
DORA without tears: a practical reading for operators.

Whitepaper · 2026.04 · 18 min read

DORA is a long directive. Six clauses drive ninety percent of the engineering work. Start there.

ICT risk management framework.

Article 6 is the spine. Document your framework, your governance, and your responsibilities — and make those documents reflect what your team actually does, not what you wish they did.

The auditor reads the doc, then watches the work. Mismatch is the source of most adverse findings.

Major-incident reporting.

Articles 17–23 set the clock. The clock starts at detection, not at acknowledgement. Build the detection-to-classification path before you build the report itself.

Every minute spent classifying is a minute on the clock. Pre-built classification trees, with human gates for the edge cases, are the difference between a 4-hour first-report and a 24-hour scramble.

Third-party risk.

Article 28 onward. Supplier mapping, concentration analysis, exit plans, and sub-outsourcing transparency.

Most institutions discover at this clause that their supply graph is a tree of unknowns. Make the graph queryable before you write the policy.
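One way to make the supply graph queryable, as an added example (not Raven's code, and the vendor names are constructed sample data): functions point to their direct suppliers, suppliers point to their sub-outsourcers, and an undisclosed sub-outsourcer is recorded as an explicit "UNKNOWN" node so the gap is visible in every concentration query rather than silently absent.

```python
"""Queryable supplier graph for the third-party-risk clause (added example).
Edges run from a business function to its direct suppliers and from a
supplier to its sub-outsourcers. An undisclosed sub-outsourcer is stored as
the explicit node "UNKNOWN". All names are constructed, not a real inventory."""
from collections import defaultdict

# Constructed sample: function -> direct suppliers, supplier -> sub-outsourcers.
EDGES = {
    "payments":          ["core-banking-saas", "card-processor"],
    "customer-portal":   ["core-banking-saas", "cdn-vendor"],
    "treasury":          ["market-data-feed"],
    "core-banking-saas": ["cloud-eu-1", "UNKNOWN"],  # one sub-outsourcer not disclosed
    "card-processor":    ["cloud-eu-1"],
    "cdn-vendor":        [],
    "market-data-feed":  ["cloud-eu-1"],
}
CRITICAL_FUNCTIONS = {"payments", "customer-portal", "treasury"}


def providers_of(node, edges=EDGES):
    """Every provider, direct or transitive, behind a node (cycle-safe)."""
    seen, stack = set(), list(edges.get(node, []))
    while stack:
        supplier = stack.pop()
        if supplier not in seen:
            seen.add(supplier)
            stack.extend(edges.get(supplier, []))
    return seen


def concentration(edges=EDGES, critical=CRITICAL_FUNCTIONS):
    """Map each provider to the critical functions that depend on it,
    most concentrated first; this is the input to exit-plan prioritisation."""
    dependents = defaultdict(set)
    for fn in critical:
        for provider in providers_of(fn, edges):
            dependents[provider].add(fn)
    return dict(sorted(dependents.items(), key=lambda kv: -len(kv[1])))


def undisclosed_exposure(edges=EDGES, critical=CRITICAL_FUNCTIONS):
    """Critical functions whose supply chain ends in an undisclosed node."""
    return {fn for fn in critical if "UNKNOWN" in providers_of(fn, edges)}


if __name__ == "__main__":
    for provider, fns in concentration().items():
        print(f"{provider:18} underpins {len(fns)} critical function(s): {sorted(fns)}")
    print("undisclosed chain behind:", sorted(undisclosed_exposure()))
```

Run against a real inventory, the first rows of concentration() are the providers whose failure takes down the most critical functions, and undisclosed_exposure() is the list of suppliers to chase for sub-outsourcing transparency.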

Threat-led penetration testing.

Article 26. Less work than people fear, more discipline than they expect. The output is not a report; it is a roadmap of corrective actions, with owners and deadlines.

Treat it as a forcing function for the corrective backlog you already maintain.

Information sharing.

Article 45. Mostly governance — define what you share, with whom, under what protection, and route it through people empowered to decide.

Easy clause to underestimate, easy clause to fail.

Documentation that survives.

The whole directive lives or dies on whether your documentation reflects reality at the moment of inspection.

Living documents, owned by named individuals, refreshed on cadence. That is the work.