Chapter II: ICT Risk Management (Articles 5-16)
Streamline your ICT risk management and compliance operations through DORAedge by easily implementing a comprehensive ICT governance and control framework.
DORAedge helps financial entities meet their regulatory compliance obligations, from defining roles and responsibilities to tracking ICT risks, response plans, and business continuity policies. With built-in features for monitoring, documenting, and auditing your ICT risk management framework, DORAedge ensures compliance with both regulatory requirements and internal governance practices.
References to the legal text are seamlessly integrated, alongside relevant system features, to help you stay aligned with the highest standards of digital operational resilience.
Article 5: Governance and Organisation
DORAedge is built on a foundation of controls designed to meet the governance requirements outlined in this Article. It enables financial entities to track and implement relevant policies and procedures. The platform provides a clear overview of which controls have been completed, with the ability to export these for internal review or external audits. For entities lacking in-house policies, DORAedge’s Legal and Compliance partners are available to help develop these at a reasonable cost. DORAedge also supports the governance framework required for reviewing policies, ensuring compliance with regulatory requirements.
How DORAedge Assists:
Provides a framework for control tracking and policy management.
Supports policy review and oversight.
Offers access to legal and compliance expertise for policy development.
Article 6: ICT Risk Management Framework
Sections 6.1-4 DORAedge enables entities to map their internal and external IT and communication networks, covering both in-house systems and outsourced services. The platform supports the identification of risks at the contract, provider, and aggregate levels, helping organizations understand dependencies and weaknesses in their supply chain and risk framework. Automated reviews ensure that these risks are assessed and addressed as required by the regulation.
How DORAedge Assists:
Comprehensive mapping of ICT networks and providers.
Automated risk assessments and reviews to ensure ongoing compliance.
Section 6.5 DORAedge tags each entity and provider with their respective Competent Authority. This enables financial entities to easily send reports to the authority upon request or as part of their annual reporting requirements.
How DORAedge Assists:
Simplifies reporting to Competent Authorities with automated tagging and submission.
Sections 6.6-10 DORAedge offers tooling for tracking gaps in risk management frameworks, including control tracking, risk identification, contractual relationship definitions, and incident logging. While the implementation of a digital operational resilience strategy is the responsibility of the financial entity and its advisors, DORAedge facilitates the accountability and communication needed to ensure these strategies are effective.
How DORAedge Assists:
Comprehensive tracking of risk management frameworks and controls.
Enhances accountability and communication within the organization for effective risk management.
Article 7: ICT Systems, Protocols, and Tools
DORAedge requires the input of vendor information for safe handling when adding contracts. Your team’s assessment of vendor suitability ensures compliance with this Article. The system provides reminders for regular reviews, ensuring that this information is up to date.
How DORAedge Assists:
Frameworks for vendor suitability assessment.
Automated reminders for regular reviews of vendor contracts and suitability.
Article 8: Identification
DORAedge automates the documentation and classification of ICT-supported business functions, assets, and third-party dependencies. The platform continuously monitors these elements to help identify and manage cyber threats, vulnerabilities, and risk exposures. With scalable features built on proportionality, DORAedge ensures compliance with mandatory reviews, updates, and risk assessments for legacy systems and infrastructure changes.
How DORAedge Assists:
Automated documentation, classification, and monitoring of ICT assets.
Supports identification and management of cyber threats and risks.
Ensures compliance with required reviews and updates.
Article 9: Protection and Prevention
Section 9.1 DORAedge identifies the necessary controls for compliance with this Article. While the entity must design and implement specific policies and procedures, DORAedge offers a platform for storing, reviewing, and approving documents, streamlining compliance oversight.
How DORAedge Assists:
Provides document storage and review tools.
Facilitates compliance oversight with streamlined document approval processes.
Section 9.4 DORAedge includes pre-configured roles and permissions to manage access to data, ensuring appropriate levels of entry, editing, review, and approval for users.
How DORAedge Assists:
Offers role-based access control for secure data management and approval processes.
