DORA: Common Scenarios
Practical guidance for applying DORA to real-world situations.
Scenario 1: Ransomware Attack
Question: Our bank detected ransomware at 10am Monday that encrypted core banking systems. What’s our reporting timeline?
Answer: Report within 4 hours of classifying as major (by 2pm Monday at latest):
| Deadline | Action |
|---|---|
| +4h | Initial notification: ransomware detected, systems affected, containment started |
| +72h | Intermediate report: scope, impact on customers, recovery progress |
| +1 month | Final report: root cause, full impact, remediation, lessons learned |
Also: Inform affected customers if their services are impacted.
Citation: Art 19
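An added example (not from this page) that turns the Scenario 1 timeline into a deadline tracker: given the time the incident was classified as major, it computes the 4h/72h/1-month deadlines and reports whether each submission is on time, late or overdue. It assumes, as Scenario 1 does, that the clock starts at classification, and that "+1 month" means one calendar month, clamped at month end (31 Jan -> 28/29 Feb).

```python
import calendar
from datetime import datetime, timedelta


def add_one_month(ts: datetime) -> datetime:
    """Add one calendar month, clamping the day to the target month's length
    so a 31 Jan classification does not silently roll into March."""
    year = ts.year + (1 if ts.month == 12 else 0)
    month = 1 if ts.month == 12 else ts.month + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def reporting_deadlines(classified_at: datetime) -> dict:
    """Art 19 deadlines from Scenario 1, measured from classification as major."""
    return {
        "initial notification": classified_at + timedelta(hours=4),
        "intermediate report": classified_at + timedelta(hours=72),
        "final report": add_one_month(classified_at),  # assumption: calendar month
    }


def report_status(classified_at: datetime, now: datetime, submitted: dict) -> dict:
    """Per report: 'submitted' (in time), 'late' (sent after the deadline),
    'overdue' (deadline passed, nothing sent) or 'due in Xh'."""
    status = {}
    for name, deadline in reporting_deadlines(classified_at).items():
        sent = submitted.get(name)
        if sent is not None:
            status[name] = "submitted" if sent <= deadline else "late"
        elif now > deadline:
            status[name] = "overdue"
        else:
            hours_left = (deadline - now).total_seconds() / 3600
            status[name] = f"due in {hours_left:.1f}h"
    return status


if __name__ == "__main__":
    # Constructed sample: Scenario 1, classified as major at 10:00 on Monday 29 Jan 2024
    classified = datetime(2024, 1, 29, 10, 0)
    sent = {"initial notification": datetime(2024, 1, 29, 12, 30)}
    for report, state in report_status(classified, datetime(2024, 1, 29, 13, 0), sent).items():
        print(f"{report:22s} {state}")
```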
Scenario 2: Cloud Provider Selection
Question: We’re selecting a new cloud provider for our trading platform. What DORA requirements apply?
Answer: Full third-party risk assessment required (Art 28-30):
- Pre-contract due diligence — Security posture, certifications, financial stability
- Criticality assessment — Trading platform = critical function
- Contract terms — All Art 30 mandatory terms including:
  - SLAs with quantitative targets
  - Incident notification provisions
  - Audit rights and access
  - Exit assistance obligations
  - Data location provisions
- Register update — Add to ICT third-party register
- Concentration risk — Assess if over-reliant on provider
Citation: Art 28-30
Scenario 3: TLPT Requirement
Question: We’re a regional bank with €5B in assets. Do we need to do TLPT?
Answer: Depends on competent authority designation.
| Factor | Assessment |
|---|---|
| Designation | Competent authority designates significant entities |
| Criteria | Systemic importance, risk profile, size |
| If designated | TLPT every 3 years mandatory |
| If not designated | Basic testing program sufficient |
Proactive approach: Conduct TLPT voluntarily to demonstrate robust resilience.
Citation: Art 26
Scenario 4: Third-Party Incident
Question: Our cloud provider notified us of a security incident affecting our data. What do we do?
Answer: Assess if it’s a major incident for YOU:
| Step | Action |
|---|---|
| 1. Get details | Request incident information from provider |
| 2. Assess impact | Does it affect your critical functions? Client data? |
| 3. Classify | Is this a major ICT-related incident for your entity? |
| 4. Report | If major, report to competent authority (4h/72h/1mo) |
| 5. Notify clients | If their services/data affected |
| 6. Document | Record incident in register regardless |
Remember: Provider incident may or may not be major for you — assess independently.
Citation: Art 17-19
Scenario 5: Management Training
Question: Our CEO says they don’t need DORA training because they’re not technical. Are they correct?
Answer: No. Management body training is mandatory (Art 5(4)):
Members of the management body… shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk.
Training should cover:
- ICT risk landscape relevant to your entity
- Key DORA requirements
- How to interpret ICT risk reports
- Oversight responsibilities
Format: A technical certification is not required; tailored briefings are sufficient.
Citation: Art 5(4)
Scenario 6: Simplified Framework
Question: We’re a small payment institution with 8 employees. Do we get lighter DORA requirements?
Answer: Potentially yes, if you qualify for simplified framework (Art 16):
| Qualification | Threshold |
|---|---|
| Microenterprise | <10 employees AND <€2M turnover/balance sheet |
| Small and non-complex | Certain investment firms, AIF managers |
| Exempted under PSD2 | Limited network or instrument exemption |
If qualified:
- Simplified ICT risk management framework
- Less prescriptive documentation
- Still must manage ICT risks appropriately
If not qualified: Full DORA requirements apply.
Citation: Art 16
Scenario 7: Sub-Contracting
Question: Our IT managed services provider wants to sub-contract data center services to a third party. What should we require?
Answer: For critical function support, require approval (Art 29):
- Notification — Provider must notify you of material sub-contracting
- Assessment — Assess sub-contractor’s security and risk
- Approval — Prior written approval for critical function support
- Contract terms — Flow-down of security requirements
- Monitoring — Provider remains accountable for sub-contractor
- Termination right — If sub-contracting creates unacceptable risk
Update register to include sub-contractor details.
Citation: Art 29
Scenario 8: Testing Frequency
Question: How often do we need to test our disaster recovery capabilities?
Answer: At least annually for critical systems (Art 24):
| Test Type | Frequency |
|---|---|
| Vulnerability assessments | Regular (risk-based) |
| DR/BCM testing | At least annually |
| Penetration testing | Every 3 years (unless TLPT entity) |
| TLPT | Every 3 years if designated |
Best practice: Test critical systems more frequently, especially after significant changes.
Citation: Art 24-25
Scenario 9: ICT Third-Party Register
Question: What information do we need in our ICT third-party register?
Answer: Comprehensive inventory required (Art 28(3)):
| Field | Detail |
|---|---|
| Provider name | Legal name, entity details |
| Services provided | Description of ICT services |
| Critical function support | Yes/No, which functions |
| Contract details | Start date, duration, termination rights |
| Data processed | Types and sensitivity |
| Data location | Where data stored/processed |
| Sub-contractors | For critical function chains |
| Risk assessment | Risk classification |
| Last review date | When last assessed |
Make the register available to the competent authority on request.
Citation: Art 28(3)
Scenario 10: DORA vs NIS2
Question: We’re a bank. Do we comply with DORA or NIS2?
Answer: DORA takes precedence as lex specialis (Art 1(2)):
| Aspect | DORA | NIS2 |
|---|---|---|
| Incident reporting | 4h/72h/1mo | 24h/72h/1mo |
| Testing | Prescriptive TLPT | General testing |
| Third-party | Detailed contractual requirements | Supply chain security |
| Sector | Financial only | All essential/important |
Practical: Comply with DORA as the primary framework. NIS2 generally does not add obligations for financial entities, but where DORA is silent, NIS2 provisions may still fill the gap.
Citation: Art 1(2), Recital 16
Quick Reference Table
| Scenario | Key Rule | Citation |
|---|---|---|
| Incident reporting | 4h/72h/1mo | Art 19 |
| Third-party contracts | Mandatory terms in Art 30 | Art 30 |
| TLPT | Designated entities every 3 years | Art 26 |
| Management training | Mandatory for management body | Art 5(4) |
| Third-party register | Maintain and make available | Art 28(3) |
| Basic testing | Annual for critical systems | Art 24 |
| Exit strategies | Required for critical functions | Art 28(8) |
| Concentration risk | Assess and manage | Art 29 |