Control BaselineEU

EU DORA ICT Risk Management Baseline

A control library you can implement, test, and audit.

Built from DORA Chapter II + the Level 2 RTS for ICT risk management tools and simplified framework.

Back to main artifactReview sources
Author
Sorena AI
Published
Feb 23, 2026
Updated
Feb 23, 2026
Sections
9

Structured answer sets in this page tree.

Primary sources
2

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Feb 23, 2026
Updated Feb 23, 2026
Overview

DORA Chapter II expects a coherent ICT risk management framework, not a stack of disconnected policies. The easiest way to ship compliance is to build a control baseline: control -> owner -> acceptance criteria -> evidence. This page provides an implementation-ready baseline you can adapt by proportionality and connect to incident reporting and testing programs.

Section 1

Baseline architecture: how to structure your DORA control library

Build the library around control families that match how systems fail and how supervisors ask questions: inventory -> protect -> detect -> respond -> recover -> learn.

Use one evidence model across all families: logs + reports + approvals + tests.

  • Control statement: what the control does and why it exists.
  • Acceptance criteria: measurable "done looks like" conditions.
  • Evidence: where proof lives and how it's exported (screenshots, tickets, logs, reports).
  • Cadence: how often the control is tested/reviewed.
  • Proportionality: what changes under simplified frameworks or microenterprise approaches.
Section 2

Family 1 - Governance and accountability (management body oversight)

DORA ties ICT risk management to governance: management bodies define, approve and oversee the ICT risk framework and continuity planning.

Treat governance controls as evidence-producing processes (not just policies).

  • Management body approves ICT risk management framework and reviews it periodically.
  • Risk tolerance for ICT risk is defined and tracked with KPIs (availability, recovery, control exceptions).
  • Internal audit/independent review exists for key ICT response and recovery plans (non-microenterprises).
  • RACI exists across ICT risk management, incident reporting, testing, and third-party governance.
Section 3

Family 2 - Inventories and dependency mapping (Article 8 foundation)

Article 8 requires identifying, classifying and documenting ICT-supported business functions, information assets and ICT assets, and their roles/dependencies in relation to ICT risk - and reviewing at least yearly.

This is the root of almost every other DORA control: you can't protect or recover what you can't list.

  • Inventory: ICT-supported business functions and owners; critical or important functions identified.
  • Asset classification: information assets and ICT assets are classified by criticality and data sensitivity.
  • Dependency map: key systems, integrations, and third-party services supporting critical/important functions are documented.
  • Review cadence: inventory and documentation reviewed at least annually (and after major changes).
  • Evidence: CMDB exports, architecture diagrams, service catalog, and third-party dependency register linkage.
Section 4

Family 3 - Protection and prevention (reduce probability of disruption)

Protection controls reduce incident frequency and blast radius. DORA expects safeguards against intrusions and data misuse and preservation of availability, authenticity, integrity and confidentiality of data.

Implement these controls as "standards + enforcement + verification".

  • Identity and access management: least privilege, privileged access controls, review cadence, and strong authentication for sensitive systems.
  • Secure configuration and hardening: baseline configs, drift detection, and environment segregation for critical functions.
  • Change management: risk-based approvals for changes affecting critical functions; rollback plans and change windows.
  • Vulnerability management: scanning, prioritization, patch SLAs, and exception governance for critical systems.
  • Data protection: encryption, key management governance, backup protection, and integrity controls for logs and critical data.
Section 5

Family 4 - Detection and monitoring (reduce time-to-detect)

DORA expects prompt detection of anomalous activities and ICT-related incidents and identification of single points of failure.

Make detection measurable: coverage, alert quality, and time-to-detect.

  • Monitoring coverage: critical functions have telemetry (availability, latency, errors, security signals).
  • Log integrity: critical logs are protected from tampering and retention supports investigations.
  • Alert quality: false positive management, escalation rules, and on-call coverage for critical services.
  • Evidence: monitoring dashboards, alert runbooks, incident timelines, and post-incident review outputs.
Recommended next step

Turn EU DORA ICT Risk Management Baseline into an operational assessment

Assessment Autopilot can take EU DORA ICT Risk Management Baseline from turning this guidance into a repeatable review process to a reusable workflow inside Sorena. Teams working on EU DORA can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Assessment workflow
Open Assessment Autopilot for EU DORA ICT Risk Management Baseline

Start from EU DORA ICT Risk Management Baseline and turn the guidance into owned tasks, evidence requests, and review checkpoints.

Explore next step
Talk to Sorena
Talk through EU DORA

Review your current process, evidence gaps, and next steps for EU DORA ICT Risk Management Baseline.

Explore next step
Section 6

Family 5 - Response and recovery planning (Articles 11-13)

DORA requires a comprehensive ICT business continuity policy and associated ICT response and recovery plans.

Treat response and recovery as practiced operations: runbooks + exercises + measured outcomes.

  • Business continuity policy exists and covers critical functions; integrates with overall BCP (Article 11).
  • Response and recovery plans exist and are exercised; include containment measures and tailored recovery procedures (Articles 11-12).
  • Testing includes cyber-attack and switchover scenarios between primary and redundant capacity where required.
  • Post-incident reviews occur after major incidents and result in documented improvements (Article 13).
  • Evidence: tabletop exercise reports, restore testing evidence, RTO/RPO achievements, and improvement tracking.
Section 7

Family 6 - Communications and crisis management

DORA incident workflows explicitly include communication plans to staff, stakeholders and media and escalation to senior management and the management body for major incidents.