Article 10: Detection
DORAedge serves as an incident management platform with Automated Collection Points to monitor and recognize incidents. The platform integrates with external server monitoring tools to automatically generate incident reports in DORAedge.
How DORAedge Assists:
Provides an automated incident management and recognition system.
Integrates with external tools for server monitoring and incident reporting.
Article 11: Response and Recovery
Sections 11.1-2 Business continuity plans can be stored, reviewed, and approved within DORAedge as policies. However, defining and implementing these plans, and measuring their effectiveness, remains the responsibility of the entity and its advisors.
How DORAedge Assists:
Stores and tracks business continuity plans for compliance with annual review and approval requirements.
Section 11.3 DORAedge helps implement ICT response and recovery plans, ensuring that these are regularly reviewed and internally audited. The platform provides comprehensive tools for managing audit cycles and maintaining audit trails for compliance oversight.
How DORAedge Assists:
Tracks review and audit cycles for response and recovery plans.
Maintains detailed audit trails for compliance oversight.
Section 11.5 DORAedge includes a robust Risk Scenario module, allowing organizations to identify and assess risk scenarios. While DORAedge does not include a full Business Impact Analysis (BIA), it provides the necessary data and tools to help financial entities conduct their own assessments, simplifying the process and improving resilience.
How DORAedge Assists:
Risk Scenario module for identifying and assessing risk scenarios.
Provides data for conducting Business Impact Analysis.
Article 12: Backup, Restoration, and Recovery Procedures
DORAedge supports the storage and management of IT backup policies, procedures, and business continuity plans. While defining and implementing these plans is the responsibility of the entity, DORAedge ensures they are regularly reviewed and kept up to date.
How DORAedge Assists:
Stores and tracks IT backup and continuity plans.
Ensures policies are reviewed and updated within required timeframes.
Article 13: Learning and Evolving
DORAedge logs and tracks critical information on an entity’s digital operations, identifying risks and gaps in the existing network and risk framework. By centralizing accountability and transparency, DORAedge helps organizations enhance their risk posture and strengthen operational resilience.
How DORAedge Assists:
Centralizes accountability and transparency across digital operations.
Tracks historical and real-time data to improve risk posture and resilience.
Article 14: Communication
DORAedge enables entities to maintain and review communication policies, but the responsibility for developing a proper communication plan remains with the financial entity and its advisors. The platform stores and tracks these policies to ensure they are reviewed and updated regularly.
How DORAedge Assists:
Stores and tracks communication policies for regular review.
Helps ensure compliance with internal and external communication requirements.
Tabular formatting of above:
5 - Governance and organisation
Broadly, DORAedge is built on a foundation of controls to meet the requirements of each Article. A number of the controls in DORAedge may be satisfied through the development and implementation of relevant policies and procedures. Controls will show as completed or not yet completed, and this overview is exportable. If a Financial Entity does not have proper policies in place and does not want to build these in-house, DORAedge's Legal and Compliance partners can help to develop these at a reasonable cost. As a platform, DORAedge provides the governance framework for reviewing policies as required by the regulation.
6.1-4 - ICT risk management framework
After fully mapping out their internal and external Information Technology and Communication network (both in-house systems and outsourced providers for critical and non-critical services), entities may map risks at the contract and provider level, as well as in aggregate, to understand dependencies and weaknesses in their current supply chain and risk framework. In addition, the system automatically ensures these risks are reviewed and assessed as required by the regulation.
6.5 - ICT risk management framework
The system tags each entity and provider to one or more Competent Authorities, and reports can be easily sent to them directly if requested or to meet annual reporting requirements. In
6.6-10 - ICT risk management framework
DORAedge offers tooling for tracking the gaps in, and effectiveness of, an entity's risk management framework, with control tracking, risk identification, contractual relationship definitions, incident logging and reporting, etc. However, the implementation of a digital operational resilience strategy that mirrors the complexity and scope of the organization is left to the entity's own discretion and that of its external legal and compliance advisors. Assigning provider and contract owners, together with the ability to log and share incidents, leads to greater accountability and knowledge sharing in organizations that might otherwise lack the risk framework and communication channels needed to appropriately capture and share information that can be used to mitigate and prevent future risks.
