The “DORA in Control” document describes an industry framework that translates the requirements of the EU Digital Operational Resilience Act (DORA) and related RTS/ITS into a set of 95 practical controls grouped into 8 domains for financial organizations. The goal of the NOREA report is to make DORA practically executable, from the strategic level (governance, risk appetite, digital resilience strategy) down to engineering solutions (SIEM, TLPT, IAM, redundancy, third‑party risk).
From “Security” to Operational Resilience
The authors highlight a shift of focus in the financial sector: from narrow “cybersecurity” to broader digital operational resilience, where not only attack prevention matters but also the ability to withstand, detect, recover from, and adapt to ICT disruptions. DORA is embedded in a wider package of EU acts (NIS2, CER, CRA, Cybersecurity Act) but acts as lex specialis for the financial sector, setting detailed mandatory rules instead of NIS2’s general principles.
Objectives and Architecture of DORA
Regulation (EU) 2022/2554 consolidates fragmented ICT requirements into five core pillars: ICT risk management, incident management and reporting, digital resilience testing, ICT third‑party risk management, and threat information‑sharing. Additional detail is provided via level‑2 legislation (7 RTS and 2 ITS) that cover incident classification, the ICT third‑party services register, TLPT, and subcontracting of critical functions.
Principles, Opportunities, and Implementation Challenges
DORA’s approach is fundamentally proportional and principles‑based: requirements scale according to size, risk profile, and criticality of functions, with specific simplifications for micro‑enterprises. This creates opportunities (stronger customer trust, competitive advantage, demonstrable recoverability) but also serious challenges, such as the need to interpret norms across legal, IT, and business domains and the risk of “checkbox compliance” that fails to address root causes.
The DORA in Control Framework
NOREA has developed a practical framework with 8 domains, 28 sub‑domains, and 95 controls, each directly mapped to DORA articles and RTS/ITS and integrated with the DNB information security maturity model. The framework is designed as a “living” tool with versioning (up to v3.2 in 2025), a visual progress dashboard, and mappings to the DNB Good Practice for Information Security and DNB DORA questionnaires.
Key Domains and Focus Areas
- Governance & Risk Management (GRM): Management body accountability, digital resilience strategy, ICT risk framework, residual risk, and an internal ICT audit function.
- Operational & Continuity Management (OM/CM): Asset inventory and criticality, change management, OTAP/DTAP, BIA, BCP/DRP, scenario‑based failure testing and provider‑failure simulations.
- Incident & Resilience Testing (IM/RT): “Major incident” classification, three‑stage regulatory reporting, process‑driven incident response, a risk‑based test program, and TLPT aligned with TIBER‑like practice.
- Third‑Party Risk Management (TPRM): Due diligence, standard and critical contracts, a comprehensive contract register, exit strategies, and full supply‑chain subcontractor management.
- Security Management (SM): Network architecture and segmentation, SIEM and logging, data and legacy protection, cryptography, IAM/PAM, physical security, awareness, and vulnerability/patch management.
Four‑Step Path to DORA Readiness
The authors propose embedding DORA into a project structure via four sequential steps: identifying critical/important functions and supporting ICT infrastructure, performing a risk assessment on that infrastructure, running a gap analysis using the DORA in Control framework, and building a roadmap to close gaps and eliminate root causes. A key emphasis is that the management body must directly sponsor and supervise the program and actively manage dependencies on critical third‑party providers across the entire chain.
Practical Value for Financial Institutions
The framework addresses three needs at once: it makes DORA understandable for a broader audience, provides a structure for gap assessments and supervisory reporting, and introduces an engineering view focused on real ICT improvements rather than purely formal compliance. The authors stress that, given the expected supervisory demand for documented gap analyses and roadmaps, DORA in Control is likely to become a de facto standard for regulatory dialogue and demonstration of digital operational resilience.