DORA Incident Response Document Library

Every policy, procedure, register and report your firm needs to meet its DORA ICT incident response obligations — mapped, numbered and ready to adapt

DORA Document Library Mandatory Docs DORA

Free and Immediately Usable DORA Incident Response Document Library

The DORA Incident Response Document Library is a complete, ready-to-use inventory of the documentation a financial entity needs to satisfy its ICT incident response obligations under the EU's Digital Operational Resilience Act (Regulation (EU) 2022/2554). It removes the single hardest part of DORA compliance. That is knowing exactly which documents you need, who owns them, and where each one sits in the incident lifecycle.

Instead of starting from a blank page, you start from a structured library of 146 documents across 13 categories. Every entry is mapped to its specific DORA article, Regulatory Technical Standard (RTS) or Implementing Technical Standard (ITS). Nothing is left to guesswork.

What is the DORA Incident Response Document Library?

DORA requires financial entities across the EU to prove they can withstand, respond to and recover from ICT-related disruptions. A large part of that proof is documentary. Supervisors do not just want to hear that you have a process. They want to see the approved policies, the classification records, the reporting artefacts and the evidence logs that show the process is real.

This library is the control document for that entire documentation set. It answers a question most firms struggle with. What does a complete DORA incident response documentation set actually look like?

Each of the 146 documents is listed with its purpose, its owner, its format and its regulatory basis. The documents are grouped into thirteen clear categories, and each category explains why it exists, who maintains it, and where its documents fall in the incident timeline. On top of the register itself, the library includes 15 full document profiles for the artefacts DORA makes mandatory, each specified across 22 detailed fields. A separate Excel-ready master register with 18 columns lets you drop the whole set straight into Excel, SharePoint or your GRC platform and run it as your single source of truth.

What's inside?

The library organises everything into thirteen categories that follow the natural shape of an incident, from governance through to lessons learned.

  • Governance and policy — the policies, procedures and RACI that establish authority, scope and decision rights. This is where a supervisory review almost always begins.
  • Detection, intake and triage — how events are spotted, logged and assessed before a formal decision is made.
  • DORA incident classification — the artefacts that apply the seven RTS criteria and materiality thresholds to decide whether an incident is major.
  • Regulatory reporting — the initial, intermediate and final report templates built around DORA's strict reporting clock.
  • Response and recovery — the playbooks and records that guide containment, eradication and restoration.
  • Evidence — the logs and records that prove what happened and when, so your response holds up under scrutiny.
  • Third-party and outsourcing — the documentation covering ICT provider incidents and contractual obligations.
  • Business impact and resilience — impact assessments and continuity links.
  • Communications — internal, external and stakeholder messaging artefacts.
  • Privacy, legal and cross-regulatory — the documents that manage the overlap with GDPR and other regimes.
  • Root cause and lessons learned — the post-incident review records required under DORA's learning obligations.
  • Testing, training and improvement — evidence that your capability is exercised and improved over time.
  • Registers and trackers — the master register and supporting logs that tie the whole set together.

Every document carries a status code so you can see at a glance how strong the requirement is. M marks a document explicitly mandated by DORA or its technical standards. C marks one required in practice to evidence a mandatory obligation. R marks a recommended good-practice document drawn from ISO 27035, NIST SP 800-61 and supervisory expectations.

Each document also carries a lifecycle marker — Before, During or After — showing whether it must be prepared in advance, completed live during an incident, or finished in the post-incident phase. This matters more than it sounds. DORA's four-hour initial notification window leaves no time to design a form once an incident is under way. The blank templates have to exist and be approved beforehand.

Why this matters under DORA

DORA is not a light-touch framework. It places responsibility for ICT risk directly on the management body, and it sets hard, unforgiving deadlines for reporting major incidents. An initial notification is due within four hours of an incident being classified as major, and no later than 24 hours after the firm becomes aware of it. An intermediate report follows within 72 hours. A final report is due within one month.

You cannot hit those deadlines while still deciding what your documents should look like. Firms that treat documentation as an afterthought discover the gap at the worst possible moment, during a live incident with a regulator waiting. This library closes that gap in advance.

Key benefits

  • You stop guessing what you need. The library is a complete, pre-mapped inventory. Every document is tied to a specific article, RTS or ITS, so you can see your obligations and your gaps in one place.

  • You move faster in a crisis. Because every "during-incident" form already exists as an approved blank template, your team fills in records rather than inventing them. That is the difference between meeting the four-hour clock and missing it.

  • You are ready for supervisory review. The set is built the way an auditor reads it, starting with governance and flowing through classification, reporting and evidence. When a regulator asks, the answer is already on the shelf.

  • You run it as a single source of truth. The 18-column master register imports straight into Excel, SharePoint or your GRC tool, giving you one controlled, maintainable view of your entire documentation estate.

  • You save weeks of work. Rather than building 146 documents from scratch, your team adapts a professionally structured set. The heavy lifting of research, mapping and structure is already done.

Who is the DORA Document Library for? 

The library is designed for financial entities in scope of DORA and the people responsible for their operational resilience. That includes CISOs and information security leaders, risk and compliance officers, operational resilience teams, internal audit, and the management bodies who now carry personal accountability for ICT risk. It also supports the ICT third-party providers who must align with their clients' DORA obligations.

