DORA implementation: ICT compliance

We prepare financial institutions and their suppliers to meet the requirements of the DORA regulation. We check and assess gaps, implement key policies and processes (ICT risk, incidents, resilience testing, business continuity, suppliers) and organise infrastructure: 24/7 monitoring, backups, HA and a complete set of documents for audit.

488

publicly reported incidents

of incidents involved credit institutions

4.44

M €

average global cost of a data breach

How do we operate?

Information

Benefits

FAQ

Recommendations

Contact

Strona główna DORA implementation

DORA Regulation: how compliance is implemented

From gap assessment to audit readiness!

We start with a concise gap assessment aligned with DORA requirements, evaluating maturity in the areas of ICT risk, incident management, business continuity (BCM/DRP), resilience testing, and supplier management. The results are turned into a clear roadmap with priorities, owners and metrics.

Next, policies and procedures are implemented and the technical layer is organised: 24/7 monitoring and alerts, backups with restoration tests, HA/geo-redundancy, registers (risks, incidents, changes), runbooks and playbooks. We prepare DORA report templates (4h/24h/72h/1 month), required provisions in SLAs/supplier contracts and an exit plan.

Audit

We identify DORA gaps and risks in ICT infrastructure and processes.

Design

We create policies, procedures, registers and an implementation roadmap with KPIs.

Plan implementation

We implement processes and tools (risk, incidents, BCM/DRP, 24/7 monitoring, backups, HA) and compile evidence for audit.

Incident simulations

We practise scenarios, test resilience (tabletop/TLPT) and consolidate the reporting required by DORA.

Where to start with DORA implementation?

DORA audit (gap assessment)

A comprehensive review of processes and ICT with a gap map, priorities and a clear roadmap

A DORA audit (gap assessment) is a structured review of your processes and infrastructure against the five pillars of DORA. We work with documents and configurations, speak with the team, review architecture, logs, RTO/RPO and alert thresholds.

Areas covered include risk and incidents, business continuity (BCM/DRP), 24/7 monitoring, backup/HA, identity and access management (IAM), vulnerabilities/patching, registers, and collaboration with suppliers.

The result is a gap map with impact assessment, division into quick wins and projects, and a roadmap with owners and KPIs, plus a list of missing policies/procedures/registers (evidence pack). This way you know what to do first and why.

DORA policies, procedures and registers

Ready-made, customised templates: ICT risk, incidents, BCM/DRP, resilience testing, registers and evidence pack.

Policies and standards: ICT risk, incident, business continuity (BCM/DRP), resilience testing, supplier security and contract management
Operational procedures (SOP + runbooks): incident detection/triage/classification, 4h/24h/72h/1 month reporting, CAB/changes, restoration tests, patch management, crisis communication.
Registers required by DORA: risks, incidents, assets, changes, access (IAM), vulnerabilities, suppliers/contracts, acceptance exceptions.
Annexes and forms: RACI matrix, materiality criteria, KPIs/KRIs, report templates (KNF/ESAs), audit checklists, SLA clauses (RTO/RPO, exit plan, audit rights).
Formats and integration: Word/Google Docs, Confluence, Jira/Service Desk; versioning in Git and clear mapping to existing tools.

The result: a coherent, practical set of documents and artefacts that the team actually works with—not just paperwork for the audit.

Technical implementation for DORA

24/7 monitoring and alerts, backups with restoration tests, HA/hardening, central logs/SIEM and operational runbooks

Technical implementation for DORA means translating regulatory requirements into specific controls within your infrastructure, making it manageable, measurable and auditable.

24/7 monitoring and alerts: metrics, logs and synthetic tests, Critical/High/Warning/Info thresholds, on-call escalations and response playbooks.
Backups with restoration tests: 3-2-1 rule, encryption, immutable copies (WORM), cyclical restore drills aligned with defined RTO/RPO.
HA / DR: clustering and automatic failover, segmentation, emergency runbooks and regular failover tests.
Hardening and access: baseline (e.g. CIS), MFA/PAM, secret rotation, patching windows, and vulnerability scanning with remediation.
Centralised logs / SIEM: log ingestion, detection correlations, retention aligned with policy and reports for audit purposes.
Operational runbooks: step-by-step guides for incidents and changes, linked to event classification and 4h/24h/72h/1 month report templates.

Incidents and reporting (national supervisory authorities, ESAs)

4h/24h/72h/1 month process, materiality thresholds, forms and automations—along with predefined message templates.

What do we report?
Events meeting materiality thresholds (impact on clients/services, downtime duration, data loss, spread, supply chain).
How is the decision made?
Criteria matrix + report/no-report checklist, decision owner and acceptance trail.
How is reporting performed?
Predefined forms and channels to the relevant supervisory authority, reference number, incident register.
What is automated?
A draft submission is created from SIEM/monitoring in ITSM (fields, timestamps, impact metrics), versioned in Confluence/Git.
How is communication handled?
Message templates for clients/partners, Q&A for PR, integration with status page and crisis communication plan.
How do we close?
Final report with RCA, corrective actions, runbook and KPI/KRI updates.

