The European Union’s Digital Operational Resilience Act (DORA) is a regulation aimed at enhancing the digital resilience of financial institutions. It requires, amongst other things, organizations to implement effective and prudent ICT-risk management practices, improve application resilience through testing and planning, and have crisis communication plans in place.

Ardoq helps organizations meet these requirements by identifying, documenting, and managing the impact of this regulatory change. Ardoq also complements and enhances incident management practices by modeling the existing IT Service Management (ITSM) practice and any other relevant framework, such as NIST or ISO27001. If your organization already has these standards or regulations in Ardoq, you will be able to identify and understand where you fulfill DORA requirements or where there may be gaps.

Ardoq’s integration with CMDB tools such as ServiceNow enables you to import information about critical ICT incidents, and assess an incident's impact on the organization. Additionally, Ardoq allows IT and Security leaders to report, communicate, and present important communications about DORA compliance.

Introduction to EU DORA

The Digital Operational Resilience Act (DORA) is a European Union regulation aimed at enhancing the digital operational resilience of the financial sector. It establishes a unified regulatory framework for managing information and communication technology (ICT) risks by financial entities and their third-party ICT service providers. DORA is part of the EU’s broader Digital Finance Package, which aims to support the financial sector's digital transformation while ensuring its safety and resilience.

DORA was adopted by the European Parliament and the Council of the European Union in 2022. The regulation entered into force on January 16, 2023, and will become fully applicable on January 17, 2025. During this period, financial entities and third-party ICT service providers must take steps to comply with the requirements outlined in DORA.

DORA will specifically focus on 20 types of regulated EU financial entities. These include banks, investment, pension providers, and providers of other financial services such as credit or payment, credit ratings, electronic money institutions, investment firms, and crypto-asset service providers.

DORA aims to address risks affecting information and communication technology (ICT) by establishing a framework for enhanced operational resilience across the financial sector—including holistic cyber risk management, incident reporting, and coordination among financial entities and regulatory authorities.

For an introduction to the Digital Operational Resilience Act see: Understanding DORA: The EU's Digital Operational Resilience Act

Where Ardoq Adds Value

Ardoq supports organizations across all five areas included in DORA.

ICT Risk Management and Governance
- Ardoq helps you document and manage ICT risk management practices. This includes documenting regulations, assessments, policies, procedures, and controls outlined in DORA.
- Ardoq can be used to establish and maintain an up-to-date governance structure where business capabilities, risks, controls, vendors, and applications all have identified owners.
ICT Incident Management and Reporting:
- Ardoq allows EAs to model and visualize the ITSM process, demonstrating the incident management process.
- Ardoq can document and supplement information held in other systems like an ITSM tool or CMDB
- Ardoq can pull in information from an ITSM tool on applications to assist in the reporting requirements of critical ICT-related incidents to competent authorities.
Digital Operational Resilience Testing:
- While Ardoq is not a system for testing applications, technologists and Enterprise Architects can use it to document and summarize information about the latest resilience tests carried out on applications that support critical capabilities.
- Ardoq can also notify identified application owners that periodic assessments are due to be carried out.
- Ardoq can also document the through process modeling or other testing methods that align with DORA requirements.
Information Sharing:
- Ardoq can model relevant processes to facilitate DORA requirements around information sharing and cyber threats and vulnerabilities to enhance collective resilience.
Oversight of Third-Party Providers:
- Organizations can model and document DORA-related information in Ardoq around Critical third-party ICT service providers, as these must be subject to rigorous oversight.
- Architects and compliance personnel can use Ardoq to assess and ensure providers comply with DORA’s requirements and facilitate regular reviews of 3rd party performance and risk management practices.

Purpose and Value

Addressing DORA with Ardoq

Achieving DORA compliance allows an organization to set out objectives to strengthen the organization's operational resilience, ensuring financial stability. By focusing on these objectives and the related outcomes, leadership can ensure that the organization meets regulatory requirements and enhances its overall risk management capabilities, builds stakeholder trust, and maintains a competitive edge in the market.

