In this article, I want to discuss HOW to operationalise DORA requirements by leveraging as much as possible the out-of-the-box capabilities of the ServiceNow platform. Each section below is aligned with DORA’s top-level obligations.
- For each regulatory requirement, we identify the typical outcomes that are a good sign towards compliance.
- We also identify the most appropriate ServiceNow product and feature to achieve it.
ICT Risk management
Have a documented IT risk framework integrated into the wider enterprise risk management program (Art. 6)
Typical outcomes:
- IT Risk Management Policy, IT Risk Register, Business continuity and disaster recovery plan
ServiceNow Products:
- IRM > Policy and compliance > Policy authoring and redlining in Compliance workspace
- IRM > Risk Management > Risk Framework, Risk Register, Risk workspace
- IRM > Business continuity management > Business continuity plan
- IRM > 3rd-party Risk Management > Risk assessment and vendor tiering
ServiceNow supports policy management through drafting and editing in Office 365 SharePoint or Google Drive, with collaborator redlining, pre-defined approvers, version retention, PDF conversion, KB publication, and acknowledgement campaigns.
IT risk is managed using a framework aligned to external standards like ISO 31000 or NIST, with risk categorisation, impact and likelihood scoring via SLE (single loss expectancy) and ARO (annual rate of occurrence). Control objectives are implemented as mitigation strategies, and entity-level tracking rolls up to risk statement ratings in the Risk workspace.
Risk creation for entities is automated, and risks are continuously monitored through indicators and assessed regularly.
Vendor risk assessments are managed through onboarding tier calculations, third-party score imports, and template-based questionnaires based on vendor tier.
Identify IT assets and systems supporting core business functions (Art. 8)
Typical outcomes:
- CMDB, IT Services relationships to Critical or Important Functions, Third-Party Service Provider Inventory.
ServiceNow Product:
- Now Platform > CMDB and CSDM
- Application portfolio management
- ITOM > Service Mapping > Service maps
- IRM > Risk Management > Risk assessment, Key risk indicators, Controls
- IRM > 3rd-party Risk management > 3rd-party portfolio
The ServiceNow CMDB stores information about operational CIs and their relationships, aligning with CSDM to link business capabilities, operational services, and infrastructure components. Service Mapping provides a visual view of CI dependencies and the cascading impact of alerts or outages, factoring in redundancy and failover. Risks are defined through generic statements (IRM) and mapped to entities.
Assessments calculate risk levels, and controls are applied for mitigation. Key risk indicators highlight posture changes directly in the Risk workspace. External vendors are flagged in the Company table. These records are integrated with the Third-party Portfolio to capture related contacts and fulfilled business services. Business services linked to vendors can be flagged as subject to DORA.
Execute risk assessments and tests to assess exposure to vulnerabilities and threats (Art. 9)
Typical outcomes:
- Threat-Led Penetration Testing (TLPT) Plans, Risk Assessment Reports
ServiceNow Product:
- IRM > Risk management > Continuous monitoring for risks
- IRM > Audit management > Audit engagement lifecycle, Audit project
- IRM > Risk management > Risk framework, Risk statements, Controls
- SecOps > Vulnerability Response > Vulnerable items + Threat intelligence
- SecOps > Application Vulnerability response > Pen Test Workspace and dashboard
ServiceNow integrates Vulnerability Management with Risk Management, allowing vulnerabilities identified on critical business services to generate issues directly in IRM. These issues show up in dashboards that provide a high-level view of risk identification and remediation.
External threat definitions from sources like NIST, and scans from tools such as Qualys or Tenable, are pushed into ServiceNow for mapping to CMDB CIs, risk assessment, and vulnerability management.
Pen Testing and Threat-led Pen Tests (internal) findings can be captured manually and managed as application vulnerability items in the flow.
TLPT initiatives in ServiceNow simulate real-world attacks and are broken down into tasks with planning, costs, and findings. These tasks generate evidence, risks in IRM, and security incidents in SIR.