7 - ICT systems, protocols and tools
For compliance with Article 7 of the regulation, DORAedge requires information about the appropriateness of the vendor for safekeeping when adding a contract. To determine a provider's suitability, we rely on your team's assessment. The system establishes frameworks and sends reminders to review this information at regular intervals.
8 - Identification
DORAedge simplifies compliance with DORA’s ICT risk management by automating the documentation, classification, and continuous monitoring of your ICT-supported business functions, assets, and third-party dependencies. It helps you identify and manage cyber threats, vulnerabilities, and risk exposures in real time, while also streamlining critical asset mapping and third-party provider management. Scalable and built with proportionality in mind, DORAedge ensures you stay compliant with mandatory reviews, updates, and risk assessments for legacy systems and major infrastructure changes—all in one intuitive platform.
9 - Protection and prevention
DORAedge helps identify the necessary controls to comply with this Article. However, the specific policies and procedures for compliance must be designed and implemented by the entity itself. DORAedge provides a platform to store, review, and approve these documents, ensuring compliance oversight remains streamlined and accessible.
9.2 - Protection and prevention
Please see (7)
9.4 - Protection and prevention
DORAedge ships with a set of Roles that address the different levels of permissions required for data-entry, editor, review, and approval levels of access.
10 - Detection
Using its Automated Collection Points, DORAedge can act as a full incident management and recognition platform. If internal processes require monitoring, we recommend server-monitoring partners whose tools can automatically create incidents in DORAedge.
11.1-2 - Response and recovery
A business continuity plan, treated as a Policy in DORAedge, can of course be maintained on the platform for review and annual approval, but the definition, implementation, and measurement of the success of this plan are up to the interpretation of the entity and its legal and compliance team/advisors.
11.3 - Response and recovery
DORAedge not only helps implement ICT response and recovery plans in line with Article 6(1), but also includes controls to verify that these plans are regularly reviewed and internally audited. The platform ensures that audit requirements are met by providing tools for tracking, storing, and managing review cycles, while maintaining comprehensive audit trails for compliance oversight.
11.5 - Response and recovery
DORAedge empowers your organization with a robust Risk Scenario module, allowing you to identify risk scenarios and treatments that feed directly into your organizational compliance score and risk overview. While the full Business Impact Analysis (BIA) isn’t included in the initial release, DORAedge provides the critical data you need—such as scenario analysis—right at your fingertips. You can easily export this information into a ready-to-use starter pack, simplifying and speeding up your BIA process. Leverage DORAedge to ensure your organization stays resilient and ready for any disruption.
11.6-10 - Response and recovery
Similar to 11.1-2, DORAedge will not carry out testing, but those Policies can be stored on the platform and tied to the relevant controls. DORAedge is the platform to capture relevant documentation for both central storage and reporting to Competent Authorities.
12 - Backup, restoration, and recovery procedures and methods
This Article can be covered through IT backup policies/procedures and business continuity plans, which the entity and its legal and compliance team/advisors can define and implement according to the complexity and scope of the organization. DORAedge can maintain these policies and continuity plans and ensure they are reviewed within the required timeframes. In addition, the system helps companies realise which external providers comply with the compatible
13 - Learning and evolving
DORAedge serves as a comprehensive platform to log and track critical information about an entity's digital operations, identifying risks and gaps within their existing network and risk framework. More than just a data repository, DORAedge centralizes accountability and transparency across your supply chain, contracts, dependencies, and risks. By capturing both historical and real-time data in one place, it empowers organizations to enhance their risk posture and operational resilience.
14 - Communication
Entities shall determine, based upon their complexity and scope, the proper communication plan(s) required to appropriately communicate required information on a need-to-know or action-required basis. These policies can be maintained and reviewed in the system, but the entity itself and its legal and compliance team/advisors will need to develop a plan that works best for them.