This is a control surface: clarity and speed matter during outages.

  • Crisis communications plan exists: internal staff updates, external stakeholder communications, and media handling.
  • Major incident reporting to senior management and the management body is implemented with structured summaries and action plans.
  • Evidence: comms templates, escalation logs, and management briefings tied to incident records.
Section 8

Family 7 - Proportionality and simplified framework (RTS 2024/1774)

DORA expects proportional application of controls and allows simplified frameworks for certain entities. The Level 2 RTS specifies tools, methods, processes and policies and the simplified approach.

The mistake is treating "simplified" as "uncontrolled". Your simplified framework still needs evidence and review cadence.

  • Define what is simplified: which control families are reduced and why the residual risk is acceptable.
  • Keep minimum evidence: inventories, incident records, continuity plans, and periodic reviews.
  • Document supervisory rationale: basis for simplification, approval, and review cadence.
Section 9

Evidence pack checklist (exportable, audit-ready)

If you can't export evidence quickly, you'll end up rebuilding it during supervisory requests or audits.

Use this list as your "evidence readiness" acceptance criteria.

  • ICT risk management policy set + governance approvals and periodic review minutes.
  • Inventories: ICT-supported business functions, information assets, ICT assets, dependency maps (annual review evidence).
  • Control testing results: vuln scans, patch SLAs, access reviews, configuration drift reports, monitoring coverage reviews.
  • Continuity and recovery evidence: response/recovery plans, exercise reports, restore evidence, post-incident review outputs.
  • Linkage to incident reporting (Chapter III) and testing programs (Chapter IV) so evidence is consistent.
Primary sources

References and citations

Regulation (EU) 2022/2554 (DORA) - Official Journal
eur-lex.europa.eu
Referenced sections
  • Chapter II ICT risk management requirements, including the inventory/classification foundation (Article 8) and continuity and response/recovery obligations (Articles 11-13).
Related guides

Explore more topics

DORA Applicability Test | Is EU DORA Applicable to Your Entity?
A step-by-step EU DORA applicability test (Regulation (EU) 2022/2554): determine if you are a covered financial entity under Article 2.
DORA FAQ (EU) - Scope, Deadlines, Reporting, TLPT, RoI, and Third-Party Risk
High-signal answers to the most searched DORA questions: who is in scope, when DORA applies (17 Jan 2025), what "critical or important functions" means.
DORA ICT Third-Party Risk Management + Contract Clauses | Article 28-30 + RTS 2024/1773 + RTS 2025/532
A deep guide to DORA ICT third-party risk: build the third-party risk strategy (Article 28), implement due diligence + ongoing monitoring.
DORA Major ICT Incident Reporting | Articles 17-20 + RTS 2024/1772 + 2025/301
A practical DORA major incident reporting guide: build the Article 17 and 19 workflow, apply RTS 2024/1772 classification and RTS 2025/301 timing rules.
DORA Penalties, Fines, and Enforcement | Articles 50-55 + Oversight Penalty Payments
A practical DORA enforcement guide: how competent authorities' supervisory/investigatory/sanctioning powers work (Article 50).
DORA Register of Information (RoI) - How to Build It | Article 28 + ITS 2024/2956
Build an audit-ready DORA Register of Information (RoI): define scope and relational keys.
DORA Register of Information (RoI) Template Guide | ITS 2024/2956 Annex Templates (B_01-B_07)
A practical guide to the DORA Register of Information templates: understand the ITS schema (Implementing Regulation (EU) 2024/2956).
DORA Testing & TLPT Readiness | Chapter IV + TIBER-EU Execution Guide
A deep DORA testing and TLPT readiness guide: build the Chapter IV testing program, prepare remediation and validation.
DORA vs ISO/IEC 27001:2022 | Mapping Controls, Evidence, and Audit Readiness
A deep DORA vs ISO 27001 comparison: where ISO/IEC 27001:2022 helps satisfy DORA ICT risk management and evidence expectations.
DORA vs NIS2 (EU) | Scope, Reporting, Controls, and Overlap for Financial Entities
A deep comparison of DORA and NIS2: who is in scope, what "security measures" mean, incident reporting differences, governance and enforcement posture.
EU DORA Checklist | DORA Compliance Checklist (Audit-Ready)
An audit-ready EU DORA checklist (Regulation (EU) 2022/2554): scope memo and proportionality, ICT risk management control baseline.
EU DORA Compliance Guide | DORA Implementation Playbook
A practical EU DORA compliance guide (Regulation (EU) 2022/2554): how to set up a DORA program, build an ICT risk management control baseline.
EU DORA Deadlines & Compliance Calendar | Key Dates, RTS/ITS and Cadence
A DORA compliance calendar for Regulation (EU) 2022/2554: publication, entry into force, application date, key RTS and ITS including 2024/2956, 2025/301.
EU DORA Requirements | Obligations by Workstream (ICT Risk, Incidents, TLPT, Third Parties)
A practical breakdown of EU DORA (Regulation (EU) 2022/2554) requirements: ICT risk management framework (Chapter II).
EU DORA Scope & Covered Entities | Who Is In Scope (Article 2)
A practical scoping guide for EU DORA (Regulation (EU) 2022/2554): covered financial entities (Article 2), proportionality and simplified frameworks.