
Q1. What are the deliverables / work products from the DORA compliance assessment?
A1 You will receive a DORA Audit Report containing two Parts: Part 1 complies with the format set out in the DORA requirements. Part 2 states your level of compliance with your obligations (with scores and RAG status), a list of supporting documents as evidence and a DORA Action Plan. In addition, we provide you with the completed register of information templates for the agreed number of business functions and third-party provider contractual agreements.
Q2 For a mid-sized financial entity, how long does the DORA assessment typically take from start to finish?
A2 It depends on the scope of work. At DORACompliant.com we operate on a fixed cost basis for the scope of services set out in our service catalogue. The duration of work packages ranges from 2 to 4 months of support during the DORA compliance process. On completion of the work package there will be a decision on how to proceed with any outstanding DORA compliance work, and we will assist as required based on a new fixed price work package or on a T&M basis.
Q3 Does your organisation need to be DORA compliant?
A3 You should seek expert legal advice on this matter. The DORA Regulation will be relevant for many UK-based financial organisations, either because they (directly, or indirectly through their group) deliver digital-based services to clients in the European Union and/or have an EU footprint. Further clarification on the types of financial entities in the DORA scope is set out in Article 2, para 1 and includes: credit institutions, payment institutions etc. Note that there are also size-related implications for the inclusion or exclusion of financial entities and for the extent of expected information provision.
It is possible that your organisation does not need to be DORA compliant and is therefore not subject to DORA audit or potential penalties and fines. However, if your financial organisation interacts with other UK financial organisations that are DORA compliant, then your organisation will potentially be seen as a risk and may be recorded as such on the DORA Risk Framework (i.e., you are outside 'the DORA tent'). In this situation your financial organisation may consider taking steps to align with the 'spirit of DORA' and become DORA conformed (i.e., you meet/conform to the DORA financial entity obligations, and may be audited by an independent body) and so potentially be viewed as a somewhat safer business partner (i.e., a guest within 'the DORA tent'); see our DORA-CFX service. It is possible (subject to legal advice) that you can elect for DORA Compliance to fully align with the wider community of financial entities in the UK and Europe.
Q4 What are the key ICT roles within your organisation required to support the DORA compliance assessment and is there a DORA RACI Matrix?
A4 In addition to non-ICT roles such as Legal, Compliance and Corporate Risk, there are numerous ICT roles required to contribute to the DORA compliance project. The following ICT roles are set out in the DORA Compliance Engine and map against each of the c250 obligations (as a RACI matrix) for your day one preparation, workload planning and resource allocation:
- CIO, CISO - providing the overall ICT framework (including risk), relevant strategy, policies, ownership and the communications link to board level
- Business Relationship Manager - providing the interface to business functions, setting out the names of the business functions and also defining the ICT to business communications channels
- Risk and Security Leads - providing information on risk and security operational mechanisms
- Applications Lead, Enterprise Architect, Infrastructure Lead, Network Lead - providing expertise for service mapping, resilience-related tooling and provision of evidentiary artefacts (e.g., Infrastructure and Applications High Level Design documents)
- Service and Performance Leads - providing expertise for service mapping, service architecture, tooling, agreements, service levels and provision of evidentiary artefacts (e.g., process / procedure documentation, monthly service reports, ITSM tools High Level Design and alignment to processes)
- Incident, Major Incident and Communications Managers - providing subject matter information and evidentiary artefacts
- Finance/Budget Lead - identifying spend against ICT third-party providers to help identify in-scope ICT contractual agreements
- Supplier/Vendor Manager - collating and preparing ICT contractual agreements and assisting with relevant data extraction for the register of information
Q5 How many Articles in the DORA Regulation do financial entities need to specifically record their conformance against?
A5 Within the five pillars (Articles 5 to 45) there are 28 Articles where financial entities have specific obligations. Other Articles within the five pillars cover the interworking of the DORA oversight bodies.
Q6 How is the compliance of financial entities recorded (e.g., yes/no, a number, something else)?
A6 At DORACompliant.com we utilise 0 to 5 scoring based on the time-proven ITIL service management process maturity framework (ITIL Service Design v3, Appendix H), recognising that different DORA obligations may well be at different points in their maturity progression.
