
DORA Article 19, 28 and 30: Why an ISMS Is No Longer Enough for Financial Entities
DORA requires operational client communication during incidents, an up-to-date ICT provider register, and continuous monitoring. An ISMS alone cannot deliver this.
The DORA regulation has applied directly to nearly all financial entities in the EU since January 17, 2025. It introduces requirements that a traditional ISMS cannot meet – particularly around client communication and continuous monitoring of ICT service providers.
What an ISMS Covers – and What It Doesn't
An ISMS aligned with ISO 27001 delivers governance: policies, risk registers, controls, annual audits. DORA builds on this – Articles 5 and 6 require a documented ICT risk management framework under the responsibility of the management body. An ISMS can deliver that.
But DORA goes significantly further in three areas:
1. Article 19(3): Clients Must Be Informed Without Undue Delay
DORA doesn't only introduce reporting deadlines to supervisory authorities (4 hours for initial notification, 72 hours for intermediate report, 1 month for final report). Article 19(3) additionally requires:
"Where a major ICT-related incident occurs and has an impact on the financial interests of clients, financial entities shall, without undue delay as soon as they become aware of it, inform their clients."
This is new: communication doesn't only flow vertically to the authority, but horizontally to business partners. An ISMS documents incidents internally – it provides no channel for structured real-time client communication.
2. Article 28(3): The Information Register Must Be Up to Date
Financial entities must maintain and update a complete register of all ICT third-party service providers – not as a one-off exercise, but on an ongoing basis. Supervisory authorities such as BaFin can request this register at any time.
An ISMS typically contains a vendor list. But a register in the DORA sense requires structured, current data on contract scope, locations, subcontractors, and criticality – ideally in a format that can be populated automatically.
3. Article 30(3)(e): Continuous Monitoring – Not Annual Audits
DORA requires in contracts with critical ICT service providers "the right to monitor on an ongoing basis the performance of the ICT third-party service provider." At the same time, the regulation references mechanisms such as "access, inspection and audit rights" and "on-site inspections."
Here lies a gap: DORA demands continuous monitoring but presupposes instruments from the world of annual audits. No financial entity can conduct quarterly on-site inspections of 30 ICT service providers. What "continuous" means operationally must be solved differently: with dashboards, automated status updates, and structured data feeds.
The Solution: ISMS for Governance, Trust Center for Operations
DORA implicitly separates two worlds: internal control and external communication. An ISMS covers the first. For the second – client communication during incidents, continuous provider monitoring, an up-to-date information register – an operational system is needed.
A Trust Center bridges exactly this gap: it makes security posture visible, enables proactive communication, and delivers structured data that clients can directly incorporate into their own information registers.