Requirement
DORA.IM-1.1: The financial entity shall establish, document and implement a comprehensive ICT-related incident management process covering detection, recording, classification, escalation, containment, resolution and post-incident review of all ICT-related incidents (Art. 17(1) DORA).
Guidance
The process should be formally approved, communicated to all relevant staff, and include: incident identification triggers; a centralised incident log; defined severity levels and escalation paths; containment and evidence preservation procedures; resolution documentation; and integration with the major incident reporting process.
Documentation
Implementation
Requirement
DORA.IM-2.1: The financial entity shall clearly define and assign roles and responsibilities for all phases of ICT incident management, including designation of an incident owner, response team members, escalation authorities, and regulatory notification owners (Art. 17(1) DORA).
Guidance
Consider: RACI matrix for incident management phases; named incident response team with defined authority levels; clear criteria for escalating to senior management and the management body; alternates designated for key roles; and regular exercises to test team readiness.
Documentation
Implementation
Requirement
DORA.IM-3.1: The financial entity shall maintain a comprehensive ICT incident log capturing all relevant incident details — including classification, timeline, impact assessment, actions taken, and resolution — with regular management reporting on incident trends and open items (Art. 17(1) DORA).
Guidance
Consider: centralised incident tracking system with mandatory data fields; SLAs for incident resolution by severity; regular management information reporting on incident volumes, trends and key metrics; and use of incident data in the annual ICT risk review.
Documentation
Implementation
Requirement
DORA.IM-4.1: The financial entity shall conduct root cause analysis for significant ICT-related incidents to identify underlying causes, contributing factors and systemic weaknesses, and implement improvements to prevent recurrence (Art. 17(3) DORA).
Guidance
Consider: formal RCA methodology with defined scope and timelines; documentation of RCA findings and contributing factors; tracking of corrective actions to closure; escalation of systemic weaknesses to the management body; and periodic trend analysis to identify recurring themes.
Documentation
Implementation
Maturity Scale
Target: ≥ 3/5 for all categories
Level 1
Documentation: No process documentation exists, or it has not been formally approved by management.
Implementation: No standard process exists. Actions are ad hoc and undocumented.

Level 2
Documentation: Formally approved process documentation exists but has not been reviewed in the previous 2 years.
Implementation: An ad hoc process exists and is performed informally. Results are inconsistent.

Level 3
Documentation: Formally approved process documentation exists; exceptions are documented and approved, and documented exceptions cover less than 5% of activities.
Implementation: A formal process exists and is implemented. Evidence is available for most activities. Less than 10% of activities are process exceptions.

Level 4
Documentation: Formally approved process documentation exists; exceptions are documented and approved, and documented exceptions cover less than 3% of activities.
Implementation: The formal process is fully implemented. Evidence is available for all activities. Detailed metrics are captured and reported. Less than 5% of activities are process exceptions.

Level 5
Documentation: Formally approved process documentation exists; exceptions are documented and approved, and documented exceptions cover less than 0.5% of activities.
Implementation: The formal process is fully implemented and continually improving. Exceptions are minimal (less than 1% of activities). Process improvements are tracked and evidenced.