DORA documents list
Examples of documents required by the DORA regulation
The DORA Regulation imposes a number of new obligations in the area of digital operational resilience for entities in the financial sector in the European Union. It requires the development of various types of documents relating to operational risk management, digital operational resilience testing, third-party risk management in the ICT industry, and information exchange. The following types of documents are required by the DORA Regulation:
Operational risk management
- ICT risk management policy in accordance with the requirements of the regulation
- Special strategies, including business continuity policy, internal and external audit plans, cyber resilience strategies
Testing digital operational resilience
- Business continuity plan testing
- Penetration tests simulating a cyber attack
- ICT system failure tests
Third-party risk management in the ICT industry
- Identification, review, and adjustment of agreements concerning the use of external ICT service providers
Exchange of information
- Procedures for the exchange of information, including the types of information and methods of exchange, as well as procedures for dealing with security breaches
These rules aim to make the EU financial sector more resilient to cyberattacks and ICT disruptions, and to protect customers from the negative effects of ICT incidents.

The risk management framework consists of 18 strategic documents.
There are 18 policies, registers, reports, and programs, which contain many components. To control the entire risk management framework, you need to know what each one contains.
You can print out the implementation material we have prepared and check off which policies you have already developed. You can see how many new documents still need to be prepared.