Ardoq enables organizations to record and show compliance with DORA by assisting organizations in addressing Risk Management, Reporting around Incident Management and understanding the true impact of significant incidents, capturing operational resilience plans on relevant components and orchestrating testing processes, highlighting processes to share information with external bodies, create and orchestrate evaluation and understanding of third party suppliers and ensuring good governance through the enforcement of ownership and accountability of applications and capabilities as well as canvasing relevant information in real-time.

The primary stakeholders who benefit from addressing EU DORA, and other Regulatory Requirements in Ardoq, are those responsible for ensuring continuous business operations. These individuals are likely already involved in the organization's risk management activities.

The key benefits by role include:

CFO, COO, CIO, and CISO
Head of Risk and Compliance
Capability owners or related business stakeholders
Application owners and other roles that are accountable for applications

CEOs are also relevant stakeholders because they want to ensure regulatory compliance in their organization. However, they don't usually participate in addressing requirements.

Role	Objective	Outcome
CFO / COO	Implement robust ICT risk management and resilience practices to prevent and mitigate disruptions. Meet all regulatory requirements to avoid penalties and legal issues. Build trust with investors, customers, and other stakeholders by demonstrating strong operational resilience. Ensure that critical business functions remain operational even during ICT disruptions. Enhance governance structures to ensure accountability and effective oversight of ICT risk management. Manage the costs associated with implementing and maintaining compliance with DORA.	Minimize financial losses and operational downtime due to ICT incidents. Full compliance with DORA, reducing the risk of regulatory fines and enhancing the organization's risk profile. Consistent revenue streams and customer retention, even in the face of potential disruptions. Optimized spending on ICT risk management and compliance initiatives, balancing cost and benefit. Increased investor confidence, potentially leading to a higher valuation and better access to capital. Optimized spending on ICT risk management and compliance initiatives, balancing cost and benefit.
CIOs / CISOs	Implement robust ICT risk management and resilience practices to prevent and mitigate disruptions. Reduce the overall level of risk in the enterprise to minimize the impact of risk events.	Identify opportunities to improve operational resilience
Risk and Compliance	Create a risk library for all risks relating to the DORA Critical applications. Support the technical side of the organization's risk management practice Implement relevant control frameworks like DORA, ISO, NIST, etc. Report on areas of compliance and non-compliance	All relevant risks are entered into a risk register (library) Relevant controls are known to the business Controls are matched to the risks Risks are communicated to relevant application owners to plan the deployment of controls
Capability Owners	Determine if the capability is critical to the organization Determine if the capability is exposed to DORA regulation Understand the relationship between the capabilities and the supporting applications.	Provide data on each capability Plan and implement relevant controls to bring risk to tolerable levels
Applications Owners	Quantify the acceptable level of risk for each managed application Reduce the overall level of risk to the managed applications through the implementation of relevant controls	Provide data on each application Plan and implement relevant controls to bring risk to tolerable levels

Armed with Ardoq, CIO’s, CISOs, Compliance Teams, Business Stakeholders and Enterprise Architects can collaborate and enable the organization to achieve DORA regulatory compliance.

The Value of Addressing DORA With Ardoq

Ardoq’s strength is providing up-to-date insights from complex, interconnected, and dynamic information that is updated across the company. Its unique combination of capabilities can make a valuable contribution to tackling EU DORA and other similar regulations, standards, and frameworks.