A structured risk framework, based on standards like ISO 31000, supports classification, control objectives, and entity-level risk tracking within the Risk workspace.
Use monitoring tools to detect anomalies and alerts in a timely manner. (Art. 9)
Typical outcomes:
- Monitoring Tools, Security Information and Event Management (SIEM), Automated Threat Detection System, Anomaly Detection Reports
ServiceNow Product:
- SecOps > Threat intelligence > Connectors
- SecOps > Security Incident response > SIEM connectors
- SecOps > Vulnerability Response > Vulnerability scanner connectors
- IRM > Policy and compliance > Policy authoring and redlining in Compliance workspace
- IRM > Risk management > Controls
- ITSM > Incident, Problem, Change management
- Now Platform > CMDB and CSDM > Business Capability, Application service
- ITOM > AIOps > Anomaly Detection
ServiceNow integrates with SIEM tools like Splunk, MS Sentinel, MF ArcSight, and Sumo Logic to capture and process events in real time. Combined with ServiceNow SIR and Threat Intelligence, it supports automated security response (SOAR) and adds contextual depth through frameworks like MITRE ATT&CK.
Although ServiceNow doesn’t offer a native SIEM, it consolidates external event data with CMDB contextualisation, service-aware prioritisation, and remediation flows.
Incidents and deviations, including those defined under DORA, are tracked and reported in dashboards and workspaces, linking alerts, risks, and remediation.
Process documentation tied to incident management is maintained in the Compliance workspace, while the CMDB is used to capture operational monitoring tools.
SIEM monitoring and Vulnerability scanners can be listed as Application Services under the “Monitoring tools and tech” business capability.
3rd-party risk management
Conduct due diligence on vendor’s operational resilience and security before onboarding (Art. 28)
Typical outcomes:
- Completed Vendor Due Diligence Questionnaire, Risk Assessment Summary, Vendor Due Diligence Report
ServiceNow Product:
- IRM > 3rd-party Risk management > Risk overview workspace, Due Diligence workflow, Tiering and risk profile, Vendor portal Document request
ServiceNow provides a comprehensive view of vendors and their risk posture through a centralised vendor management workspace. This includes access to risk ratings, risk areas, and ongoing engagements for each third party.
Vendors are assessed using tailored questionnaires for internal and external engagements, with due diligence conducted at onboarding, reassessment, and offboarding.
Vendors are segmented into tiers, assigned risk profiles, and evaluated across multiple risk domains. Risk intelligence can also be pulled from third-party sources.
Assessment templates can auto-generate requests for questionnaires or documents via the Vendor Portal. Based on responses and history, remediation plans and tasks are created to mitigate vendor-related issues.
Include in vendor contracts clauses ensuring regular audit and performance reviews, notifications about incidents, compliance with DORA (Art. 28)
Typical outcomes:
- Contract Management Policies, DORA-Compliant Contract Clause Library
ServiceNow Product:
- Sourcing and Procurement Operations > Contracts, Digital resilience third-party registers, Terms and conditions
- ITSM > Enterprise Asset workspace > Terms and conditions
- IRM > Policy and compliance > Policy authoring and redlining in Compliance workspace
In ServiceNow, both Asset and Procurement contracts are extensions of the core contract table and share common features such as contract number and Terms and Conditions.
Procurement contracts manage supplier terms and pricing, while Asset contracts focus on lifecycle, warranty, and support.
Contracts can be created through Asset Management > Contract Management or within the Hardware/Enterprise Asset workspace, where predefined Terms and Conditions (including DORA-specific clauses) can be applied and reused across contracts.
Although plans are documented as policies, their enforcement and execution are handled directly within ServiceNow’s contract management workflows and configurations.
Continuously monitor vendors to identify emerging risks and maintain a vendor risk registry (Art. 28)
Typical outcomes:
- Vendor Risk Registry, Vendor Monitoring Process Documentation
ServiceNow Product:
- IRM > 3rd-party Risk management > Risk overview, Digital resilience third-party registers, Due diligence process
- IRM > Policy and compliance > Policy authoring and redlining in Compliance workspace
ServiceNow’s Vendor Management workspace provides a risk overview per supplier based on assessment results and scoring rules.
