DORA
This guide explains how Modulos operationalizes the DORA Regulation (EU) 2022/2554 using both organization-level and AI-system-level framework objects.
Key facts

| Key fact | Detail |
|---|---|
| Type | EU regulation (financial sector) |
| Primary scope | Digital operational resilience for financial entities |
| Application date | Applies from 17 January 2025 |
| Core obligations | ICT risk, incident reporting, resilience testing, third-party risk |
| Modulos objects | OFF-16 (org) and MFF-16 (app) |
Practical framing
In Modulos, DORA is executed as an org-and-system model: OFF-16 governs policy and accountability; MFF-16 evidences operational execution on AI systems.
How DORA is modeled in Modulos
| Framework | Project type | Focus | Requirement count |
|---|---|---|---|
| OFF-16 (DORA (org)) | Organization | Applicability, management body accountability, ICT risk governance, TPRM governance | 19 (ORF-303 to ORF-321) |
| MFF-16 (DORA (app)) | AI system | ICT risk execution, incident workflows, resilience testing, third-party execution | 19 (MRF-275 to MRF-293) |
Coverage domains in this guide
- Applicability and governance: scope, proportionality, accountability model, policy ownership.
- ICT risk and resilience operations: identify, protect, detect, respond, recover workflows.
- Testing and third-party risk: resilience testing, TLPT alignment, contractual safeguards, register duties.
- Oversight readiness: governance readiness for the critical ICT third-party oversight ecosystem (Art. 31-44) where customer operations interface with overseen providers.
- Information sharing and secondary legislation: threat-sharing duties and delegated/implementing act governance.
Relationship with NIS2
NIS2 and DORA are modeled separately in Modulos. Many financial entities need both, but DORA provides the financial-sector operating model while NIS2 remains a broader cybersecurity directive. Keeping both frameworks explicit preserves traceability and avoids hidden assumptions in audits.
Explore DORA in depth
- Applicability and governance: scope determination, proportionality, and management-body accountability.
- ICT risk and resilience operations: end-to-end ICT risk, continuity, and major-incident execution model.
- Testing and third-party risk: resilience testing, TLPT, ICT third-party due diligence, contract, and register workflows.
- Information sharing and secondary legislation: threat information-sharing obligations and delegated/implementing act operations.
- Operationalizing in Modulos: a pragmatic rollout sequence for OFF-16 and MFF-16.
Disclaimer
This page is for general informational purposes and does not constitute legal advice.