Ardoq provides value in addressing the EU DORA regulation through:

Comprehensive Risk Management	Ardoq aids organizations in developing and managing ICT risk management frameworks that align with DORA requirements. This includes; Helping to identify and manage ICT risks by mapping business capabilities to regulatory requirements. Assessing the risk levels of various processes and value streams to downstream applications that enable the business capabilities. Documenting and visualizing risk assessments to ensure compliance.
Enhanced Compliance Tracking	Ardoq facilitates tracking and documenting compliance with DORA by: Documenting and visualizing ICT incident management processes. Documenting and recording resilience testing outcomes. Capturing assessments and helping to evaluate third-party vendors through surveys. Supporting the organization's annual audit requirements.
Efficient Resource Allocation	Ardoq enables efficient allocation of resources by: Identifying critical business capabilities and applications. Ensuring risk management practices are robust. This targeted approach helps organizations optimize their spending on the proper ICT risk management and compliance initiatives, balancing cost and benefit.
Improved Information Sharing	Ardoq supports effective communication and information sharing by: Modeling processes to demonstrate how threats and vulnerabilities are communicated. Facilitating collaboration with external bodies, third-party service providers, and industry partners. This enhances collective resilience by ensuring that threat information is shared efficiently and effectively to mitigate risks across the financial sector.
Automated Processes and Accountability	Ardoq leverages automation to: Conduct risk assessments and compliance monitoring. Keep information up-to-date for decision-making. Additionally, Ardoq can enforce ownership and accountability by assigning responsibility for maintaining and updating information related to capabilities, processes, risks, controls, and applications.

Scope

Ardoq enables organizations to directly address ICT Risk Management, Governance, and 3rd Party Oversight. It also assists organizations in modeling the incident management process, however, incident management is usually carried out using ITSM tools like ServiceNow. Ardoq does not replace these tools, but can assist in Incident Management Reporting and information sharing to support all requirements outlined in the DORA regulation.

Ardoq addresses DORA requirements by addressing the following key questions:

Pillar in DORA	Questions Ardoq will help you address
ICT Risk Management & Governance	What Critical capabilities are impacted by DORA regulations? Can I show how I address DORA regulations mapping EA capabilities to DORA Business Functions? (This is a translation question solved in the Rationale) Which capabilities have undergone a business impact assessment? Which capabilities are critical? What applications have undergone a risk assessment Do I perform a risk assessment on applications that support DORA’s Critical Capabilities Who is responsible for DORA impacted Applications? What is the percentage of time we have completed addressing DORA regulations?
ICT Incident Management and Reporting	What is the organization's incident management process? Who owns the incident reporting processes related to DORA? Shine a light on situations in the organization's incident management process where ownership disappears. What applications linked to critical capabilities have had <1 breach or unplanned outage in the last 12 months?
Digital Operational Resilience Testing	Are critical applications tested and have business continuity plans been developed?
Information Sharing	What processes in our organization enable the sharing of information about cyber threats and vulnerabilities to enhance collective resilience?
Oversight of Third-Party Providers	What third parties assist in the delivery/supply of critical capabilities.? Have third-party organizations and related contracts have been vetted through a risk assessment process? Are controls/measures/policies in place to evaluate/monitor Third-Parties?

Rationale

Ardoq’s Approach to DORA

There are many approaches to addressing regulations that may impact your organization. When addressing regulations like the EU's DORA with Ardoq, we recommend that you take a capability-focused approach.

The approach starts by assessing business capabilities to determine their relevance to the DORA regulation. The regulation’s emphasis on understanding business functions and how they are supported within the enterprise drives this approach.

The terminology used in the DORA legislation is then translated into concepts used by Enterprise Architects. This enables you to leverage the existing data in Ardoq and connect components to your current metamodel, saving valuable time and ensuring a holistic approach to risk and compliance.

The legislation focuses on understanding which business functions are identified as financially oriented and exposed to risk. The Ardoq Solution maps ‘functions’ to ‘business capabilities’ (both business and technical).

Metamodel Reference

Ardoq’s approach to addressing DORA regulations benefits from several of Ardoq’s preexisting solutions.