It extends the IRM Risk Management application, associating relevant Risk statements to each vendor as entities, grouped under a Third-party and Supply Chain risk framework.
The Digital Resilience 3rd Party Register extension consolidates all key information needed for DORA compliance, including legal entities, branches, business functions, vendors, contracts, and assessments.
While the resilience plan is documented as a policy, its enforcement is carried out through ServiceNow’s 3rd Party Risk Management due diligence process during onboarding, ongoing monitoring, and offboarding.
Develop Vendor exit plans to manage the smooth transition of functions in case of failure. (Art. 29)
Typical outcomes:
- Termination Notice Procedures, Exit Transition Period, Data Security and Privacy Measures, Knowledge Transfer, Cost and Personnel Considerations
ServiceNow Product:
- Source-to-Pay Operations > Supplier Lifecycle Operations > Supplier offboarding playbook
- IRM > Policy and compliance > Policy authoring and redlining in Compliance workspace
- IRM > 3rd-party risk management > Due diligence request controls
- SPM > Project > Cost management, Resource management
The supplier off-boarding process is documented as a policy but implemented in ServiceNow using the Offboard a Supplier playbook within the Source-to-Pay workspace.
This playbook provides step-by-step guidance, defines task durations, and integrates with Vendor Risk Management to conduct due diligence.
If Third-Party Risk Management (TPRM) is used, due diligence during termination triggers requests, questionnaires, and document submissions to confirm data transfer or destruction.
Controls can be set to manage vendor risk during this phase.
While TPRM and IRM don’t directly track exit costs, ServiceNow Risk Management can estimate financial impact using Single Loss Expectancy and mitigate it with control objectives. Larger off-boarding efforts may be managed as full projects, with the playbook optionally configured to include cost management steps.
Incident Reporting
Have a process and tool to log and manage IT incidents, especially major ones. (Art. 17)
Typical outcomes:
- Incident Management Policy, Incident Logging System, Major Incident Reporting Templates, Incident Response Plan, Incident Classification Guidelines
ServiceNow Product:
- IRM > Policy and compliance > Policy authoring and redlining in Compliance workspace
- ITSM > Incident management > Major Incident management, Incident communications management
Although the plan is formally documented as a policy published in the KB, its execution is carried out in ServiceNow through the Incident Management flow.
ServiceNow captures incidents from multiple sources and channels, enriches them with CMDB and KB references, and supports classification and resolution tracking.
Major incidents can be managed through the optional Major Incident Management plugin, which groups related incidents for faster resolution and communication.
The Incident Communications Management application supports structured messaging during critical events.
Notify authorities of major incidents on a service that falls in scope of DORA within 24 hours after detection. (Art. 19)
Typical outcomes:
- Incident Reporting Policy, Communication Plan for Regulatory Notification, Initial Incident Notification Template, Training Materials for Incident Response Teams
ServiceNow Product:
- ITSM > Incident management > Incident communication plans
- IRM > Policy and compliance > Policy authoring and redlining in Compliance workspace, Policy acknowledgement
- Now Platform > Knowledge base, Custom table, Excel export
- HRSD > HR Learning > LMS integration
The DORA incident reporting plan is documented as a policy but implemented in ServiceNow Incident Management or SIR workflows.
The policy can include automated task creation with SLAs to ensure incidents are reported to authorities. Policy acknowledgement campaigns and suggested KB articles (via Now Assist) can also reinforce compliance procedures with relevant teams. Major incidents tied to DORA can be flagged using CMDB relationships, with business services inheriting the DORA flag from upper-level capabilities.
Auto-generating DORA Excel templates from ServiceNow is not natively supported, and would probably be too complex for the value. However, organisations can map the DORA Excel template columns to the ServiceNow data model and build a report that facilitates a manual export in a close enough format. These reports can be attached to incidents for reuse, as a single incident will require multiple DORA reports. Some customers use custom tables to streamline data collection and export.