ICT supplier management and exit plan

Due diligence, DORA clauses in SLAs, ongoing risk monitoring and a practical exit plan

What is done:

Due diligence (before launch): rapid supplier assessment, DORA/NIS2 compliance checklist, verification of certificates, sub-supplier chain and data flows.
Supervision (during cooperation): KPIs/KRIs, incident thresholds and escalation paths, supplier risk register, cyclical reviews and an up-to-date evidence pack.
SLA clauses (essentials): RTO/RPO and availability, audit rights, notification of sub-supplier changes, data location/portability, incident reporting principles.
Exit plan (without downtime): export formats and data ownership, cutover/rollback scenario, schedule and access termination + acceptance criteria.

The result is full control of supply-chain risk and predictable service provider changes—without chaos and with a complete set of audit evidence.

They recommend us

Check out what our partners are saying about us!

Trust and partnership approach to projects

Our long-standing cooperation with Centuria is based on high trust and partnership approach to projects, but also on the camaraderie within the project teams. Flexibility, good communication and our sense of security resulting from the support of a team of experts very familiar with Magento make us ready to recommend Centuria to others. We feel that we can always rely on them.

Borys Skraba - CEO

Strix

Proactive business partner

Centuria is a proactive business partner that doesn't wait for us to make a move, but independently looks for needed solutions or improvements that we can implement together. Together we have been working for years for the success of one of the largest Magento instances in Poland. Sincerity in cooperation and professional advice, which we are happy to use for years, are invaluable to us. With a clear conscience, we can recommend Centuria as an infrastructure expert.

Kuba Zwoliński

Snowdog

Partnership based on trust

We want to deliver high value to our customers. The key to ensuring the secure and smooth operation of Magento stores is the right server solutions. We needed a proactive partner in this area, one that looks for the best possible solutions itself and is very proactive. Centuria, with whom we have been working for about 2 years now, is such a partner for us. We really like how they streamline and organize every project they start working on. Centuria is a partner we trust and can recommend as an expert in server solutions for Magento.

Mateusz Ogonowski - Co-founder

Growcode sp. z o.o.

Recommended company

We have been working with Centuria for many years, valuing the team's extensive knowledge, experience and flexibility. The company stands out for its extremely professional approach to support and high responsiveness to the tickets we throw in. It is a great advisor on IT infrastructure management. A reliable business partner for the implementation of large e-commerce projects on Magento - definitely worth recommending.

Rafał Gadomski - CEO

Advox Studio

A reliable and competent partner!

We highly value cooperation with Centuria for their proactive approach, expertise and commitment at every stage of the project. Centuria's team has helped us more than once in selecting server solutions for our clients, and thanks to their experience and professional support, we have received solutions tailored to specific business needs. We recommend Centuria to anyone who needs a reliable and competent partner in the area of IT infrastructure.

Cezary Kożon - CEO

Spyrosoft Ecommerce S.A.

Acting in the customer's interest

In our opinion, Centuria is distinguished above all by acting in the interests of the client's company. Working with them, you can count on a personalized and individual approach to even the most difficult cases. We feel that the proposed solutions are "tailor-made" to our needs, by involving our agency in the process of their creation, based on joint discussions of possible solutions.

Paweł Biliński - CTO & co-founder

Lizard Media

Professionalism and expertise

I value the cooperation with Centuria above all for its professionalism and expertise related to Magento. This is an invaluable asset in critical situations. The 24/7 support gives great peace of mind to both us and our clients. I strongly recommend Centuria to anyone who takes business seriously and counts on a professional, stable partner for the development of their business.

Szymon Niedziela - CEO

Panda Group

Professionalism and high commitment

Together with Centuria, we are developing one of the largest e-commerce sales platforms based on Magento in Poland. Professionalism and high commitment directly translates into results. Centuria are specialists in administration and management of infrastructure with a very complex structure and a multitude of links between systems. The continuity and availability of the aforementioned system since the beginning of our cooperation is maintained in a way that meets our requirements, and orders are carried out with the utmost care.

Tomasz Stefanowski - Web Development Manager

Castorama Poland

Centuria proved a reliable and responsive partner for many years.

The team never left us wondering if things were getting done. We instead had full confidence that this knowledgable team knew what to do and that they'd get it done. I write this review because changes within our organization moved us in a different direction and we now no longer work with Centuria. To show my appreciation for their attentiveness and effectiveness

Charles Nicoletti

mTab

A reliable and experienced partner

Due to the specific nature of our e-commerce project gear.cdprojektred.com, we needed a reliable partner well-versed in modern technologies to quickly and efficiently implement the infrastructure for our application. Centuria handled the task in an exemplary manner and additionally ensured the stability of sales during the large promotional campaigns we were conducting.

