ICT risk and resilience operations

DORA execution in Modulos covers the full ICT resilience cycle: plan, protect, detect, respond, recover, learn, classify, and report.

Organization-level resilience governance (OFF-16)

Requirement	Topic	Regulation reference
`ORF-367`	ICT systems capacity, availability, and resilience governance	Art. 7
`ORF-368`	ICT asset, function, data, and dependency inventory governance	Art. 8(1), 8(4)-(7)
`ORF-369`	Continuous ICT risk identification, assessment, and vulnerability governance	Art. 8(2), 8(3)
`ORF-370`	ICT protection and prevention governance	Art. 9
`ORF-371`	ICT detection and alert governance	Art. 10
`ORF-372`	ICT response, recovery, and crisis-management governance	Art. 11(1)-(9)
`ORF-373`	Backup, restoration, recovery objectives, and continuity methods governance	Art. 12
`ORF-374`	Post-incident review, learning, and resilience-improvement governance	Art. 13
`ORF-375`	Crisis communication, client disclosure, and public communication governance	Art. 14, 19(3)

Requirement	Topic	Regulation reference
`ORF-376`	ICT-related incident management process governance	Art. 17
`ORF-377`	Major incident classification and materiality assessment governance	Art. 18
`ORF-378`	Major ICT-related incident reporting governance	Art. 19, 20
`ORF-379`	Significant cyber threat voluntary notification governance	Art. 19(2), 20
`ORF-380`	Aggregated annual major-incident costs and losses estimation and reporting governance	Art. 11(10)-(11)
`ORF-381`	Operational or security payment-related incident reporting governance	Art. 19, 20, 23

Requirement	Topic	Regulation reference
`MRF-294`	ICT capacity, availability, and resilience execution	Art. 7
`MRF-295`	ICT asset, function, data, and dependency mapping execution	Art. 8(1), 8(4)-(7)
`MRF-296`	Continuous ICT risk and vulnerability assessment execution	Art. 8(2), 8(3)
`MRF-297`	ICT protection and prevention control execution	Art. 9
`MRF-298`	ICT detection and alert-threshold execution	Art. 10
`MRF-299`	ICT response, recovery, and crisis-operations execution	Art. 11
`MRF-300`	ICT backup, restoration, and recovery execution	Art. 12
`MRF-301`	Post-incident learning and resilience-improvement execution	Art. 13
`MRF-302`	ICT-related incident logging and evidence-handling execution	Art. 17
`MRF-303`	Major incident classification and materiality assessment execution	Art. 18
`MRF-304`	Major ICT-related incident reporting preparation execution	Art. 19, 20

The current DORA incident family is deliberately more explicit than the old framework attempt:

ORF-376 governs the incident-management process itself
ORF-377 governs major-incident classification and materiality
ORF-378 governs staged DORA reporting
ORF-379 keeps voluntary significant-cyber-threat notification separate
ORF-380 preserves the standing capability to estimate annual major-incident costs and losses for entities that are not operating under the Article 16 simplified-framework carve-out for that duty
ORF-381 isolates the Article 23 payment-related reporting cohort

On the app side, MRF-302 to MRF-304 provide the operational evidence path: logging, classification inputs, and reporting-preparation evidence.

critical service and dependency inventories are current and reviewable
anomaly thresholds and escalation paths are documented and tested
continuity and restoration evidence includes test frequency and outcomes
major-incident classification and staged-reporting logic is reproducible
cohort-specific duties such as payment-related reporting are justified through the requirement applicability record

Scope, accountability, and resilience-strategy governance

TLPT, contract, register, and subcontracting model

Practical implementation sequence for OFF-16 and MFF-16

Disclaimer

This page is for general informational purposes and does not constitute legal advice.