Application Lifecycle Management and Business Capability Modeling which are crucial for overseeing your organization's development, deployment, and ongoing support of applications and capabilities
Business Capability Realization which focuses on the practical implementation and achievement of business goals, and
Organizational Patterns and Application Risk Management

Ardoq recommends creating the DORA regulations and subsequent requirements in a workspace along with other such regulations in a similar method deployed in the Application Risk Management. Ardoq also recommends building an assessments workspace where DORA assessments for Capabilities, Applications, and third parties can be documented.

Additionally, DORA requirements can be addressed through a common framework or standard such as ISO27001 or ITIL. Those specific requirements can be referenced to the irrelevant control requirements addressed in those frameworks.

Ardoq's DORA Implementation Guide provides more information on how to implement DORA in Ardoq.

Modeling Regulation & Requirements

To model regulatory requirements for DORA we build on the concepts developed as part of Application Risk Management. Specifically, Ardoq recommends using the Information Artifact and Requirement Component.

ICT Risk Management & Governance

Ardoq enables you to address the EU DORA requirements for Risk Management and Governance in the following way:

Perform Capability Assessments to determine which capabilities are subject to DORA regulations and requirements - implementing an assessment of the capabilities to assess each capability's applicability and DORA criticality. This is accomplished through a predefined Ardoq survey.

Above: The image shows how Ardoq can identify DORA Critical Capability subject to the regulation.

Once DORA Critical Capabilities have been identified, Applications that realize the critical business capabilities (see business capability solution) can be assessed to determine whether those supporting applications are in scope of the DORA requirements. For example, by assessing applications to understand if they supply, store, or process financial data.
Identified applications can then go through the Ardoq Application Risk Management process to identify and reduce the enterprise's risk levels.
In delivering the application risk management processes, relevant controls can be added to the control library and deployed to the in-scope applications.
This process is iterative and should be regularly reviewed and repeated to ensure changes are recorded and that new capabilities/applications are continually assessed.

ICT Incident Management and Reporting with Ardoq

Ardoq enables you to address some of the incident management requirements in the following ways:

Leverage Existing CMDB Data:

Integrate data from ITSM tools (e.g., ServiceNow) into Ardoq.
Copy key data points related to major incidents to highlight their impact on critical applications.
Maintain an accurate inventory of IT assets and services by combining CMDB data with Ardoq’s enterprise view.

2. Heat Mapping and Analysis:

Incorporate incident data into Ardoq to create heat maps and analyze outages affecting DORA critical applications.
Use a ‘Dora Criticality’ field on capabilities to highlight and quickly identify vulnerabilities.
Develop visualizations to identify patterns and support proactive risk mitigation.
Ensure regular reporting and thorough assessment of significant incidents for compliance with DORA.

3. Model Regulatory Reporting Processes:

Document the entire regulatory reporting process within Ardoq.
Include incident reporting workflows, compliance checks, and steps for submitting reports to authorities.
Standardize the approach to regulatory compliance to ensure timely and accurate reporting.
Enhance organizational transparency and accountability, building trust with stakeholders and regulatory bodies.

The Diagram shows a sample process modeled in Ardoq to address Regulatory Reporting.

By following these steps, organizations can effectively manage and report ICT incidents, ensuring compliance with DORA and improving operational resilience.

Addressing Requirements for Digital Operational Resilience Testing

Ardoq enables organizations to address requirements for digital resilience testing by providing a structured approach to capability assessment, application evaluation, risk mitigation, and continuity planning.

Carry Out Capability Assessment

Identify all critical leaf node capabilities (L3 and lower) under DORA.
Map out business capabilities essential for financial operations and resilience.
Use Ardoq’s survey functionality to assess the relevance and criticality of each capability.

The diagram visualizes the card payment assessment and its relationship to the Card payment capability

Application Assessment for Critical Capabilities

Assess applications supporting critical capabilities using the DORA Application assessment component.
Survey application owners to evaluate each application’s role, data handled, and associated risks.
Use Ardoq’s Application Risk Management use case to identify and document relevant controls.

