From 17 January 2025, the EU’s Digital Operational Resilience Act (DORA) applies to banks, insurers, investment firms, payments/e‑money, market infrastructures and more. The law harmonises five areas: ICT risk management, incident reporting, resilience testing, ICT third‑party risk, and information sharing. If you’re a small or mid‑size financial entity, the fastest way to make this real is to get your document management system (DMS) to capture the evidence regulators and auditors will ask for.
This article shows what to file, where to file it, and when—with references to the official Level‑2 acts now in force.
What changed on 17 January 2025 (and why it matters to your evidence)
- DORA is live. ESMA confirms DORA applied as of 17 January 2025.
- Incident reporting is now time‑boxed. The ESAs’ final report sets three milestones for major ICT‑related incidents:
  - Initial notification: within 24 hours of becoming aware; if you classify an incident as major later, you must submit the initial notification within 4 hours after that classification.
  - Intermediate report: within 72 hours of submitting the initial notification (not of detection).
  - Final report: within one month of the latest updated intermediate report. There is limited relief for weekends/bank holidays, with exceptions for certain systemic entities.
- Incident classification is harmonised. Delegated Regulation (EU) 2024/1772 defines criteria and materiality thresholds for major incidents and significant cyber threats—this underpins when you must report.
- Third‑party register templates exist. Implementing Regulation (EU) 2024/2956 sets standard templates for a Register of Information (RoI) covering contracts, subcontracting chains, identifiers (e.g., LEI/EUID), functions, and impact if services stop.
- When is the register due upstream? The ESAs expect competent authorities to submit RoI data by 30 April 2025, so national supervisors have been collecting it in advance. Keep your RoI complete and exportable.
- Subcontracting scrutiny tightened. Delegated Regulation (EU) 2025/532 specifies what you must determine and assess when subcontracting ICT services supporting critical or important functions.
- TLPT is formalised. Delegated Regulation (EU) 2025/1190 sets the threat‑led penetration testing (TLPT) RTS: who must do it, scope/method, mutual recognition, and when internal testers are allowed. Not every firm will be selected, but those that are need documentary readiness.
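The incident-reporting clock in the list above is easy to get wrong in a DMS workflow (the 72h runs from the initial submission, not detection; the final report runs one calendar month from the latest intermediate). The following added example, which is not Folderit code and not from the ESAs, computes each deadline and flags late filings for the incident binder; it assumes UTC timestamps, treats the 24h-from-awareness limit as an upper bound even when classification is late, and does not model the weekend/bank-holiday relief.

```python
import calendar
from datetime import datetime, timedelta

# Milestones as summarised in the list above (UTC timestamps assumed throughout).
INITIAL_FROM_AWARENESS = timedelta(hours=24)
INITIAL_FROM_CLASSIFICATION = timedelta(hours=4)
INTERMEDIATE_FROM_INITIAL = timedelta(hours=72)


def add_one_month(moment: datetime) -> datetime:
    """Same day one calendar month later, clamped to that month's last day (31 Jan -> 28 Feb)."""
    year = moment.year + 1 if moment.month == 12 else moment.year
    month = 1 if moment.month == 12 else moment.month + 1
    return moment.replace(year=year, month=month,
                          day=min(moment.day, calendar.monthrange(year, month)[1]))


def initial_deadline(aware_at: datetime, classified_at: datetime) -> datetime:
    """24h from awareness, tightened to 4h after a later 'major' classification.
    Assumption: the 24h limit stays an upper bound even when classification comes late."""
    if classified_at < aware_at:
        raise ValueError("classification as major cannot precede awareness")
    return min(aware_at + INITIAL_FROM_AWARENESS,
               classified_at + INITIAL_FROM_CLASSIFICATION)


def intermediate_deadline(initial_submitted_at: datetime) -> datetime:
    """72h run from submission of the initial notification, not from detection."""
    return initial_submitted_at + INTERMEDIATE_FROM_INITIAL


def final_deadline(latest_intermediate_at: datetime) -> datetime:
    """One month from the latest (updated) intermediate report."""
    return add_one_month(latest_intermediate_at)


def binder_check(aware_at, classified_at, initial_at, intermediate_ats, final_at=None) -> dict:
    """Deadline and on-time flag per milestone for the incident binder.
    Weekend/bank-holiday relief is deliberately not modelled here."""
    def row(deadline, filed):
        return {"deadline": deadline, "filed": filed,
                "on_time": None if filed is None else filed <= deadline}
    result = {"initial": row(initial_deadline(aware_at, classified_at), initial_at)}
    if initial_at is not None:  # the first intermediate is due 72h after the initial
        result["intermediate"] = row(intermediate_deadline(initial_at),
                                     intermediate_ats[0] if intermediate_ats else None)
    if intermediate_ats:  # the final report runs from the latest intermediate filed
        result["final"] = row(final_deadline(max(intermediate_ats)), final_at)
    return result
```

Store the returned deadlines as metadata on the incident folder so the approval workflow can warn before a milestone, not after.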
The three evidence hubs to build in your DMS
FIRST: Major incident binder (classification → 24h → 72h → 1‑month)
Why: DORA’s RTS/ITS define what you report and when—and supervisors will want to see the paper trail, not just the final form.
What to capture in the DMS:
- Classification memo referencing 2024/1772 criteria and thresholds, plus the decision timestamp (for the “4‑hour after classification” rule).
- Initial notification draft/final with the mandatory fields (e.g., incident reference, detection date/time, basis for “major,” affected Member States), as set out in (EU) 2025/301 and (EU) 2025/302.
- Intermediate and final reports with updates and root‑cause analysis, filed against the same incident ID.
- Approvals, acknowledgements and audit logs (who drafted, who reviewed, when submitted).
How Folderit helps: Audit trails, version history, approval and acknowledgement workflows let you prove who did what and when; export the audit trail if your supervisor asks.
SECOND: ICT third‑party register & contract library
Why: DORA requires a Register of Information at entity/sub‑consolidated/consolidated levels, including subcontractors that underpin critical or important functions. Templates and instructions are in (EU) 2024/2956.
What to capture in the DMS:
- A structured register (metadata) aligned to the templates (e.g., B_01.01/B_01.02 lists, contract identifiers, function IDs, LEI/EUID, impact of discontinuation, data location, subcontractors).
- Contractual policy artefacts covering required clauses for critical/important functions per (EU) 2024/1773 (e.g., access/audit, notification, exit, data/geo, subcontracting conditions).
- Subcontracting assessments and approvals following (EU) 2025/532 (chain visibility, change notifications, termination rights if risk > tolerance).
- Export routine to your supervisor’s requested format/timeline so the authority can meet the 30 April 2025 ESA deadline.
How Folderit helps: Use metadata and templates for the register; store contracts and due‑diligence packs; rely on retention automation to keep contracts and change logs for as long as your policy requires.
THIRD: TLPT readiness file (for entities that are identified)
Why: Under (EU) 2025/1190, authorities will identify which entities must perform TLPT; the RTS sets scope/methodology, including when internal testers are allowed and conditions for mutual recognition.
What to capture in the DMS:
- Identification notice (why you were selected) and scope rationale.
- Testing pack: rules of engagement, red‑team NDA, intelligence sources, attack scenarios, scoping approvals, fixes, and closure evidence.
- Mutual recognition trail (if relying on a test done in another Member State).
How Folderit helps: Keep all TLPT artefacts together with versioning, approvals, and global audit log for an end‑to‑end story on scope → execution → remediation.
Map DORA measures to DMS capabilities (quick reference)
- ICT risk management framework → file approved policies, risk registers, evidence of reviews; (EU) 2024/1774 lists the core elements—make each element auditable.
- Incident reporting → binder with 24h / 72h / 1‑month timeline, templates from (EU) 2025/301 / 2025/302; classification notes per (EU) 2024/1772.
- Third‑party risk → RoI aligned to (EU) 2024/2956 and contractual policy per (EU) 2024/1773; subcontracting assessments per (EU) 2025/532.
- Testing → if designated, keep a TLPT pack per (EU) 2025/1190.
Folderit features to switch on:
SSO (Okta/Entra/Google), approvals, acknowledgements, retention automation, audit trails, version history—these create the evidence auditors expect.
A 30‑day setup plan for smaller teams
Week 1 – Foundations
- Publish/approve the ICT risk policy and incident policy in the DMS; enable SSO and least‑privilege roles.
Week 2 – Registers & templates
- Build the RoI as DMS metadata (fields mirroring 2024/2956 templates): contract ID, provider LEI/EUID, function ID, subcontractors, data location, impact of discontinuation.
- Create incident and supplier folders with required metadata and retention rules.
Week 3 – Incident drill
- Run a tabletop and produce an initial notification, intermediate, and final report (use placeholders) to test the 24h → 72h → 1‑month flow and approvals.
Week 4 – Third‑party & TLPT readiness
- Upload contracts; record subcontracting chains/assessments per 2025/532; add termination/exit plans.
- If your authority has indicated TLPT eligibility, assemble a TLPT readiness file (scope, scenarios, closures).
Frequently asked questions
Do small firms have to do TLPT?
Only if identified under (EU) 2025/1190. The RTS sets criteria for selection and the required methodology; many smaller entities won’t be selected initially. Your supervisor will confirm.
Is DORA’s incident reporting the same as NIS2?
DORA is lex specialis for the financial sector. Timelines are aligned in effect but not identical; under DORA you submit an initial notification within 24h (or 4h after classification if later), an intermediate report within 72h of the initial notification, and a final report within one month of the latest intermediate report.
We outsource almost everything—do we still need a register?
Yes. (EU) 2024/2956 requires a maintained Register of Information, including subcontractors that underpin critical/important functions; templates and instructions are published.
When do supervisors need our register?
The ESAs expect competent authorities to submit RoI by 30 April 2025, so many supervisors asked firms to provide data ahead of that date. Keep your DMS export‑ready.