Keep authorities updated on ongoing incidents, and submit a post-incident report within 5 working days after resolution, including the root cause, impact, resolution procedure, and future prevention plan (Art. 19)
Typical outcomes:
- Post-Incident Reporting Template, Root Cause Analysis (RCA) Procedures, Impact Assessment Framework, Preventive Action Plan
ServiceNow Product:
- IRM > Policy and compliance > Policy authoring and redlining in Compliance workspace
- IRM > Risk management > Controls
- ITSM > Incident management > SLAs, Post incident report
- ITSM > Problem management > Root cause, Definitive solution
- SecOps > Security incident response > Post incident report
The DORA reporting plan is documented as a policy but enforced through ServiceNow Incident or Security Incident (SIR) workflows, where tasks with SLAs can be automatically assigned to ensure regulatory reporting.
For post-incident review (PIR), Major Incidents in Incident Management display a PIR tab, which can be extended with DORA-specific fields. In Security Incidents, PIR reports can be generated as branded PDFs using configurable templates.
Since DORA templates are fixed, the most effective approach is to map relevant ServiceNow fields and export data for manual insertion into the official form.
Problem Management investigates root causes and proposes long-term solutions, often leading to Change Requests. In IRM, major incidents tied to DORA can be flagged as issues and addressed through Action Plans, using workflows that trigger controls or remediation tasks.
Operational resilience testing
Conduct risk-based testing of IT systems and controls annually. (Art. 25)
Typical outcomes:
- Risk Assessment Matrix, Risk Assessment Report, Security Assessment Report (SAR)
ServiceNow Product:
- SecOps > Vulnerability Response > Impact assessment
- IRM > Risk Management > Advanced Risk assessment, Operational risk dashboard on the Risk workspace
ServiceNow provides an out-of-the-box Operational Risks register, where risk statements are scoped to critical business services. When vulnerabilities from scanners are linked to these services, issues are automatically created in IRM.
Dashboards and workspaces offer a consolidated view of the organisation's operational risk posture. The Risk workspace aggregates the key security indicators (risks, assessments, controls, and issues), eliminating the need for manual reporting. Risk managers can drill into details and assess control effectiveness through inherent vs. residual risk heat maps.
Risk criteria in ServiceNow define impact and likelihood levels based on the organisation’s risk appetite. Risk assessment matrices and advanced evaluation methods calculate scores that adapt as conditions change, helping organisations prioritise risks through visual tools like dashboards and heat maps.
Perform threat-led Pen tests at least once every 3 years for critical assets (Art. 26)
Typical outcomes:
- Threat Intelligence Report, Penetration Test Plan, Penetration Testing Report, Remediation Plan
ServiceNow Product:
- IRM > Audit management > Audit engagement lifecycle, Audit project
- SecOps > Application Vulnerability response > Pen Test Workspace and dashboard, Remediation plan
- SecOps > Threat intelligence > Threat Intelligence security center
ServiceNow integrates external threat intelligence feeds (e.g., CrowdStrike, Palo Alto Networks) using the STIX format to capture indicators of compromise, threat actors, and recommended actions.
Combined with internal data from vulnerability scanners and SIEM systems, the Threat Intelligence Security Center provides contextual insights — showing how threats apply to specific CIs, scoring them, and guiding mitigation via tasks and playbooks.
Pen Testing is managed through a dedicated app used by internal ethical hacking teams to request, document, and remediate findings. Results are logged as Application Vulnerability Items (AVIs), prioritized by severity and business impact, followed by remediation and re-testing.
Threat-led Pen Testing (TLPT) extends standard testing by simulating real-world threats using current threat intel. TLPT initiatives in ServiceNow can be structured as audit projects, with planning, execution, and reporting. Tasks generated during these assessments can trigger issues or risks in IRM and security incidents in SIR, and serve as control tests for specific objectives.
