Every policy, procedure, register and report your firm needs to meet its DORA ICT incident response obligations — mapped, numbered and ready to adapt
The DORA Incident Response Document Library is a complete, ready-to-use inventory of the documentation a financial entity needs to satisfy its ICT incident response obligations under the EU's Digital Operational Resilience Act (Regulation (EU) 2022/2554). It removes the single hardest part of DORA compliance. That is knowing exactly which documents you need, who owns them, and where each one sits in the incident lifecycle.
Instead of starting from a blank page, you start from a structured library of 146 documents across 13 categories. Every entry is mapped to its specific DORA article, Regulatory Technical Standard (RTS) or Implementing Technical Standard (ITS). Nothing is left to guesswork.
DORA requires financial entities across the EU to prove they can withstand, respond to and recover from ICT-related disruptions. A large part of that proof is documentary. Supervisors do not just want to hear that you have a process. They want to see the approved policies, the classification records, the reporting artefacts and the evidence logs that show the process is real.
This library is the control document for that entire documentation set. It answers a question most firms struggle with. What does a complete DORA incident response documentation set actually look like?
Each of the 146 documents is listed with its purpose, its owner, its format and its regulatory basis. The documents are grouped into thirteen clear categories, and each category explains why it exists, who maintains it, and where its documents fall in the incident timeline. On top of the register itself, the library includes 15 full document profiles for the artefacts DORA makes mandatory, each specified across 22 detailed fields. A separate Excel-ready master register with 18 columns lets you drop the whole set straight into Excel, SharePoint or your GRC platform and run it as your single source of truth.
The library organises everything into thirteen categories that follow the natural shape of an incident, from governance through to lessons learned.
Every document carries a status code so you can see at a glance how strong the requirement is. M marks a document explicitly mandated by DORA or its technical standards. C marks one required in practice to evidence a mandatory obligation. R marks a recommended good-practice document drawn from ISO 27035, NIST SP 800-61 and supervisory expectations.
Each document also carries a lifecycle marker — Before, During or After — showing whether it must be prepared in advance, completed live during an incident, or finished in the post-incident phase. This matters more than it sounds. DORA's four-hour initial notification window leaves no time to design a form once an incident is under way. The blank templates have to exist and be approved beforehand.
DORA is not a light-touch framework. It places responsibility for ICT risk directly on the management body, and it sets hard, unforgiving deadlines for reporting major incidents. An initial notification is due within four hours of an incident being classified as major, and no later than 24 hours after the firm becomes aware of it. An intermediate report follows within 72 hours. A final report is due within one month.
You cannot hit those deadlines while still deciding what your documents should look like. Firms that treat documentation as an afterthought discover the gap at the worst possible moment, during a live incident with a regulator waiting. This library closes that gap in advance.
You stop guessing what you need. The library is a complete, pre-mapped inventory. Every document is tied to a specific article, RTS or ITS, so you can see your obligations and your gaps in one place.
You move faster in a crisis. Because every "during-incident" form already exists as an approved blank template, your team fills in records rather than inventing them. That is the difference between meeting the four-hour clock and missing it.
You are ready for supervisory review. The set is built the way an auditor reads it, starting with governance and flowing through classification, reporting and evidence. When a regulator asks, the answer is already on the shelf.
You run it as a single source of truth. The 18-column master register imports straight into Excel, SharePoint or your GRC tool, giving you one controlled, maintainable view of your entire documentation estate.
You save weeks of work. Rather than building 146 documents from scratch, your team adapts a professionally structured set. The heavy lifting of research, mapping and structure is already done.
The library is designed for financial entities in scope of DORA and the people responsible for their operational resilience. That includes CISOs and information security leaders, risk and compliance officers, operational resilience teams, internal audit, and the management bodies who now carry personal accountability for ICT risk. It also supports the ICT third-party providers who must align with their clients' DORA obligations.
A complete documentation set is a powerful start, but paper alone does not make a firm resilient. The documents have to be understood, owned and rehearsed. This is where preparation turns into genuine readiness.
At Cyber Management Alliance, we help financial entities go beyond the paperwork. Our cyber tabletop exercises put your incident response documentation to the test in realistic scenarios, so you find the gaps in a safe setting rather than during a live event. Our NCSC-Assured Cyber Incident Planning and Response training equips your teams to lead through a crisis with confidence. And our incident response playbook creation and review workshops ensure the playbooks in your library are practical, current and genuinely fit for purpose.
The library gives you the structure. We help you make it real.
** GDPR & Privacy ** We wholeheartedly believe in your and our rights to privacy and in the GDPR. The bottom of the page explains how we use your data.
The DORA Incident Response Document Library is a complete inventory of the 146 documents a financial entity needs to meet its ICT incident response obligations under the EU Digital Operational Resilience Act. It groups every policy, procedure, register, checklist, form, playbook and report into 13 categories, each mapped to its relevant DORA article, RTS or ITS.
DORA is the Digital Operational Resilience Act, Regulation (EU) 2022/2554. It sets rules for how financial entities in the EU manage ICT risk, respond to incidents and report major incidents to regulators. It applies to a wide range of financial entities as well as the critical ICT third-party providers that serve them.
The library includes 146 documents across 13 categories. It also provides 15 full document profiles for the artefacts DORA makes mandatory, each specified across 22 fields, plus an Excel-ready master register with 18 columns that acts as your single source of truth.
Under DORA, an initial notification of a major incident is due within four hours of classification as major and no later than 24 hours after the entity becomes aware of it. An intermediate report follows within 72 hours, and a final report is due no later than one month after the intermediate report.
The library flags which documents must be completed live during an incident and ensures those forms exist as approved blank templates in advance. Because the templates are ready before an incident, your team records information rather than designing forms under pressure, which is essential for meeting DORA's tight deadlines.
Each document carries a status code. M means the document is explicitly mandated by DORA or its technical standards. C means it is required in practice to evidence a mandatory obligation. R means it is a recommended good-practice document drawn from standards such as ISO 27035 and NIST SP 800-61.
Yes. The master register is supplied as an Excel-ready CSV with 18 columns. You can import it directly into Excel, SharePoint or your GRC platform and maintain it as the single, controlled source of truth for your DORA incident response documentation.
The library is a professionally structured template product. It gives you the complete inventory, structure, ownership and regulatory mapping, and it is designed to be adapted to your specific entity, sector and systems before use. A sector adaptation guide is included to support this.
We offer a host of courses including our NCSC Assured Training in Cyber Incident Planning and Response and our NCSC Assured Training in Building and Optimising Incident Response Playbooks.
Hands On, full-support 'Security As a Service', specifically designed for organisations that require access to experienced cybersecurity, governance, risk and compliance professionals.
A unique, affordable, subscription-based, cybersecurity service for small to medium businesses, offering 280+ services in cybersecurity.
Scenario-based, verbally-simulated tabletop attack exercises that test your organisation's ability to effectively respond to a cyber-attack.