Overview
Generate the complete set of policies required by DORA (Regulation (EU) 2022/2554) from a single organizational context. The skill acts as a policy factory: it collects entity type, proportionality tier, governance structure, and ICT landscape, then produces all 17 mandatory DORA policy documents plus a cross-reference summary. Each policy traces to its DORA article and RTS provision, references related policies by document ID, and is calibrated to the entity’s size and complexity.
What It Covers
- 17 mandatory policies spanning all DORA pillars: ICT risk management (Arts. 5-6), security (Art. 9), asset management (Art. 8), encryption (Art. 9(4)(d)), access control (Art. 9(4)(c)), network security (Art. 9(4)(e)), change management (Art. 8(4)), patch management (Art. 9(2)), incident management (Arts. 17-18), business continuity (Art. 11), backup and restoration (Art. 12), third-party risk (Art. 28), logging and monitoring (Art. 10), project management (Art. 8(4)), vulnerability management (Art. 9(2)), physical security (Art. 9(1)), and HR security (Art. 13(6))
- Proportionality: entities under Art. 16 simplified framework get reduced-scope policies; optional policies (network security, logging, project management, vulnerability management) are flagged as recommended
- Cross-reference consistency: every policy references related policies by document ID and title; terminology, role titles, escalation paths, and review cycles are kept aligned across the full set
- Gap analysis: when an existing policy inventory is provided, the skill maps each policy to the DORA requirements it covers and identifies gaps, overlaps, and conflicts before generating new documents
- RTS alignment: policies address both DORA article-level and RTS-level requirements (RTS 2024/1773 and RTS 2024/1774)
Example Conversation
You: We need the complete set of DORA policies for our payment institution. We have about 200 staff and EUR 500M in transactions. We already have an IT Security Policy and an Incident Response Plan, but nothing else DORA-specific.
Agent: I’ll start by collecting entity context. Based on what you’ve shared: payment institution under PSD2, ~200 staff, EUR 500M transaction volume. That places you in the full DORA framework (not Art. 16 simplified). Let me confirm a few details: Who sits on the management body responsible for ICT risk? Do you have a designated CISO? And which cloud providers or outsourced ICT services do you use?
You: Our CFO chairs the ICT committee, we have a CISO reporting to the CRO, and we use AWS for core infrastructure plus a SaaS core banking platform from FIS.
Agent: I’ve loaded the DORA policy catalog and your two existing policies. Running the gap analysis now – your IT Security Policy partially covers Art. 9(4) but is missing sub-requirements for encryption controls (Art. 9(4)(d)) and network segmentation (Art. 9(4)(e)). Your Incident Response Plan covers detection and escalation but lacks the DORA-specific classification thresholds from RTS 2024/1774 and the mandatory notification timelines under Art. 19. I’ll generate the full set of 17 policies plus the cross-reference summary, tailored to your governance structure and ICT landscape.
Agent: All 17 policies and the summary are written to `output/`. Running `dora_policy_set_checker` to validate completeness…
Agent: The checker confirms: all 17 required policies present, all mandatory sections complete, and all cross-references consistent. The policy set is ready for management body review and approval per Art. 5(2)(a).
Sample Output Excerpt
Below is an excerpt from a generated ICT Incident Management Policy, showing the standardized structure used across all 17 policies.
ICT Incident Management Policy
- Document ID: POL-DORA-009
- Version: 1.0
- Classification: Internal
- Effective Date: 2025-07-01
- Next Review Date: 2026-07-01
- Owner: Chief Information Security Officer
- Approved By: Management Body
1. Purpose
This policy establishes ICT-related incident management requirements for Acme Payments Ltd in accordance with Regulation (EU) 2022/2554 (DORA), Articles 17-18, and Commission Delegated Regulation (EU) 2024/1774. It ensures that ICT-related incidents are detected, classified, escalated, and reported in a manner that protects digital operational resilience and meets regulatory notification obligations.
2. Scope
- Organizational scope: Acme Payments Ltd and all branch offices
- System scope: All ICT systems supporting payment processing, core banking (FIS), and AWS infrastructure
- Personnel scope: All staff; specialized procedures for ICT operations, security, and management body
- Third-party scope: FIS (core banking SaaS) and AWS incident coordination
5. Roles and Responsibilities
5.1 Management Body
- Bears ultimate accountability for the incident management process (Art. 5(2))
- Receives notification of all major ICT-related incidents within 2 hours of classification
- Approves external communications regarding major incidents
5.2 Chief Information Security Officer (CISO)
- Owns this policy and the incident classification process
- Leads the Incident Response Team for major incidents
- Submits notifications to the competent authority (DNB) per Art. 19
6. Policy Statements
6.1 Incident Classification
6.1.1. Acme Payments Ltd shall classify ICT-related incidents using the criteria defined in RTS 2024/1774, Article 8:
| Criterion | Major incident threshold |
|---|---|
| Clients affected | > 10% of active payment service users |
| Duration | > 2 hours for critical functions |
| Data losses | Any personal data or payment data breach |
| Economic impact | > EUR 100,000 direct costs |
| Geographical spread | > 2 Member States |
6.2 Notification to Competent Authority
6.2.1. Acme Payments Ltd shall notify DNB of major incidents per Art. 19:
- Initial notification: within 4 hours of classification as major
- Intermediate report: within 72 hours with root cause and impact
- Final report: within 1 month with lessons learned and remediation
10. Cross-References
| Document ID | Document Title | Relationship |
|---|---|---|
| POL-DORA-001 | ICT Risk Management Policy | Incident data feeds risk assessment updates |
| POL-DORA-010 | ICT Business Continuity Policy | Major incidents trigger BCP activation per Section 6.3 |
| POL-DORA-013 | Logging and Monitoring Policy | Detection capabilities feed incident identification |
| POL-DORA-017 | Human Resources Security Policy | Staff training on incident reporting obligations |
Extension Tools
dora_policy_set_checker validates the completeness and consistency of the generated policy set:
- Reads a JSON inventory file listing all generated policies with their IDs, names, sections, and cross-references
- Checks that all 17 DORA-required policies are present (errors for missing mandatory policies; warnings for simplified-framework-optional ones)
- Verifies every policy has the five mandatory sections: purpose, scope, roles, requirements, and review cycle
- Validates cross-reference consistency: every referenced policy ID must exist in the set; no broken references or mismatched titles
- Detects duplicate policy IDs across the set
- Respects proportionality: when `simplified_framework: true`, policies POL-DORA-006 (Network Security), POL-DORA-013 (Logging), POL-DORA-014 (Project Management), and POL-DORA-015 (Vulnerability Management) are reported as warnings rather than errors if absent
- Reports summary statistics: policies provided, required, and missing
- Use after generating the complete policy set and before finalizing for management body approval
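The checks listed above, worked through as an added Python example; this is not the skill's own `dora_policy_set_checker`, whose inventory schema the page does not show. The JSON layout, the sequential IDs POL-DORA-001 to POL-DORA-017, and the sample inventory are assumptions constructed for the illustration.

```python
# Assumed inventory layout (the page does not specify the checker's schema):
# {"simplified_framework": bool, "policies": [{"id", "title", "sections",
#  "cross_references": [{"id", "title"}]}]}; sequential IDs 001..017 are an assumption.
REQUIRED_IDS = [f"POL-DORA-{n:03d}" for n in range(1, 18)]
SIMPLIFIED_OPTIONAL = {"POL-DORA-006", "POL-DORA-013", "POL-DORA-014", "POL-DORA-015"}
MANDATORY_SECTIONS = {"purpose", "scope", "roles", "requirements", "review cycle"}


def check_policy_set(inventory):
    """Return errors, warnings and summary statistics for one policy inventory."""
    errors, warnings, seen = [], [], {}
    simplified = bool(inventory.get("simplified_framework", False))
    for p in inventory.get("policies", []):  # duplicate IDs are flagged, last one kept
        if p["id"] in seen:
            errors.append(f"duplicate policy ID {p['id']}")
        seen[p["id"]] = p
    missing = [pid for pid in REQUIRED_IDS if pid not in seen]
    for pid in missing:  # completeness, with Art. 16 proportionality
        if simplified and pid in SIMPLIFIED_OPTIONAL:
            warnings.append(f"{pid} absent (optional under the Art. 16 simplified framework)")
        else:
            errors.append(f"missing mandatory policy {pid}")
    for pid, p in seen.items():  # mandatory sections and cross-reference consistency
        lacking = MANDATORY_SECTIONS - {s.lower() for s in p.get("sections", [])}
        if lacking:
            errors.append(f"{pid} lacks sections {sorted(lacking)}")
        for ref in p.get("cross_references", []):
            target = seen.get(ref["id"])
            if target is None:
                errors.append(f"{pid} references unknown policy {ref['id']}")
            elif target["title"] != ref["title"]:
                errors.append(f"{pid} cites {ref['id']} as '{ref['title']}', set has '{target['title']}'")
    stats = {"provided": len(seen), "required": len(REQUIRED_IDS), "missing": len(missing)}
    return {"errors": errors, "warnings": warnings, "stats": stats}


def _policy(pid, title):
    return {"id": pid, "title": title, "sections": list(MANDATORY_SECTIONS), "cross_references": []}


# Constructed sample (not generator output): a simplified-framework entity missing
# POL-DORA-006 and -014 (optional) and -016 (mandatory), plus three deliberate defects.
TITLES = {"POL-DORA-001": "ICT Risk Management Policy", "POL-DORA-010": "ICT Business Continuity Policy"}
SAMPLE_INVENTORY = {"simplified_framework": True, "policies": [
    _policy(pid, TITLES.get(pid, f"Policy {pid[-3:]}")) for pid in REQUIRED_IDS
    if pid not in {"POL-DORA-006", "POL-DORA-014", "POL-DORA-016"}]}
_by_id = {p["id"]: p for p in SAMPLE_INVENTORY["policies"]}
_by_id["POL-DORA-009"]["cross_references"] = [
    {"id": "POL-DORA-001", "title": "ICT Risk Management Policy"},   # consistent
    {"id": "POL-DORA-010", "title": "Business Continuity Plan"},     # stale title
    {"id": "POL-DORA-099", "title": "Nonexistent Policy"}]           # broken reference
_by_id["POL-DORA-017"]["sections"].remove("review cycle")            # incomplete policy
```

Feeding a real inventory file is a matter of passing `json.load(open(path))` to `check_policy_set`; switching `simplified_framework` to false turns the two optional absences into errors, which is the proportionality rule the checker description states.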
Getting Started
Add your source materials to the project workspace – existing policy documents, organizational charts, ICT asset inventories, and third-party provider lists all help the agent tailor the policies to your entity. Then activate the DORA Policy Generator skill. The agent will collect your entity context (type, size, governance, ICT landscape) and generate all 17 required DORA policies plus a cross-reference summary, running the completeness checker before finalizing the set.