Based on test results, implement enhancements to mitigate identified risks. (Art. 25)
Typical outcomes:
- Risk Treatment Plan, Remediation Action Plan, Risk Register, Risk Assessment Reports
ServiceNow Product:
- IRM > Risk management > Risk response, Controls
- SecOps > Vulnerability Response > Remediation effort
- IRM > Risk Management > Risk Framework and Risk Register, Risk workspace
ServiceNow supports the full risk management lifecycle — from advanced risk assessment to response — by allowing users to define strategies like accept, mitigate, avoid, or transfer the Risk. Each response is formalised through a risk response task detailing the remediation plan, including control implementation.
Security Incident Response (SIR) uses a standardised workflow-driven process to prioritise and assign remediation tasks based on business impact.
In Vulnerability Management, a remediation wizard helps group related vulnerabilities and coordinate resolution with Change Management.
ServiceNow enables automated risk creation, continuous monitoring via indicators, and regular assessments.
Risks are structured using frameworks aligned with standards like ISO 31000 or NIST, with controls and mitigation strategies linked to generic risk statements. All risk data is centralised, removing the need for separate documentation.
Governance and oversight
Assign accountability for IT risk management to senior leadership. (Art. 5)
Typical outcomes:
- IT Risk Management Policy, Governance, Risk, and Compliance (GRC) Management Policy, Risk Management Framework (RMF), Leadership Accountability Risk Catalog
ServiceNow Product:
- IRM > Policy and compliance > Policy authoring and redlining in Compliance workspace
- IRM > Risk management > Process configuration, Risk Framework and Risk Register, Risk ownership Assignment
ServiceNow Risk Management allows organisations to group risk statements and apply a consistent approach to their handling. Risk statements are assigned to owners and owning groups, with local risk owners managing assessments and response activities, ensuring accountability throughout the process.
Conduct mandatory training for employees on IT risk awareness and resilience (Art. 13)
Typical outcomes:
- Security Awareness and Training Policy, Training Materials and Curriculum, Training Schedule and Records, Employee Acknowledgment Forms, Assessment and Evaluation Reports
ServiceNow Product:
- IRM > Policy and compliance > Policy acknowledgement
- HRSD > HR Learning > LMS integration, Training schedule and completion logs
- SecOps > Cybersecurity Executive dashboard > Phishing simulator spoke
- Now Platform > Knowledge base
Security and compliance training is typically delivered through third-party LMS platforms like SuccessFactors, which manage course content, scheduling, notifications, and completion tracking. ServiceNow integrates with these systems via Spokes and HR Learning-certified apps to sync training data, assign courses, and monitor progress.
While LMS platforms handle recorded content and quizzes, ServiceNow can supplement by issuing policy acknowledgements and triggering assessments to confirm understanding. Indicators in Policy and Compliance track training completion rates, and the Cybersecurity Executive Dashboard consolidates insights—including phishing simulation data from tools like KnowBe4 and MS Defender.
Implement periodic internal audits to check compliance with DORA standards (Art. 5)
Typical outcomes:
- Internal Audit Plan, Internal Audit Checklist, Internal Audit Report, Corrective Action Plan (CAP)
ServiceNow Product:
- IRM > Audit management > Audit engagement lifecycle, Audit project with SPM, Test template and plan, controls, Audit observations and Report
In ServiceNow IRM Audit Management, an audit plan defines the audit’s purpose, scope, timeline, resources, and costs, and is managed via a workflow with tasks and approvals. It can also be linked to a project in SPM if needed.
DORA is represented as an authority document, with requirements defined as statements, linked to control objectives and controls. These controls are tested using defined templates and plans, scoped through auditable units. Risk statements related to DORA (e.g., continuity failure) are tied to the same control objectives for compliance monitoring.
Audit findings are logged as observations, validated through evidence and reviews, and may result in action plans. Audit managers can generate formal audit reports using templates and publish them as KB articles, and confirmed observations can trigger IRM issues with defined response strategies.
