How do you distribute responsibility? How do you stop DORA work from living in a spreadsheet nobody updates? How do you ensure that management and the board can demonstrate what is actually being done?
That is what this article is about.
DORA is not a project — it is a governance programme
The most common mistake is treating DORA compliance as a one-off project with an end date. That is understandable: the regulation came into force at a specific point, and many organisations mobilised to be "ready" by January 2025.
But DORA is designed as an ongoing governance programme. The requirements around incident reporting, third-party monitoring, and the register of information are not boxes you tick once — they are processes that must function continuously, be updated when circumstances change, and be verifiable by the supervisory authority at any time.
That means organisations that built their DORA compliance as a project often find themselves with something that is not sustainable. The documentation exists, but nobody owns it. The register was created, but is not being maintained. The incident process is described, but has never been tested.
The five pillars — and where the work actually stalls
DORA is built around five areas: ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing. Most organisations have a reasonable picture of what each area requires. What is harder is making them work together in practice.
There are three areas where we consistently see organisations get stuck.
The register of information. The register of information is technically a documentation requirement, but in practice it is a data quality problem. The register must reflect reality — which vendors are in use, which functions they support, how dependencies are structured. That requires procurement, IT, legal, and the business to communicate with each other, and for that information to be kept current when contracts are signed, amended, or terminated. It does not work as an annual exercise.
Incident classification. DORA requires organisations to determine whether an incident is "major" within very tight timeframes — the initial notification must be submitted within four hours of classification. That presupposes that the classification criteria are understood, that the process is defined in advance, and that the right people can be activated quickly. A process that only exists in a document will not hold under pressure.
Accountability at management level. DORA places clear responsibility at leadership level. It is not sufficient for the compliance function to own the programme — management must be able to demonstrate that they understand and actively govern ICT risks. That requires reporting structures, escalation paths, and a clear picture of how information flows upward in the organisation.
What a structured programme actually looks like
A sustainable DORA programme has three characteristics that distinguish it from a one-off project.
Clear ownership. Every requirement area has a named owner with the mandate to drive the work. That does not mean the compliance function owns everything — the register of information is often best owned by procurement or IT, the incident process by the security function, with compliance as the coordinating party.
Processes tied to events, not to the calendar. Register updates happen when contracts are signed, not once a year. The incident process is activated by actual events, not by an annual report. That requires DORA requirements to be embedded in existing workflows, not running parallel to them.
Documentation that can be demonstrated. The supervisory authority can request to see how an organisation manages its DORA compliance. That means documentation must be current, traceable, and legible — not merely existing. An audit trail showing who changed what and when is more valuable than a perfect document with no history.
What management needs to be able to show
A question that comes up regularly in our customer dialogues is how to present DORA status to the board. Supervisory authorities expect management to actively govern ICT risks, not simply delegate them. That means the board needs an ongoing view of compliance status, open action points, and how the organisation is managing its critical third-party dependencies.
That is difficult to deliver from a spreadsheet. It requires a structure that produces that picture continuously, not just ahead of a board meeting.
Want to see what a structured DORA programme looks like in practice?
Hy5 operationalises DORA compliance in one connected system — from the register of information and incident management to continuous status reporting for management and the board. Used by financial organisations to manage DORA without parallel manual processes.
Hy5 dramatically increases speed and reliability in compliance work. Across the entire company.