Aleksandra Jarośkiewicz - Board Member

CD PROJEKT RED STORE

FAQ

In what ways is your DORA implementation more than "just documentation"? What do you actually deliver?

We do not just produce policies; we implement working processes and controls.

What we deliver specifically:

Gap assessment: gap map, priorities, roadmap and KPIs/KRIs.
Set of policies/procedures + registers (risk, incidents, BCM/DRP, testing, suppliers) fine-tuned to your organisation.
Configured technical controls: 24/7 monitoring and alerts, backups with tests, HA/DR, centralised logs/SIEM, IAM and hardening.
Incidents and reporting: 4h/24h/72h/1 month workflow, forms and message templates.
Suppliers: due diligence, DORA clauses for SLAs, exit plan.
Evidence pack + runbooks and short training sessions for the team.

What is the first step of cooperation and what data do you need to get started?

A short kick-off call (30–45 min) + NDA. We define the scope, process owners and read-only access. We send a checklist and export formats.

What we need to get started (minimum):

List of critical systems/services + owners and RTO/RPO.
Architecture diagram (on-prem/cloud/containers) and main integrations.
Current policies/procedures (incidents, BCM/DRP, backup, patching), if available.
Monitoring/logs: sample alerts, SLO/SLA, tools in use (ITSM/SIEM).
Backup/DR: schedule, most recent restoration tests.
Suppliers: list + key SLAs/agreements, incidents from the last 12 months.

"DORA: from when?" — what are the key dates and milestones (including RTS/ITS)?

Key DORA dates (summary):

16 Jan 2023 — the regulation enters into force (preparation period).
17 Jan 2024 — ESAs publish the first package of final RTS/ITS drafts.
17 July 2024 — second package: 4 RTS, 1 ITS and 2 guidelines; submitted to the Commission for adoption.
23 Oct 2024: the Commission adopts RTS/ITS on incident/cyber threat reporting (4h/24h/72h/1 month).
17 Jan 2025: DORA applies (no transition period); including the obligation to maintain an ICT contract register.
28 Apr 2025 (PL): deadline for submitting the ICT contract register to national supervisory authority (one-off national milestone).

Can you integrate DORA processes with our tools (Jira/ServiceNow, SIEM, monitoring, ITSM)?

Yes. We integrate DORA processes with your stack without replacing any tools, or recommend changes for the future.

What we do in practice:

Jira / ServiceNow (ITSM): Incident/Problem/Change ticket types, DORA-specific fields, SLA/KPIs, automatic on-call escalations, report templates and RCA checklists.
SIEM & logs (e.g. Splunk, Elastic, Sentinel, QRadar): rule mapping for DORA severity levels, webhooks for ITSM, contextual evidence (event ID, evidence, timeline) and auto-creation of submission drafts.
Monitoring/APM (Prometheus+Alertmanager, Grafana): Critical/High/Warning/Info thresholds, service tagging, alert routing, dashboard snapshots for the evidence pack.
CMDB/service catalogue: criticality, owners, RTO/RPO, links (ERP/PIM/WMS), supplier dependencies—for materiality reporting.
Runbooks and knowledge base (Confluence/Knowledge Base): “Execute runbook” commands, communication checklists (KNF/ESAs, clients, PR), and change versioning
SSO/RBAC & audit: OIDC/SAML, least privilege roles and permissions, full change trail and policy-compliant retention.
Integration standards: OpenTelemetry, syslog, API/webhooks; we connect with your existing environment.

What does the DORA audit (gap assessment) look like and what does it cover?

Audit process (in brief):

Kick-off + NDA → scope, owners, read-only access.
Document review & interviews → policies, procedures, registers.
Configuration review → monitoring, backup/DR, logs/SIEM, IAM, patching.
Maturity assessment & scoring → gaps, impact/risk, quick wins.
Report & roadmap → priorities, owners, KPIs/KRIs.

Scope in line with DORA:

ICT risk, incidents and reporting (4h/24h/72h/1 month).
Resilience testing (BCM/DRP, restore drills, coordinated tabletop/TLPT).
ICT supplier management (due diligence, SLA, audit rights, exit strategy).
Evidence / registers (risks, incidents, changes, access, contracts, assets).
Technical layer: 24/7 monitoring and alerts, backups (3-2-1/WORM), HA/DR, IAM/MFA, logs/SIEM, vulnerabilities/patching.

Do you support on-prem, private cloud and public cloud environments (AWS/Azure/GCP)?

Yes, absolutely.

Private cloud: ours and the client’s (VMware/Proxmox/K8s)—design, hardening, HA/DR, monitoring, backup/restore drills.
Public cloud (AWS/Azure/GCP): landing zone, IAM/MFA, S3/Blob/WORM, observability, DORA reporting automations.
On-prem: remote only (architecture, configurations, audits, runbooks)—no physical work in the DC.