
Major European Bank
MainStack architected and delivered the Digital Operational Resilience Act (DORA) compliance framework for one of Europe's largest banks. The engagement covered ICT risk management, third-party dependency mapping, incident classification, and resilience testing playbooks.
With the EU regulatory deadline approaching, the bank needed a partner who could move fast without cutting corners. MainStack delivered a production-ready DORA framework in under 6 months, passing the first regulatory audit with zero critical findings.
[ Challenge ]
The bank operated a complex IT landscape spanning retail banking, investment services, and insurance subsidiaries. DORA compliance required a holistic approach across all entities, but several obstacles stood in the way.
- Fragmented ICT Risk Landscape. Risk assessments were siloed by business unit, each using different methodologies, tools, and taxonomies. There was no unified view of ICT risk across the group, making it impossible to meet DORA's consolidated reporting requirements.
- Unmapped Third-Party Dependencies. The bank relied on 340+ ICT service providers, but only a fraction were formally documented. Critical dependencies on cloud providers, payment processors, and market data feeds had no contractual resilience clauses.
- Inconsistent Incident Classification. Cyber incidents, IT outages, and operational disruptions were classified differently across entities. DORA requires standardized severity classification and mandatory reporting timelines that the existing process could not support.
- No Resilience Testing Framework. The bank had never conducted threat-led penetration testing (TLPT) at scale. DORA mandates regular resilience testing of critical functions, but there was no framework, no playbooks, and no dedicated team.
- Tight Regulatory Timeline. With enforcement approaching, the bank had less than 8 months to achieve full compliance. Previous internal attempts had stalled due to scope ambiguity and organizational resistance.
The bank needed an architect who understood both the regulatory framework and the ServiceNow platform deeply enough to design a solution that was compliant, operable, and sustainable.
[ Approach ]
MainStack assigned a senior architect with dual expertise in financial services regulation and ServiceNow GRC. The approach prioritized regulatory risk: we addressed the highest-penalty items first and built outward.
- DORA Gap Assessment (Weeks 1-3). We mapped the bank's current ICT governance against all 5 DORA pillars: ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing. Each gap was scored by regulatory severity and remediation effort.
- Unified ICT Risk Framework (Weeks 3-8). We designed and deployed a consolidated ICT risk management framework on ServiceNow GRC. It brought the risk taxonomy, assessment methodology, and reporting of all business entities together into a single governed model.
- Third-Party Provider Registry (Weeks 4-10). We built a comprehensive ICT third-party register, mapping 340+ providers with criticality assessments, contractual resilience clauses, and concentration risk indicators. Automated alerts flag when dependencies exceed risk thresholds.
- Incident Classification and Reporting (Weeks 6-12). We implemented DORA-compliant incident classification (major, significant, cyber) with automated severity scoring and regulatory reporting timelines. The system generates pre-populated reports for the national competent authority within the mandated windows.
- Resilience Testing Playbooks (Weeks 10-16). We created a threat-led penetration testing framework including scenario libraries, test execution procedures, and remediation tracking. The framework supports both internal testing and TLPT exercises as required by DORA Article 26.
- Board Reporting and Governance (Weeks 14-20). We built executive dashboards giving the board real-time visibility into DORA compliance status, ICT risk posture, and resilience test results. DORA places direct accountability on the management body, so these dashboards became a critical governance tool.
The bank passed its first DORA regulatory audit with zero critical findings. The framework is now operated independently by the internal team, with MainStack available for annual reviews and regulatory updates.