Skip to main content
ITSMx
DORA — Digital Operational Resilience Act

File your DORA initial notification inside the 4-hour window — from the incident your team is already working.

ITSMx embeds DORA major-incident classification, reporting cascades, and the Register of Information into the same records your service desk works every day. No second system, no template reconstruction.

Request a demo
What the regulation requires → what ITSMx produces

Capabilities

DORA
Art. 18Major-incident classification (7 RTS criteria)

Incidents are scored against the seven RTS criteria as they are worked. Classification is embedded in the incident form, not a separate process.

DORA
Art. 194h / 72h / 30d reporting cascade

Initial notification within 4 hours, intermediate report within 72 hours, final report within 30 business days. Timers start automatically when an incident is classified as major.

DORA
Art. 28(3)Register of Information (XBRL + CSV)

Export the register of all ICT third-party service providers in the format expected by competent authorities. Data is sourced from the CMDB and integration catalog.

DORA
Art. 29Concentration risk evidence

Identify dependencies on single ICT providers across business functions using CMDB relationships. Surface concentration before the auditor asks.

DORA
Art. 10Critical-CVE detection evidence

CVE tracking on CIs linked to business-critical functions, with evidence of detection and remediation timelines for Art. 10 resilience testing.

DORA
Art. 8Change testing evidence

Change records carry test evidence, CAB approval chains with segregation of duties, and rollback documentation — linked to the CIs affected.

Common questions

DORA FAQ

Not yet. The platform produces the report content and tracks cascade timelines, but submission to your national competent authority is manual. Automated submission is on the roadmap.
All seven: clients affected, transactions affected, reputational impact, duration/service downtime, geographical spread, data losses, and criticality of services affected.
Yes. The CMDB supports typed relationships between service providers, sub-processors, and ICT services, surfacing the chain for Art. 28–29 reporting.
DORA applies to financial entities and their critical ICT third-party providers. The DORA toggle set is designed for both, but you only enable what applies.

Informational only — not legal advice. Consult qualified counsel for regulatory obligations specific to your organization.

See the DORA cascade running on a live incident.

30 minutes. We'll map it to your major-incident classification and reporting obligations.

Request a demoTalk to us