Q7 What are the top challenges in completing a register of information?
A7 We have identified four key challenges, and we take the lead on or actively contribute to all of them, namely:
a. Obtaining the list of licenced activities and all business functions from the financial entity (Article 8, para 1)
b. Obtaining all of the ICT contractual agreements in place at the financial entity (Article 28, para 3)
c. Creating and agreeing the service mapping outputs with client teams and third-party providers (Article 11, para 5). We know that some financial entities use application dependency asset tracking software, and we are happy to include this information as part of service mapping
d. Creating the register of information (ITS Excel tables) from the service maps (Article 11, para 5) for the agreed number of business functions and third-party provider contractual agreements.
Q8 How best to address these challenges?
A8 You should begin to collate the information in items A7.a and A7.b above as early as possible, as both of these activities can be time consuming. Obtaining ICT contractual agreements may require going to different parts of the business for SaaS contracts (i.e., outside of the ICT budget / responsibility) and/or back to third-party and software vendors for duplicate contract agreements as needed.
Q9 We do not currently have budget for external support; is it possible to reserve a timeslot with DORACompliant.com for later in the year?
A9 Yes it is. We request a reservation fee of 15% of the agreed study price to guarantee your timeslot. Based on market discussions and their concerns over potential penalties, we anticipate that the last six months of 2024 will be fully booked by early Q2 2024.
Q10 How many ISO 27002:2022 control objectives overlap with DORA?
A10 There are 93 control objectives in ISO 27002:2022, of which 17 overlap with DORA obligations.
Q11 How well does DORA align with ISO 31000 Risk Management?
A11 The ISO 31000 standard provides useful general references for the principles, framework and process of risk management, in support of managing the ICT Risk Framework in the context of DORA.
Q12 What can our critical / major third-party providers do to assist us to become DORA compliant?
A12 Because of the scale and complexity of many of their contracts, we recommend that they launch their own project to collate their information in readiness for service mapping and entry into the register of information. Our DORA-TPP service enables us to work closely with these third-party providers to align their information with that collected from the financial entity (using the DORA-COMP service), ensuring a seamless set of information for DORA compliance auditing by the competent authority.
Q13 What is the most efficient way to amend existing third-party provider contractual agreements to include the appropriate DORA obligations?
A13 It is unlikely that existing third-party provider contractual agreements will include DORA obligations, for instance Article 39, para 6: "The critical ICT third-party service provider shall submit to on-site inspections ordered by decision of the Lead Overseer". We have created a specific project accelerator ("TPP DORA Obligations") containing the third-party provider obligations as set out within the DORA Regulation. The TPP DORA Obligations content can be presented as a Contract Change or as a new schedule to be included in the third-party provider ICT contract, subject to appropriate change control.
Q14 How is compliance assessed against complex requirements such as Article 6 paragraph 2?
A14 We hold metadata against each component and financial entity obligation of DORA, including indicators of the level of complexity. For obligations that have complex conformance requirements, we unpack them into their constituent parts, provide compliance scores at that granular level and then calculate the overall compliance score for the complex requirement.
Q15 How does the DORACompliant.com pricing model work for the services defined in the Service Catalogues?
A15 We offer a fixed price service for a fixed scope. This enables budget predictability for a large part of the overall work. Your DORA Audit Report will include the compliance scores against the c250 obligations of financial entities, a DORA Action Plan and a completed register of information for a given number of business functions and third-party provider contractual agreements. Please contact Martin, at mboyle@doracompliant.com, for more information on our price plans.
Q16 Can DORACompliant.com provide assistance in the operational resilience remedial project work?
A16 Yes. This may be with our consultants or from a trusted partner such as Horizon 7.
Q17 Our Legal team informs us that we are not subject to the DORA Regulation; however, our Board is seeking information on the extent to which we comply with DORA. What should we do?
A17 If you were to work with us using the DORA-CFX (Conformance) service, we would create a DORA Conformance Report which follows the same path as our DORA-Comp (Compliance) service and provides you with a score (and RAG status) against each of the c250 obligations of financial entities. The main difference between the two services is that the burden of documentary proof is lower for conformance than for audited compliance, and there is no register of information for conformance.