
Quick-Check DORA for the Management Body
Key questions to avoid critical findings from internal audit, external auditors and BaFin
Governance & DOR Strategy
Is there a clearly formulated DOR strategy, approved by the management body, which defines objectives, responsibilities and risk tolerances in measurable terms?
If NO → typical finding: “Strategy unclear”, “Board accountability not implemented”.
Does the management body receive a quarterly, KPI-based DORA report covering resilience, risks, incident data, third parties, testing and CIFs?
If NO → risk: lack of steering, breach of DORA.
Critical or Important Functions (CIFs)
Is the methodology for identifying critical and important functions clearly documented, process-based and approved by the board?
If NO → typical finding: “CIFs not plausible / incomplete”.
Is there a complete, up-to-date CIF inventory including all supporting systems, data, interfaces and third parties?
If NO → risk: incorrect scope for BCM, SIEM, incident reporting obligations and outsourcing.
Inventories & Dependencies
Is there a complete, regularly reconciled inventory of all functions, processes, ICT assets and data – including dependencies on service providers?
If NO → typical findings: “Inventories incomplete”, “Dependencies not documented”.
Are there data-quality controls (DQ checks) for inventories?
If NO → risk: inconsistent risk assessments, incorrect incident classification.
Third-Party Lifecycle & Risk Analyses
Are systematic risk analyses carried out before contract signature, taking into account ICT, operational, legal, geopolitical and resilience risks in a 360-degree view?
If NO → typical finding: “Due diligence formal, not substantive”.
Is there ongoing monitoring with clear KPIs, audit rights, testing obligations and an annual reassessment?
If NO → typical finding: “Monitoring inadequate”.
Subcontracting Chains
Is full transparency of service providers’ subcontracting chains available (levels 1 to n)?
If NO → typical finding: “Subcontractor data incomplete”.
Are contractual mechanisms in place requiring timely notification of changes to the subcontracting chain?
If NO → risk: missing control path, non-compliance with DORA.
CTPPs, Substitutability & Exit Plans
Have all services of the 19 CTPPs been identified and assessed for substitutability, dependency and CIF relevance?
If NO → risk: “CTPP risks not fully assessed”.
Does a realistically tested exit plan exist for every CIF-relevant CTPP service?
If NO → major gap against DORA, high audit risk.
Protection & Prevention (Cyber Hygiene)
Is vulnerability and patch management fully automated, with defined deadlines and demonstrable adherence?
If NO → typical finding: “Patch management not effective”.
Are segmentation, encryption and privileged-access management documented and tested?
If NO → risk: severe cyber findings in the audit report.
Detection & SIEM / Incident Response
Are all CIF-relevant systems fully integrated into SIEM, including log protection and a use-case framework?
If NO → one of the most frequent detection findings.
Is there demonstrable 24/7 incident-response capability with defined escalation paths?
If NO → risk: delayed incident reporting, breach of DORA.
ICT Business Continuity (BCM), RTO/RPO & Resilience Testing
Are BIA results (RTO/RPO) fully reflected in contingency plans and verifiably achievable through realistic testing?
If NO → typical finding: “BIA not operationalised”.
Are resilience tests (including service providers) conducted and documented annually?
If NO → risk: missing evidence, breach of DORA.
Incident Reporting Quality & Reporting Framework
Are DORA incidents correctly classified, reported on time and subject to internal quality assurance before submission?
If NO → typical finding: “Reporting quality inadequate”.
Is the institution already using the new standard formats/API channels (ESA JSON) for automated reporting?
If NO → higher error rate, increased supervisory criticism.
Executive Summary for the Management Body
If three or more of these ten topics show red flags (“NO”), there is a significant risk of:
- Findings by internal audit
- Serious findings from the statutory external auditor
- Supervisory authority findings during DORA inspections and measures (follow-up inspections, orders, reporting obligations)