
Source extracts — Regulation (EU) 2022/2554 Digital Operational Resilience Act (January 2025 application)

Operational Reports · Published January 17, 2025 · Coverage focus 2025 · Updated November 14, 2025

  • Article 5 places accountability for ICT risk on the management body, and Article 6 obliges financial entities to maintain a sound, documented ICT risk-management framework; Articles 8 to 11 spell out its identification, protection and prevention, detection, and response and recovery elements, and Article 6(8) requires a digital operational resilience strategy that sets the entity's ICT risk tolerance and is reviewed for continuous improvement. CISOs should bind asset inventories, dependency maps, and resilience metrics into a single governance register that feeds supervisory reporting.
  • Articles 17 to 20 harmonise incident management, classification, and reporting: major ICT-related incidents must be reported to the competent authority in three stages (initial notification, intermediate report, final report). The timelines are fixed by the reporting RTS (Commission Delegated Regulation (EU) 2025/301): initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the latest intermediate report. Response teams must script regulator notification packs and assign market-specific leads so these deadlines are never missed.
  • Articles 24 to 27 require digital operational resilience testing: Article 25 covers vulnerability assessments, scenario-based tests and similar exercises for all entities, and Article 26 requires threat-led penetration testing (TLPT) at least every three years for entities identified by their competent authority, with a summary of findings and a remediation plan submitted afterwards. Testing leads should prioritise intelligence-led red teaming for critical or important functions and ensure remediation evidence is captured for supervisory reviews.
  • Articles 28 to 30 mandate ICT third-party risk controls. Article 30 lists the key contractual provisions, including service descriptions, data locations, access, inspection and audit rights, termination rights, exit support, and conditions on subcontracting; Article 28(3) requires a register of information covering all contractual arrangements with ICT third-party providers, flagging those that support critical or important functions; Article 28(8) requires exit strategies for those services. Procurement should retrofit master services agreements with the Article 30 clauses and keep the Article 28 register current, with the critical-or-important-function classification and exit plans recorded against each provider.

Source extracts — ESAs first batch of DORA policy products (January 2024)

  • The joint EBA/EIOPA/ESMA package, published on 17 January 2024, delivers final draft technical standards on the ICT risk-management framework (including the simplified framework), the classification of ICT-related incidents, the policy on ICT services supporting critical or important functions, and the register of information. Compliance teams must map the RTS/ITS data fields into tooling now so go-live on 17 January 2025 does not require manual reconciliation.
  • The classification RTS fixes the criteria that make an incident "major" (clients and counterparts affected, duration and service downtime, geographical spread, data losses, criticality of services affected, and economic impact), and the register-of-information ITS requires ICT providers to be identified by LEI; the content, timelines and templates for incident reports followed in the second batch of July 2024. SOC tooling should collect these classification attributes at detection time to avoid retrofitting reports.
  • The package applies DORA's proportionality principle (Article 4 and the simplified framework of Article 16): smaller entities may scale their obligations, including the testing programme, to their size and risk profile, but must document the rationale. Risk owners should log proportionality decisions and secure management-body approval before tailoring controls to avoid supervisory findings.