From documentation to tested capability

A complete documentation set is a powerful start, but paper alone does not make a firm resilient. The documents have to be understood, owned and rehearsed. This is where preparation turns into genuine readiness.

At Cyber Management Alliance, we help financial entities go beyond the paperwork. Our cyber tabletop exercises put your incident response documentation to the test in realistic scenarios, so you find the gaps in a safe setting rather than during a live event. Our NCSC-Assured Cyber Incident Planning and Response training equips your teams to lead through a crisis with confidence. And our incident response playbook creation and review workshops ensure the playbooks in your library are practical, current and genuinely fit for purpose.

The library gives you the structure. We help you make it real.

** GDPR & Privacy ** We wholeheartedly believe in your and our rights to privacy and in the GDPR. The bottom of the page explains how we use your data.

Please Fill the Form Below To Get Your Free Copy of the DORA Incident Response Document Library

cyber-essentials-certification
NCSC Certified Training B&W 300px
CSC

Frequently Asked Questions about the DORA Incident Response Document Library

  • 1. What is the DORA Incident Response Document Library?

    The DORA Incident Response Document Library is a complete inventory of the 146 documents a financial entity needs to meet its ICT incident response obligations under the EU Digital Operational Resilience Act. It groups every policy, procedure, register, checklist, form, playbook and report into 13 categories, each mapped to its relevant DORA article, RTS or ITS.

  • 2. What is DORA and who does it apply to?

    DORA is the Digital Operational Resilience Act, Regulation (EU) 2022/2554. It sets rules for how financial entities in the EU manage ICT risk, respond to incidents and report major incidents to regulators. It applies to a wide range of financial entities as well as the critical ICT third-party providers that serve them.

  • 3. How many documents does the library include?

    The library includes 146 documents across 13 categories. It also provides 15 full document profiles for the artefacts DORA makes mandatory, each specified across 22 fields, plus an Excel-ready master register with 18 columns that acts as your single source of truth.

  • 4. What are DORA's incident reporting deadlines?

    Under DORA, an initial notification of a major incident is due within four hours of classification as major and no later than 24 hours after the entity becomes aware of it. An intermediate report follows within 72 hours, and a final report is due no later than one month after the intermediate report.

  • 5. How does the library help me meet the four-hour reporting window?

    The library flags which documents must be completed live during an incident and ensures those forms exist as approved blank templates in advance. Because the templates are ready before an incident, your team records information rather than designing forms under pressure, which is essential for meeting DORA's tight deadlines.

  • 6. What do the M, C and R status codes mean?

    Each document carries a status code. M means the document is explicitly mandated by DORA or its technical standards. C means it is required in practice to evidence a mandatory obligation. R means it is a recommended good-practice document drawn from standards such as ISO 27035 and NIST SP 800-61.

  •  7. Can I import the library into my own systems?

    Yes. The master register is supplied as an Excel-ready CSV with 18 columns. You can import it directly into Excel, SharePoint or your GRC platform and maintain it as the single, controlled source of truth for your DORA incident response documentation.

  • 8. Is the library ready to use or does it need adapting?

    The library is a professionally structured template product. It gives you the complete inventory, structure, ownership and regulatory mapping, and it is designed to be adapted to your specific entity, sector and systems before use. A sector adaptation guide is included to support this.

We are industry experienced practitioners when it comes to cyber security training & cyber security consultancy services

1487652208_graduationcap

Training

We offer a host of courses including our NCSC Assured Training in Cyber Incident Planning and Response and our NCSC Assured Training in Building and Optimising Incident Response Playbooks.

1487652701_like

Virtual CISO Services

Hands On, full-support 'Security As a Service', specifically designed for organisations that require access to experienced cybersecurity, governance, risk and compliance professionals.

1487652784_calendar-3

Virtual Cyber Assistant

A unique, affordable, subscription-based, cybersecurity service for small to medium businesses, offering 280+ services in cybersecurity.

1487652846_microphone

Cyber Crisis Tabletop Exercises

Scenario-based, verbally-simulated tabletop attack exercises that test your organisation's ability to effectively respond to a cyber-attack.

1487652632_search

Ransomware Tabletop Exercise

Measure your organisation’s Ransomware Readiness with a unique blend of verbal and visual simulations and ransomware scenario walkthroughs.

1487652567_line-chart

Executive Cyber Awareness Sessions

Specially designed for executive management, CEOs and boards of directors, engaging them in a business context to help explain the threats and risks from cyber-attacks.

How we use your data:

  • Contact you about our services including, but not limited to, training, trusted advisory and consultancy.
  • Keep you posted on free resources and documents.
  • Update you on upcoming webinars and surveys.
  • Update you when we host our ground-breaking Wisdom of Crowds events.
  • Ask you, every now and then, if you want to take part in crowdsourced initiatives.
  • Our partners (we carefully select our partners) may contact you to arrange or demo or share more information with you about their products or services when you watch one of our sponsored webinars. Remember, you can always tell us or our partners, "No, not interested".
Cyber Incident Response Plan Template