DORA monitoring in a single inbox.
DORA (Regulation (EU) 2022/2554) has been fully applicable since 17 January 2025. Eighteen months in, supervisors are now in the second Register-of-Information cycle (annual submission deadline 31 March 2026) and the inspection focus has shifted from "is it set up?" to "is the third-party register actually complete and the sub-outsourcing chain mapped?". RTS, ITS, Q&As and national implementing acts continue to land across all three ESAs and every NCA — and CASPs are in scope alongside insurers and credit institutions. Horizon Scanner watches every source, scores each finding against your ICT-risk and third-party register, and routes it to the team that owns the response.
Scope
What DORA covers — and what we crawl for it.
Level-1 text and amendments
Regulation (EU) 2022/2554 itself plus any Council/Parliament-amending acts — surfaced from EUR-Lex the day they are published in the Official Journal.
RTS and ITS by ESA
All Joint-Committee final RTS and ITS, plus the EBA, EIOPA and ESMA single-authority technical standards — including draft consultations, public-hearing slides and the final adopted texts.
Supervisory Q&A and Guidelines
The EIOPA, EBA and ESMA Q&A databases are polled daily. Each answer is cross-referenced against the article it interprets.
TIBER-EU and threat-led penetration testing
Updates to the TIBER-EU Framework, national TIBER schemes, and threat-intelligence-led testing guidance from ECB and national competent authorities.
ICT third-party register obligations
Article 28 and the Register-of-Information ITS — second annual submission cycle closed 31 March 2026. Reporting deadlines, taxonomy updates, completeness-vs-supervisory-feedback diffs and Article 30 sub-outsourcing chains.
Major-incident classification and reporting
Articles 17–23 incident-reporting standards plus the major-incident classification criteria (Delegated Regulation (EU) 2024/1772) and reporting templates (CIR (EU) 2025/302), now live. Initial / intermediate / final notification cadence, supervisory letters, voluntary cyber-threat notifications.
Scope across financial institutions — including CASPs
DORA applies to all financial entities listed in Article 2(1), including CASPs authorised under MiCA and ART issuers. MiCA Article 68 cross-refers CASPs to DORA for ICT risk management. We tag findings with both frameworks where they apply.
How Horizon Scanner helps
Specifically for DORA teams.
- 01 Pre-filtered for ICT scope
Every fetched document is checked against the DORA scope taxonomy before scoring — supervisory letters on, for example, Solvency II reporting won't enter your DORA queue.
- 02 Dual-model verified
Every finding scored Impact ≥ 3 against DORA is verified by an independent second model before the routing rule fires. False positives are the most expensive failure mode in this domain.
- 03 Routed to IT-Security & TPRM
Default routing matrix sends RTS on sub-contracting to your Third-Party Risk lead, incident-classification updates to your CISO, and TIBER guidance to your Red-Team programme manager.
- 04 Inspection-ready audit trail
Every action — fetch, score, route, acknowledge, escalate — is recorded immutably with timestamp and actor. The 5-year retention is the default, not an upgrade.
Sources monitored
The regulators we crawl for DORA.
- EIOPA: DORA-related guidelines, Q&A database entries, technical standards consultations and final publications.
- EBA: Joint-Committee RTS/ITS, single-authority technical standards, supervisory expectations on operational resilience.
- ESMA: DORA-related technical standards, public statements affecting trading and market infrastructure.
- EUR-Lex: Regulation 2022/2554 and all delegated/implementing acts as published in the Official Journal.
- BaFin: MaRisk, BAIT/VAIT/ZAIT and DORA-implementing circulars, FAQ updates, supervisory expectations.
- FMA (AT): DORA-implementing guidance, FMA-Mindeststandards on ICT risk management, threat-led testing notifications.
- ACPR: Recommendations on outsourcing and ICT risk, supervisory letters to insurance and banking sectors.
- ECB: TIBER-EU framework updates, supervisory expectations on cyber resilience for significant institutions.
Custom sources can be added in minutes — supervisory blog feeds, association circulars, internal counsel memos all route through the same engine.
FAQ
What DORA buyers ask first.
How do you handle national transpositions and gold-plating?
Every national source is tagged with its jurisdiction. A national-supervisor circular implementing a DORA RTS lands in your inbox with both tags. Groups operating across multiple EU jurisdictions can either scope team subscriptions per jurisdiction or aggregate them.
Does the register-of-information ITS taxonomy stay current?
The ITS taxonomy is treated as a controlled vocabulary inside the routing engine. When EIOPA publishes a taxonomy update, the affected register entries are flagged for review with a diff against the previous version.
Can the audit trail satisfy a 5-year retention requirement?
Yes by default — and the export covers both the per-finding chain (fetch → score → route → acknowledge → escalate) and the configuration-change log (who edited which routing rule when). CSV and JSON exports are available on every tier.
How does dual verification work for DORA findings?
On Professional and Enterprise tiers, any document scoring Impact ≥ 3 on the primary classification pass is re-scored independently by a second, deliberately different processing layer. Disagreement triggers a human-review queue rather than auto-routing. False positives are the most expensive failure in ICT compliance.
Go deeper
More on DORA in depth.
- Glossary: DORA Art. 28 — ICT third-party register
- Glossary: Register of Information (DORA)
- Glossary: TLPT — threat-led testing
- Analysis: DORA inspection readiness 2026
- Analysis: DORA reporting deadlines: the 4-hour rule
- Framework: NIS2 monitoring
- Industry: Banks
- Industry: Insurers
- Industry: Crypto-asset firms
- Calendar: The EU compliance calendar 2024–2028 — every deadline at a glance