The diagram demonstrates which applications realize the payment capability.

Implement Risk Mitigation Measures:
- Develop and implement measures to mitigate identified risks.
- Link regulations to controls, policies, and initiatives.
- Establish necessary controls and policies based on Ardoq’s guidance on Application Risk Management.
Develop and Test Business Continuity and Disaster Recovery Plans:
- Create and model Business Continuity Plans (BCP) and Disaster Recovery (DR) for critical applications.
- Manage and detail steps for disruption scenarios.
- Regularly test and update these plans to ensure effectiveness.
Monitor and Review Annually:
- Establish routine monitoring and annual review processes for ongoing compliance and resilience.
- Set up regular assessments and reviews using Ardoq.
- Continuously update documentation and risk management practices in Ardoq to reflect current resilience measures.

For other areas of DORA legislation, Ardoq recommends documenting relevant Incident Management processes and mapping to existing frameworks like ISO27001 / NIST800-53, SOC2, etc., if they apply to your enterprise.

Information Sharing

Ardoq enables organizations to manage DORA requirements for internal and external information sharing in the following ways:

Model Processes for External Information Sharing:

Use Ardoq to create models demonstrating how threats and vulnerabilities are communicated to regulatory bodies, third-party service providers, and industry partners.

Standardize Reporting Procedures:

Establish documented standard procedures within Ardoq for reporting incidents and sharing threat intelligence, which can be communicated internally.
Ensure these procedures facilitate collaboration and enhance collective resilience.

Document and Understand Processes:

Document all information-sharing processes in Ardoq to ensure to make sure you understand and manage DORA requirements.
Foster a collaborative environment where threat information is shared efficiently and effectively.

Mitigate Risks Across the Financial Sector:

Utilize documentation in Ardoq to promote efficient risk mitigation strategies by effectively communicating threat information.

Oversight of Third-Party Providers

Ardoq recommends using the same process to evaluate 3rd party vendors supplying critical applications related to DORA Critical Capabilities as outlined above. This will enable you to track, evaluate, and document the capabilities of service providers of DORA Critical Capabilities.

The steps include:

Perform Capability Assessments to determine which capabilities are subject to DORA regulations and requirements—implementing an assessment of the capabilities to determine the applicability and DORA criticality for each capability. This is accomplished through a predefined Ardoq’s survey.
Once DORA Critical Capabilities have been identified, vendors and 3rd party organizations that supply/support applications that realize the critical business capabilities (see business capability solution) can be assessed to determine whether they meet DORA requirements for 3rd parties and which can, in turn, be captured in assessments in Ardoq. For example, you can assess vendors to understand if they supply, store or process financial data and, if so, whether they meet the requirements outlined by DORA. You can also document relevant information about the organization as required.
Identified applications can then go through the Ardoq Application Risk Management process to identify and reduce the levels of risk in the enterprise.
In delivering the application risk management processes, relevant controls can be added to the control library and deployed to the in-scope applications.
This process is iterative and should be regularly reviewed and repeated to ensure changes are recorded and that new capabilities/applications are continually assessed.

DORA Regulation

Regulations, such as the European Union’s Digital Operational Resilience Act, and other regulations are represented in the same way as Information Artifacts that may be broken down into a more detailed collection of Requirements.

The DORA requirements may be linked directly to other Requirements or Controls indicating which are realizations of the requirements either of adopted frameworks (ISO27001 / NIST800-53) or corporate policies.

Implementing DORA

See https://help.ardoq.com/en/articles/205084-implementing-the-digital-operational-resilience-act-in-ardoq for guidance on how to implement DORA in Ardoq.

Strategy to Execution: Purpose, Scope, and Rationale

Data Lineage Metamodel: Purpose, Scope, & Rationale

Application Risk Management: Purpose, Scope, and Rationale

Technical Debt Management: Purpose, Scope and Rationale

How to Implement the Digital Operational Resilience Act (DORA) in Ardoq