT Change Management
    • ICT Project & Architecture Governance
    • Logging & Monitoring Framework
    • ICT Business Continuity & Disaster Recovery
    • ICT Security Controls (access, network, data, identity)
  • Implement risk assessment methodology aligned with DORA.
  • Define KRIs, KPIs, and reporting dashboards.
Deliverables
  • ICT Risk Management Framework
  • ICT Asset Inventory
  • Updated ICT Policies & Procedures
  • Risk Assessment Methodology
Milestone

M3: ICT Risk Management Framework implemented

PHASE 4 — ICT Incident Management & Reporting (RTS/ITS)

Objectives
  • Implement DORA‑compliant incident classification and reporting.
  • Ensure readiness for 24h early warning and 72h reporting.
Key Activities
  • Implement:
    • ICT Incident Management Policy
    • Incident classification (major/significant)
    • Incident register
    • Reporting templates (RTS/ITS)
    • Communication & escalation matrix
  • Conduct incident response exercises.
Deliverables
  • Incident Management Procedure
  • Incident Classification Matrix
  • Reporting Templates (Early Warning, Intermediate, Final)
  • Exercise Reports
Milestone

M4: Incident management & reporting fully operational

PHASE 5 — Digital Operational Resilience Testing (DORT)

Objectives
  • Implement proportionate testing aligned with DORA Articles 24–27.
  • Prepare for TLPT (Threat‑Led Penetration Testing) if applicable.
Key Activities
  • Implement annual testing programme:
    • Vulnerability assessments
    • Penetration testing
    • Scenario‑based testing
    • Table‑top exercises
    • Disaster recovery tests
  • For entities in scope:
    • Prepare for TLPT (aligned with TIBER‑EU).
Deliverables
  • Annual Testing Plan
  • Test Reports
  • TLPT Readiness Assessment (if applicable)
Milestone

M5: Digital operational resilience testing programme operational

PHASE 6 — ICT Third‑Party Risk Management (TPRM)

Objectives
  • Implement DORA‑compliant supplier lifecycle management.
  • Ensure contracts meet mandatory DORA requirements.
Key Activities
  • Build or enhance:
    • Supplier classification (critical vs non‑critical)
    • Due diligence process
    • Ongoing monitoring
    • Exit strategies
  • Update contracts to include:
    • SLA/KPI requirements
    • Incident reporting obligations
    • Audit & access rights
    • Sub‑outsourcing conditions
    • Data location requirements
Deliverables
  • TPRM Framework
  • Supplier Register
  • Updated Contract Templates
  • Monitoring & Reporting Procedures
Milestone

M6: DORA‑compliant TPRM framework implemented

PHASE 7 — Reporting, Training & Certification Readiness

Objectives
  • Ensure organisation is fully compliant and audit‑ready.
  • Train staff and management.
Key Activities
  • Conduct DORA readiness assessment.
  • Prepare evidence package.
  • Conduct training for:
    • ICT teams
    • Incident responders
    • Management
    • Procurement
  • Support supervisory inspections.
Deliverables
  • DORA Readiness Report
  • Evidence Package
  • Training Records
Milestone

M7: DORA compliance achieved

Typical DORA Implementation Schedule (6–12 Months)

Month    Phase      Key Milestones
1        Phase 1    Governance & scope defined
1–2      Phase 2    Gap analysis + roadmap
2–4      Phase 3    ICT Risk Management Framework
3–5      Phase 4    Incident management & reporting
4–7      Phase 5    Resilience testing programme
5–9      Phase 6    TPRM implementation
9–12     Phase 7    Readiness + supervisory preparation

  • Small entities: 4–6 months
  • Mid‑sized entities: 6–9 months
  • Large/complex entities: 9–18 months

DORA ICT Implementation Checklist (Comprehensive)

Below is a full, ready‑to‑use checklist aligned with DORA Articles and RTS/ITS.

1. Governance & ICT Risk Management (Art. 5–15)
  • [ ] ICT Risk Management Framework implemented
  • [ ] ICT governance roles defined
  • [ ] ICT asset inventory maintained
  • [ ] ICT change management implemented
  • [ ] ICT architecture documented
  • [ ] Logging & monitoring implemented
  • [ ] ICT continuity & DRP aligned with DORA
  • [ ] KPIs/KRIs defined
2. ICT Incident Management (Art. 17–23)
  • [ ] Incident classification matrix implemented
  • [ ] Incident register maintained
  • [ ] 24h early warning capability
  • [ ] 72h reporting capability
  • [ ] Final report template implemented
  • [ ] Incident response exercises conducted
3. Digital Operational Resilience Testing (Art. 24–27)
  • [ ] Annual testing plan defined
  • [ ] Vulnerability scans performed
  • [ ] Penetration tests performed
  • [ ] Scenario‑based tests performed
  • [ ] DR tests performed
  • [ ] TLPT readiness assessed (if applicable)
4. ICT Third‑Party Risk Management (Art. 28–30)
  • [ ] Supplier classification implemented
  • [ ] Due diligence process defined
  • [ ] Contract templates updated
  • [ ] Monitoring & reporting implemented
  • [ ] Exit strategies defined
  • [ ] Sub‑outsourcing controls implemented
5. Information Sharing (Art. 41–43)
  • [ ] Threat intelligence sharing policy
  • [ ] Participation in information‑sharing communities
  • [ ] Legal & confidentiality safeguards in place
6. Documentation & Evidence
  • [ ] Supervisory reporting prepared
  • [ ] All policies & procedures documented
  • [ ] Evidence of control operation retained
  • [ ] Audit trails maintained

Start implementing DORA with JDA Advisory today.

We invite you to take advantage of our audits, training, and support, which will help your company meet the requirements of the DORA regulation. Take a step towards full compliance and financial security.