
The DORA regulation is a major challenge for the European financial market. In more than 100 pages of the document and in another 10 supplementary texts of two packages of Regulatory Technical Standards (RTS), the European legislator has set an extensive and elaborate task for financial players. Although difficult and complex, the challenge is manageable, especially with the right tools.
Important dates related to the DORA regulation
The Financial Sector Digital Operational Resilience Act unifies the approach to the provision of ICT services at the European Union level. Prior to its introduction, diverse laws and regulations across member states could affect the competitiveness of financial entities from different countries. The lack of uniformity in legislation made it difficult to adequately understand and monitor risks, including those arising from concentrated reliance on ICT service providers. DORA introduces an appropriate oversight framework, enabling continuous monitoring of the activities of key ICT service providers for financial entities while ensuring the confidentiality and security of customer data.
The text of DORA was published in the Official Journal of the European Union on January 16, 2023. The first part of the RTS prepared by the European Supervisory Authorities (ESA) was presented on January 17, 2024. The second part of the RTS was published on July 17.
The DORA regulation became effective for all covered entities on January 17, 2025. From that point on, all financial entities have to comply with the new regulations on digital operational resilience. The ESA also began active oversight activities in 2025, including designating critical third-party providers and monitoring their compliance with DORA. Staggering the entry of DORA into law according to this timetable aimed to ensure a smooth transition and prepare the financial sector for the new requirements, minimizing operational risks and strengthening digital security.
Given the timeline outlined, it is useful to have a work plan for implementing DORA in the organization. The work must include gathering documentation, mapping assets, safeguards, processes, and then moving on to activities related to appropriate risk management. We have prepared a schedule for you to download to help you think through the next steps in preparing for DORA.
Liability for non-compliance with DORA
According to Article 5 sec. 2(a) of DORA, the inalienable responsibility for managing a financial entity’s ICT third-party risk and ensuring digital operational resilience lies with the board of directors. These individuals have a number of obligations imposed on them that they must fulfill in order to ensure compliance with DORA. These include training and putting in place appropriate processes and procedures or tools. The result of these activities should be an increased awareness of ICT risks in management and the organization as a whole, and the development of good cybersecurity hygiene practices.
Governance, Risk and Compliance tools
The use of GRC (Governance, Risk, and Compliance) tools may grow faster than ever in the near future. Every representative of the financial sector, with the exception of microenterprises and a few specific cases, must from January 17, 2025 meet high requirements for digital operational resilience, ICT vulnerability testing and ICT provider management. As the regulatory environment is changing and may change further in the coming years, a tool that addresses the challenge of dynamically managing compliance with it is critical for financial entities.
Management of ICT providers is addressed specifically in DORA, which requires maintaining a register of ICT suppliers that meets specific requirements.
Departments within an organization that use GRC tools
Governance, risk and compliance (GRC) management tools are designed for various departments within an organization, such as compliance, risk management, internal audit, information security management, operations management or IT. Their activities include monitoring and managing regulatory compliance, managing business risks, controlling business processes, and ensuring that organizational activities are consistent with the highest ethical and operational standards. As a result, GRC tools are relevant to many areas of an organization’s operations in order to ensure compliance, minimize risk and manage operations effectively.
GRC – an organizational approach that complies with DORA
GRC is a structured approach to managing compliance, security and IT in line with business objectives, managing risks and meeting regulatory requirements. As Article 5(1) of DORA indicates, financial entities must have an internal governance and control framework that ensures effective and prudent management of all ICT third-party risks. By integrating different perspectives such as compliance, security, and IT into a single model, companies can reduce wasted time and resources, increase efficiency, minimize the risk of non-compliance, and share information more effectively among stakeholders.
Proper implementation of GRC as an integrated ICT risk management system in accordance with DORA brings many benefits, including:
- Elimination of redundant or duplicative activities;
- More efficient and consistent implementation of business processes;
- Faster and more efficient communication and information sharing;
- More effective integration of activities in the organization and elimination of “silos”;
- Conducting operations in compliance with legal regulations;
- Reducing risks in various aspects of operations.
To implement DORA effectively, organizations must approach risk management holistically. There is a reason why Article 5(1) indicates the need to manage all ICT risks. This requires cyclical risk analysis across the organization, management of documentation, creation of cyber resilience strategies and monitoring of cyber threats. A dedicated GRC tool can significantly facilitate this process by centralizing information, documents and descriptions, making it easier to test and update systems.
Managing DORA compliance from a single cockpit
In many organizations, risk analysis is scattered across different people and departments, leading to inconsistent data and a lack of a holistic, multidimensional view of risk. This situation makes it difficult to manage ICT risks and present a complete risk assessment to the FSC.
RIG DORA is a type of GRC application that precisely meets the needs of financial entities arising from the DORA regulation. Building GRC software that represents a holistic approach required:
- Knowledge of the specifics of European Union standards and security standards from the ISO family;
- Development of a risk assessment methodology consistent with the asset-based approach required by DORA;
- Understanding the needs of compliance, security and IT departments;
- Finally, translation of the above elements into a system.
RIG DORA also addresses tasks related to GDPR and NIS2.
RIG DORA allows you to visualize the ICT security level of a financial entity on a single dashboard by aggregating the data entered into the tool by different departments of the organization. In this way, anyone managing the organization can see what level of security the entity has achieved. Managing risk by estimating, planning and analyzing its level is exactly what the Supervision Authority will check.
The implementation of RIG DORA in an organization leads to the optimization of key processes, such as document creation, risk management and the implementation of legal obligations. These activities increase the transparency of workflows, promote cooperation by eliminating information barriers, and allow various risks to be managed effectively because their level can be measured and their outcomes predicted. This is another aspect that will be subject to DORA compliance monitoring.
With the DORA Register of Information, organizations can build a complete, compliant database of ICT service providers, contractual relationships, and critical functions. This automated structure supports all key RTS reporting fields and helps streamline ongoing supervision and internal audits.
A DORA implementation that will work for the long term
With RIG DORA, it is possible to systematically manage risks in one place and guide the user step-by-step through the entire process. This allows management and other responsible parties to obtain a complete risk assessment of all the company’s ICT assets. Document archives, risk analysis and risk response plans are all available in one place, making continuous risk monitoring much easier. Investing in a system that ensures both accountability to the Supervision Authority and robust risk management can be an important milestone for the entire organization.