The Digital Operational Resilience Act & IT Asset Management
Roel Dufifie
1. DORA
1.1. What is DORA?
DORA stands for the Digital Operational Resilience Act, Regulation (EU) 2022/2554. It entered into force on January 16, 2023, and has applied since January 17, 2025. As it is an EU regulation, it is directly applicable in all EU member states without national transposition.
The purpose of the regulation is to strengthen the financial sector’s resilience in the event of disruptions to the critical digital business processes of financial institutions. This includes situations such as the unavailability of IT services, which would prevent banks and insurance companies from processing payments for their customers, or cyberattacks that result in customer data being exposed.
The regulation distinguishes between several focus areas. There are chapters on ICT risk management; ICT-related incident management, classification, and reporting; digital operational resilience testing; management of ICT third-party risk; and information-sharing arrangements. These chapters are further divided into sections and articles that give the regulation its detailed content. It is important to note that many of DORA’s requirements are already partly covered by existing agreements. For example, IT contracts for critical services often already include provisions on incident reporting, outsourcing to third parties (subcontractors), and Service Level Agreements (SLAs) regarding IT service availability.
Financial institutions have had since January 16, 2023, to comply with DORA. However, in practice, many institutions are not yet fully compliant. One common issue is uncertainty around DORA’s applicability—whether a process or IT service is considered “critical” under DORA. Some IT service providers may believe they are not delivering critical services, whereas financial institutions may argue the opposite. Furthermore, the consequences for non-compliance are severe—not just fines, but also reputational damage and a loss of trust in the financial sector. In short, while DORA aims to enhance IT resilience in the financial industry, it still raises many practical questions.
1.2. Contractual consequences of DORA
The consequences of DORA are numerous. Institutions must implement uniform rules for ICT risk management, conduct regular resilience testing, and report major ICT-related incidents to regulators such as DNB (De Nederlandsche Bank) and/or AFM (Dutch Authority for the Financial Markets). Article 3(10) of DORA defines a major ICT-related incident as one with a high adverse impact on the network and information systems that support critical or important functions of the financial entity. Additionally, there must be more oversight of third parties (third-party risk management), business continuity and recovery plans must be in place, and there must be greater willingness and capacity to voluntarily share information about cyber threats and ICT vulnerabilities. At a high level, DORA has the following practical implications for IT providers and their clients:
1.2.1. Amending existing IT contracts
Existing IT contracts must be amended to comply with DORA requirements. This could be done at a natural point in time, such as during contract renewal before January 17, 2025. If no such moment occurred, the contract needed to be amended mid-term. In practice, this has proven to be a challenge. Some parties incorporate DORA requirements into their existing contracts, but most use a standard format (addendum) to make the contract DORA-compliant. The issue here is that various formats exist, and parties often disagree on which format is appropriate or optimal. Party X may want to use format A, while counterparty Y insists on format B. This leads to delays, additional negotiations, legal consultations, and risk assessments. It can also harm the working relationship between the parties more than it helps.
1.2.2. Concluding new DORA-compliant contracts
New contracts must also comply with DORA. The advantage here is that parties can adjust their general terms and conditions to ensure the new contract is immediately DORA-compliant. For instance, the general terms could include a reference to a DORA addendum or specific DORA-related clauses, along with automatic acceptance. However, the problem often lies in which party’s general terms and conditions apply. Each party typically wants its own terms to govern the agreement.
Moreover, DORA-driven general terms and conditions may conflict. For example, DORA might require that IT providers supply information to clients free of charge if requested by a regulator such as DNB. However, the IT provider’s own terms might state that while they will supply the information, they are entitled to charge reasonable costs.
1.2.3. Transparency around subcontractors
DORA requires clear visibility into which critical IT services have been outsourced and which subcontractors are involved. It must be clear who the subcontractors are for each critical IT service. If such services are casually outsourced to any third party, this poses a significant risk to the financial institution’s resilience. It is crucial to know which subcontractors have access to sensitive business or customer data. Do subcontractors only have access to the data they truly need? What happens in case of a data breach involving a subcontractor? Is there a protocol for who to contact and how quickly to act? Can an IT provider replace a subcontractor without consent from the client, or is approval required? These and other questions are not always easy to answer, which underscores the need for full transparency about who provides critical IT services and who is responsible when things go wrong.
2. ITAM
2.1. What is ITAM?
IT Asset Management (ITAM) is a strategic discipline in which an organization systematically tracks, manages, and optimizes its IT assets throughout their entire lifecycle. IT assets include hardware (such as laptops, servers, and printers), software (such as licenses and applications), and digital assets (such as cloud subscriptions and virtual machines). Organizations often use specialized ITAM software to gain insight into these assets.
ITAM has several objectives. The most important are:
- Cost control: keeping an eye on expenses and avoiding unnecessary purchases. It’s wasteful to buy software Y when software X – already available – offers the same functionality. It’s also wise to check if a used laptop is available for a new employee before ordering a new one.
- Compliance: adhering to and enforcing (software license) terms to reduce audit risks and the associated financial consequences. This includes not only avoiding fines but also retroactively paying for overuse of licenses in past years, costs related to audits, possible legal expenses, and reputational damage.
- Security: identifying and managing unauthorized or illegal software and outdated hardware. For example, preventing employees from installing illegal or potentially harmful software, which could unintentionally introduce malware onto a laptop or into the company network.
- Efficiency: using IT assets optimally to prevent overcapacity or underutilization. For instance, evaluating whether department X truly needs 1,000 licenses for software Y annually, or whether only 500 are actually used.
- Lifecycle management: managing IT assets from acquisition to retirement or disposal. This provides insights and predictability into future costs, which can then be incorporated into long-term financial planning. It also allows timely procurement, ensuring uninterrupted operations. The IT Asset Lifecycle is discussed in more detail in section 2.3.
2.2. HAM, SAM, and CAM
ITAM is an umbrella term and discipline. Key components and subfields of ITAM include Hardware Asset Management (HAM), Software Asset Management (SAM), and Cloud Asset Management (CAM).
Hardware Asset Management (HAM) involves managing physical IT assets, such as servers, desktops, laptops, printers, mobile devices, and network equipment. HAM ensures these physical assets are used efficiently, maintained properly, and disposed of appropriately at the end of their lifecycle, in compliance with applicable laws and regulations. Before purchasing new hardware, existing resources are reviewed. If new hardware is purchased, depreciation is recorded, enabling timely replacement. This provides economic value while also promoting sustainability through reuse or reallocation of hardware.
Software Asset Management (SAM) focuses on managing software applications and licenses. It helps organizations optimize software usage and reduce costs, maximizing the value of IT investments. It also supports compliance and reduces legal risks, such as fines or retroactive payments for software overuse due to non-compliance with license terms.
Cloud Asset Management (CAM) concerns the management of cloud-based assets, subscriptions, and associated costs. It ensures effective and economical use of cloud resources, such as servers, databases, software, licenses, and data in cloud platforms like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform. Key tasks include inventory tracking, monitoring, and automation. As with other ITAM components, the ultimate goals are cost control and compliance—with both regulatory and security requirements.
2.3. The IT Asset Lifecycle
All IT assets—whether hardware, software, or cloud-based—follow a lifecycle. Understanding this lifecycle is essential for effective asset management. The IT Asset Lifecycle consists of the following phases:
- Planning: identify the need for new assets and determine the best method for acquisition. First, check if the required assets already exist, if suitable alternatives are available, or if assets are stored in other departments.
- Procurement: if assets are necessary and not available internally, proceed to acquisition—either by purchase or lease. A strong future-oriented procurement strategy is essential for cost savings. For example, if expansion is expected, buy hardware in bulk at a discount. If licenses are needed for a proof of concept, purchase only what is currently required. A skilled procurement team is critical for cost control.
- Deployment: install and configure the assets for use. Optimize configurations to maximize value—particularly for newly purchased assets expected to have a long lifespan. Take the time to do this right.
- Utilization: actively use the assets in daily operations. If an asset is no longer needed or underused, consider returning, selling, or downgrading it (e.g., removing add-on cloud subscriptions). Ask employees and stakeholders if the asset meets expectations.
- Maintenance: perform regular updates to mitigate security risks. Repair and support assets for optimal performance and user satisfaction. After updates or repairs, check with stakeholders to ensure the asset is functioning as expected. If not, contact the vendor—can they offer support or compensation?
- Retirement: decommission assets that are no longer needed or functional. Track hardware depreciation carefully. For software and cloud assets, check license terms for cancellation periods. Consult stakeholders on future use: should the asset be reused, kept as a backup, or permanently retired?
- Disposal: properly dispose of assets that are no longer needed or functional. Ensure data is securely erased and comply with environmental regulations. For example, when disposing of a laptop, sensitive company and personal data must be fully erased before handing it over to a disposal partner. Verify that the partner complies with environmental laws.
2.4. Best practices for ITAM
To conduct effective IT Asset Management, following best practices is essential. The following practices outline the key steps an organization should take:
- Maintain an accurate inventory: keep a detailed, up-to-date record of all IT assets. If you don’t know what you have, you can’t manage it. This is also vital for cybersecurity. Use specialized tools to monitor software usage and avoid under- or over-licensing.
- Automate asset discovery: use a centralized ITAM tool to automatically detect and track assets on the network. Use both agent-based and agentless discovery for real-time visibility of hardware and software. Limit shadow IT by regularly scanning the network and reconciling what is found against the register. Ensure integration with your Configuration Management Database (CMDB), IT Service Management (ITSM), software deployment tools, and financial systems. Boost compliance by integrating ITAM with cybersecurity processes and aligning with regulations such as the General Data Protection Regulation (GDPR) and the ITAM standard ISO/IEC 19770.
- Standardize processes: develop clear policies and procedures for asset management. Define ITAM goals and align them with broader organizational strategies such as cost reduction, compliance, or security risk reduction. Integrate ITAM policies into ITSM processes and governance frameworks.
- Define roles and responsibilities: clearly allocate tasks among IT, procurement, finance, and legal departments. Assign asset owners and managers. Schedule regular coordination between departments and foster collaboration.
- Implement lifecycle management: manage IT assets from procurement through to disposal. See section 2.3 for more detail.
- Conduct regular internal audits: perform regular physical and digital audits to ensure compliance and identify improvement areas. Compare the actual inventory with administrative records, correct discrepancies, and update documentation.
- Train staff: awareness starts with training employees on ITAM policies and the importance of asset management. Teach staff how to properly register assets. Integrate ITAM into IT training, e-learning modules, and onboarding processes.
- Measure and report: define Key Performance Indicators (KPIs), such as license compliance, asset accuracy, asset coverage in ITAM tools, and active assets that have already been depreciated. Use dashboards to track performance and make informed decisions.
3. How ITAM contributes to DORA compliance
3.1. Supporting ICT risk management
Articles 5 through 10 of DORA outline obligations in the area of ICT risk management. For example, financial entities must have an internal governance and control framework that ensures effective and prudent management of ICT risk in order to achieve a high level of digital operational resilience (Art. 5.1 DORA). They must also have a solid, comprehensive, and well-documented ICT risk management framework as part of their overall risk management system, enabling them to address ICT risk swiftly, efficiently, and comprehensively (Art. 6.1 DORA).
Article 7 DORA requires financial entities to use up-to-date ICT systems, protocols, and tools to address and manage ICT risk. Article 8.1 DORA obligates financial entities to properly classify and document all ICT-supported business functions, responsibilities, and the information and ICT assets supporting those functions, including their ICT risk dependencies. Furthermore, financial entities must continuously monitor and control the security and operation of ICT systems and tools, and mitigate the impact of ICT risks using appropriate ICT security tools, policies, and procedures (Art. 9 DORA).
The Regulatory Technical Standards (RTS) on the ICT risk management framework that accompany DORA (Commission Delegated Regulation (EU) 2024/1774) provide, in Article 4 (ICT asset management policy), guidance on how to comply with the obligations set out in Articles 8 and 9 of DORA. A policy must be established for managing ICT assets. This policy must require the financial entity to collect information on, and maintain documentation of, its ICT assets. For each ICT asset this information should include a unique identification attribute, location, classification, owner, the business or service functions the asset supports, business continuity requirements including RTOs and RPOs (see 3.2), whether the asset is exposed to external networks and the internet, dependencies on other ICT assets and business functions, and, where applicable, the end date of third-party support for the asset.
Article 10 DORA mandates that financial entities have mechanisms in place to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure.
ITAM contributes to the above obligations by providing a complete and up-to-date overview of IT assets, which is the practical basis for complying with Articles 8 and 9 of DORA and with Article 4 of the corresponding RTS. It helps in particular with identifying vulnerabilities, such as outdated software or systems that are no longer supported, with classifying critical assets, and with mapping dependencies between applications, infrastructure, and vendors. Without that mapping, ICT risks cannot be assessed reliably. In this way, ITAM underpins ICT risk management.
3.2. Continuity and recovery planning
Articles 11 and 12 of DORA address requirements regarding response and recovery, backup policies and procedures, restoration and recovery procedures, and recovery methods. For instance, Article 11 DORA states that financial entities must maintain a comprehensive ICT business continuity policy, including ICT response and recovery plans subject to independent internal audits. Financial entities must also implement and maintain appropriate ICT business continuity plans and perform periodic testing—especially for critical or important functions outsourced to, or contractually agreed upon with, third-party ICT service providers (see also 3.5). They must also perform a Business Impact Analysis (BIA) of their exposure to major business disruptions.
Article 12 DORA requires financial entities to develop and document backup policies, recovery and restoration procedures, and methods as part of their ICT risk management framework. These should ensure that ICT systems and data can be restored with minimal downtime and limited disruption or loss. ICT capabilities must be kept in reserve, and recovery must be done with proper controls to ensure maximum data integrity.
ITAM contributes to continuity and recovery planning by making it clear which assets are required for critical processes, thus enabling faster recovery from disruptions. ITAM also allows for the application of Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) based on asset criticality, clarifying what must be done to restore operations and within what timeframes.
3.3. Incident response and reporting
Articles 17 through 19 of DORA define obligations regarding incident response and reporting. Article 17.1 DORA requires financial entities to define, establish, and implement an ICT-related incident management process to detect, manage, and notify ICT-related incidents. Under Article 17.2, all ICT-related incidents and significant cyber threats must be recorded. In addition, Article 17.3 requires appropriate procedures and processes for consistent and integrated monitoring, handling, and follow-up of ICT-related incidents, ensuring that root causes are identified, documented, and addressed to prevent recurrence.
Article 18 DORA explains how to classify ICT-related incidents and assess their impact. Article 19 further details how financial entities must report major ICT-related incidents to the competent authority and, if applicable, to their clients.
In the event of an incident, it must be immediately clear which system or component is affected and who is responsible for managing it—internally or externally. ITAM facilitates faster forensic investigation and reduces response times by providing accurate asset information and management accountability. This way, ITAM supports DORA’s requirements for incident response and reporting.
3.4. Supporting operational resilience testing
Articles 24 through 27 of DORA outline requirements for testing digital operational resilience. Article 24.1 DORA requires financial entities to establish, maintain, and evaluate a robust and comprehensive testing program for digital operational resilience. This must be integrated into the ICT risk management framework (as discussed in 3.1). Article 25 describes the content required for such testing programs.
Article 26 DORA details how and when financial entities must conduct advanced testing using Threat-Led Penetration Testing (TLPT), in which realistic cyberattacks are simulated. These tests follow a fixed process with mandatory timelines and documentation deliverables to ensure tests are conducted in a controlled and compliant manner. Article 27 outlines requirements for the testers conducting TLPT.
ITAM is essential for selecting which systems should be tested, especially high-impact systems like customer portals and payment systems, as well as systems subject to TLPT. ITAM also helps prepare for these tests by identifying which software is running where and what versions are in use.
3.5. Third-party oversight
Finally, Articles 28 through 30 of DORA cover the oversight that financial entities must have over third parties. Article 28 DORA lays out general principles regarding responsibility, proportionality, and transparency. It also specifies contractual requirements for using ICT services, particularly when those services support critical or important functions.
Article 29 DORA provides rules about preliminary assessments of ICT concentration risk at the entity level. Financial institutions must consider the possibility of becoming highly dependent on a third party—for example, when a provider offers a critical or important function that is not easily substitutable, or when the provider already delivers other critical services.
Article 30 DORA sets requirements for key contractual terms, with more detailed provisions when contracts involve critical or important functions.
In practice, many IT assets are provided and/or managed by third parties, such as Software as a Service (SaaS) applications or cloud infrastructure. A well-managed ITAM system provides visibility into which external vendors a financial entity relies on. It also identifies any subcontracted activities, as discussed in section 1.2.3. Furthermore, ITAM reveals which services and systems these third parties (or their subcontractors) support. Finally, ITAM helps confirm whether proper contractual and security safeguards have been put in place, as listed in Article 30 DORA.
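The checks described in sections 3.1, 3.2, 3.4, and 3.5 all rest on the same asset register. The following Python example, added here and not part of the original article, models an asset record with the attributes listed in Article 4 of the RTS and shows the checks such a register makes possible: the transitive set of assets behind a critical function, dependencies whose RTO is longer than that of the asset relying on them, assets past vendor end-of-support, the version-and-location list a TLPT scope needs, and the providers and subcontractors behind a function. The asset IDs, owners, vendor names (CloudCo, QueueSaaS, DataCenterOps BV), dates, and versions are constructed sample data, not a real institution's inventory.

```python
"""ICT asset register with DORA-oriented checks.

Added example; the register structure follows the attribute list of Article 4
of the RTS on the ICT risk management framework (Delegated Regulation (EU)
2024/1774). All sample data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Asset:
    asset_id: str                       # unique identification attribute
    location: str
    classification: str                 # "critical", "important" or "standard"
    owner: str
    functions: List[str]                # business/service functions supported
    rto_hours: float                    # Recovery Time Objective
    rpo_hours: float                    # Recovery Point Objective
    internet_exposed: bool              # exposure to external networks / internet
    depends_on: List[str] = field(default_factory=list)  # other asset_ids
    provider: Optional[str] = None      # third-party ICT provider, None = in-house
    subcontractor: Optional[str] = None  # provider's subcontractor, if known
    support_end: Optional[date] = None  # end date of third-party support
    version: Optional[str] = None


Register = Dict[str, Asset]


def supporting_assets(register: Register, function: str) -> Set[str]:
    """All assets a function depends on, directly or transitively (Art. 8)."""
    todo = [a.asset_id for a in register.values() if function in a.functions]
    seen: Set[str] = set()
    while todo:
        aid = todo.pop()
        if aid in seen:
            continue
        seen.add(aid)
        todo.extend(register[aid].depends_on)
    return seen


def rto_violations(register: Register) -> List[Tuple[str, str]]:
    """(asset, dependency) pairs where the dependency's RTO exceeds the asset's.

    An asset cannot meet its RTO if something it needs is restored more slowly.
    """
    out = []
    for a in register.values():
        for dep_id in a.depends_on:
            if register[dep_id].rto_hours > a.rto_hours:
                out.append((a.asset_id, dep_id))
    return sorted(out)


def unsupported_assets(register: Register, today: date) -> List[Tuple[str, bool]]:
    """Assets past vendor end-of-support; True marks critical or internet-facing ones."""
    out = []
    for a in register.values():
        if a.support_end is not None and a.support_end < today:
            out.append((a.asset_id, a.classification == "critical" or a.internet_exposed))
    return sorted(out)


def tlpt_scope(register: Register, function: str) -> List[Tuple[str, str, Optional[str]]]:
    """What runs where, and in which version, behind a function (TLPT preparation)."""
    return sorted((aid, register[aid].location, register[aid].version)
                  for aid in supporting_assets(register, function))


def third_party_footprint(register: Register, function: str) -> Dict[str, List[str]]:
    """External parties behind a function and the assets each sits behind.

    Providers and subcontractors are counted alike, so a party that appears both
    directly and via another provider's subcontracting shows its full footprint
    (the concentration question of Art. 29).
    """
    out: Dict[str, Set[str]] = {}
    for aid in supporting_assets(register, function):
        a = register[aid]
        for party in (a.provider, a.subcontractor):
            if party is not None:
                out.setdefault(party, set()).add(aid)
    return {party: sorted(ids) for party, ids in sorted(out.items())}


def sample_register() -> Register:
    """Constructed sample data (hypothetical assets and vendors)."""
    assets = [
        Asset("payments-portal", "eu-west-1", "critical", "Payments team",
              ["Payment processing"], 2, 0.25, True, ["payments-api"], version="4.2.1"),
        Asset("payments-api", "eu-west-1", "critical", "Payments team",
              ["Payment processing"], 2, 0.25, False, ["core-db", "msg-queue"],
              provider="CloudCo", version="4.2.1"),
        Asset("core-db", "eu-west-1", "critical", "Data platform", [], 4, 0.25, False,
              provider="CloudCo", subcontractor="DataCenterOps BV", version="15.4"),
        Asset("msg-queue", "eu-central-1", "important", "Platform team", [], 2, 1, False,
              provider="QueueSaaS", subcontractor="CloudCo",
              support_end=date(2024, 6, 30), version="2.8"),
        Asset("hr-portal", "on-prem DC2", "standard", "HR", ["HR self-service"],
              72, 24, True, support_end=date(2023, 12, 31), version="1.9"),
    ]
    return {a.asset_id: a for a in assets}


if __name__ == "__main__":
    reg = sample_register()
    print("Behind payment processing:", sorted(supporting_assets(reg, "Payment processing")))
    print("RTO violations:", rto_violations(reg))
    print("Unsupported:", unsupported_assets(reg, date(2025, 3, 1)))
    print("TLPT scope:", tlpt_scope(reg, "Payment processing"))
    print("Third parties:", third_party_footprint(reg, "Payment processing"))
```

In the sample data the core database has a four-hour RTO while the API that needs it promises two, which is exactly the kind of inconsistency a BIA under Article 11 should surface, and CloudCo turns out to sit behind three of the four payment assets, once directly and once as QueueSaaS's subcontractor, which is the concentration Article 29 asks an entity to assess before signing.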
4. Conclusion
IT Asset Management is a foundation for effectively fulfilling the obligations arising from the Digital Operational Resilience Act. Without an accurate and up-to-date inventory of digital assets, it is virtually impossible to be DORA-compliant in the areas of ICT risk management, continuity and recovery, incident response and reporting, operational resilience testing, and ICT outsourcing to third parties.