Three Gaps That ESMA Supervision Will Find First
DORA's ICT risk management framework requirements are specific enough that the gaps in an incomplete program are predictable. Examiners will look for an ICT asset inventory with classification against the risk framework, a documented workflow for major ICT incident reporting to the relevant NCA, and a register of information for third-party ICT providers — the vendor dependency map that regulators view as the systemic risk disclosure. Firms that became subject to DORA in January 2025 without these three elements in place face a narrowing window before supervisory engagement moves from informal to formal. Compliance and risk teams of 10–30 people rarely have the bandwidth to build all three from scratch while managing routine reporting obligations.
A Single Deployment That Delivers the Full Framework
An AI Labor Company agent works across iManage, OneTrust, Workiva, and Diligent to build the three core DORA deliverables in sequence. It produces the ICT asset inventory with risk classifications mapped to DORA's prescribed categories, builds the major incident reporting workflow in Workiva for NCA submission with escalation routing and timeline controls, and generates the ESMA register of information for third-party ICT providers from your existing vendor documentation. The result is a complete, documented DORA framework — not a gap assessment or a project plan, but operational outputs. Teams in this position typically see the production timeline compress by 60–80%, with deployments live in roughly ten weeks.
The Risk Equation: What Delayed Implementation Actually Costs
DORA non-compliance exposes EU financial entities to supervisory escalation that can include mandatory corrective orders and financial penalties. More practically, the operational risk of running without a documented major incident reporting workflow is real — an ICT incident during a period of non-compliance is a compounded exposure. Completing the framework also has a longer-term efficiency dimension: a properly structured DORA program reduces the overhead of each subsequent annual review, makes vendor risk assessments faster to execute, and positions the compliance team to handle regulatory updates incrementally rather than running another remediation cycle.
We have partial documentation in multiple systems. Does the agent need us to have everything organized before deployment?
No. The agent is designed to work from your current state — partial documentation, inconsistent formats, vendor data scattered across iManage and OneTrust. It identifies what exists, flags what's missing, and produces the deliverables based on what's available while documenting gaps that require human input.
Does the ESMA register of information need to be in a specific format?
Yes — ESMA has prescribed templates for the register of information under DORA. The agent produces output aligned to those templates, populated from your vendor documentation and ICT asset data.
How do we update the framework as our ICT environment changes?
The agent establishes the initial framework and workflow in Workiva. Ongoing maintenance — adding new ICT assets, updating vendor entries, processing incident reports — can be handled by the same agent operating on a standing periodic review cadence.