Innovation, Agility and Resilience - DNA of the fittest!

Strategy, AI, Digital transformation, Operational Resilience, Cyber Security, Process automation, Risk management and Compliance are your focus domains for value creation. AI-supported disruption and geopolitical uncertainty are the new reality. Agile organizations see all that as opportunities. People, Processes and Planet are changing at a faster pace than at any time before. Sustainability, Artificial Intelligence and new business models are shaping the future. Without efficient utilization of "Digital" most businesses are at risk. Quick fix, systematic transformation or independent sparring partner to CX team - your call. We provide tailored Advisory Services for your Sustainable Growth.

IT Governance

DORA Q&A update 02

The purpose of this post is to share the facts & links about DORA with the community.

DORA act

  • Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)

RTS published and sent to the EU Commission – first batch on 17th of January 2024:

  • JC 2023 83 – RTS on criteria for the classification of ICT-related incidents
    • JC_2023_83_-_Final_Report_on_draft_RTS_on_classification_of_major_incidents_and_significant_cyber_threats.pdf
  • JC 2023 84 – RTS on the policy on ICT services supporting critical or important functions provided by ICT third-party service providers (Was replaced with JC(2024) 1531).
    • JC_2023_84_-_Final_report_on_draft_RTS_to_specify_the_policy_on_ICT_services_supporting_critical_or_important_functions.pdf
  • JC 2023 85 – Implementing Technical Standards (ITS) to establish the templates for the register of information
    • JC_2023_85_-_Final_report_on_draft_ITS_on_Register_of_Information.pdf
  • JC 2023 86 – RTS on ICT risk management framework and on simplified ICT risk management framework (Was replaced with JC(2024) 1532.)
    • JC_2023_86_-_Final_report_on_draft_RTS_on_ICT_Risk_Management_Framework_and_on_simplified_ICT_Risk_Management_Framework.pdf

Final Reports – draft RTS submitted to the European Commission on 17th July 2024:

Final Reports – draft RTS submitted to the European Commission on 26th July 2024:

  • JC 2024 53 – Final Report RTS .. to assess when subcontracting ICT services supporting critical or important functions
    • Draft Regulatory Technical Standards to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) of Regulation (EU) 2022/2554;
    • JC 2024-53_Final report DORA RTS on subcontracting.pdf

The set of guidelines includes:

  • Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents; and
    • JC 2024 34 Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554. EBA site;
    • JC 2024 34 Joint Guidelines pdf
  • Guidelines on oversight cooperation.

https://www.eba.europa.eu/publications-and-media/press-releases/esas-published-second-batch-policy-products-under-dora

Update to DORA regulation – Supplementing Regulation (EU) 2022/2554:

Criteria for the designation of ICT third-party service providers as critical for financial entities

  • Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities. (EU) 2024/1502.

Criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents

IT Governance – how to do it right?

We can say that IT Governance is just one piece of the puzzle within Corporate Governance.

But how important a part is it? And how to do it right?

What are the factors influencing the need to focus on raising the IT Governance maturity?

During our recent diagnostic project we were asked to identify the opportunities for improvement in an organization that is continuously missing the deadlines in executing tasks supporting strategic objectives. As such, strategy execution was, at least from the timeline perspective, at risk.

Key challenges we identified were:

  • Strong influence of external environment on priorities.
  • Individual plans and tasks not connected with the strategic plans and projects.
  • Poor visibility or unreliable indicators (performance, risk …).
  • Obsolete and not-fit-for-purpose service, task and project management platforms.
  • Low morale and signs of burnout within IT and some other functions.
  • Bad scores in measuring organizational climate, no systematic focus on organizational culture.
  • IT Strategy not formalized.
  • Mission and Vision of the IT teams not clear.

It was clear that the organization was falling behind because key success factors that would allow the organization to follow its strategic objectives in a more sustainable way were not there.

How to fix this?

Simple answer – do the IT Governance right.

There is no recipe to fix it once and for all. This is a journey lasting as long as the organization is alive.

Need support? Let us know and we will put you on track and keep you there!