Information sharing on cyber-threat intel.
Establish channels to exchange actionable threat intelligence with peers, regulators, and authorities (Art. 24)
Typical outcomes:
- Information Sharing Policy, Information Sharing Agreement (ISA), Threat Intelligence Sharing Procedures, Participation in Information Sharing Communities
ServiceNow Product:
- Now Platform > Knowledge
- IRM > Policy and compliance > Policy, Policy acknowledgement
Information Sharing Agreements (ISAs) with organisations like FS-ISAC or CERTs are legal documents stored as articles. While not operational, their key terms can be translated into enforceable policies and controls in ServiceNow.
ServiceNow does not natively support generating or submitting STIX/TAXII threat intel formats. Though it can capture relevant data, STIX submission typically requires external tools or platforms. Integration with FS-ISAC is done outside of ServiceNow, often via membership or manual file uploads.
Share details on vulnerabilities, attack patterns, and mitigation strategies. (Art. 24)
Typical outcomes:
- Cyber Threat Intelligence (CTI) Report, Cyber Threat Intelligence (CTI) Report Template
ServiceNow Product:
- IRM > Policy and compliance > Policy authoring and redlining in Compliance workspace, Policy, Controls
- SecOps > Threat intelligence > Threat intelligence Security center
- Now Platform > Knowledge
While ServiceNow can store relevant data, it cannot generate or transmit STIX via TAXII out-of-the-box. Submission is typically done manually or via external tools like MITRE’s taxii2-client. Customisation could enable STIX generation in JSON format.
Ensure all shared information complies with data privacy and confidentiality regulations. (Art. 24)
Typical outcomes:
- Data Privacy and Confidentiality Policy, Non-Disclosure Agreement (NDA), Data Sharing Agreement, Privacy Notice
ServiceNow Product:
- Now Platform > Knowledge
- IRM > Policy and compliance > Policy, Controls
Procedures related to threat intelligence can be documented as policy documents and enforced through controls.
Legal agreements like NDAs and ISAs with security information-sharing organizations (e.g., FS-ISAC or CERTs) are stored as non-operational documents in ServiceNow under “Security and compliance” or “Legal agreements.” Their key terms can be translated into enforceable policies and controls.
Privacy notices are documented as policies, published as Knowledge Articles, and typically linked in the Employee Center footer. Acknowledgement campaigns can be configured to ensure regular user awareness.
Participate in joint exercises and simulations to enhance industry-wide resilience. (Art. 25)
Typical outcomes:
- Exercise Participation Certificate, After-Action Report (AAR), Improvement Plan
ServiceNow Product:
- IRM > Business Continuity management > Exercise management
- IRM > Audit management > Audit test results
- IRM > Risk Management > Controls
Participation in scenario-based exercises (e.g. cyber threats) may result in a certificate from the financial supervisor, which can be stored in the Knowledge Base and used as audit evidence. These exercises validate the effectiveness of an organization’s business continuity plan.
In ServiceNow’s Business Continuity workspace, exercises can be managed and a PDF report generated upon completion. However, out-of-the-box, the system does not automatically include tasks to revise the business continuity plan based on exercise findings—this would require customisation.
To wrap up…
Going through the detailed mapping above, it almost seems like DORA was written with ServiceNow in mind.
Whether it’s Risk management, Business continuity management, Sourcing and procurement management, Vendor Risk management or IT service management, many key requirements find a native match on the Now Platform. Others will at least consume data from ServiceNow (CMDB).
Another perspective on that is to recognise that DORA has enterprise-wide implications. ServiceNow being the leading Enterprise service management platform, it is only natural that it can support so many DORA requirements.
To help organisations, ServiceNow is expected to release more DORA-related features and possibly an IMPACT Accelerator.
This article is based on a detailed, low-level, feature-level mapping I’ve meticulously curated for every DORA requirement.
If your organisation is exploring how it can best leverage ServiceNow to comply with DORA, we need to talk!