Unlocking DORA Compliance with ServiceNow: Strategies and Success Stories Wanted!
03-21-2024 12:41 AM
Hey everyone,
As we are working on implementing EU Digital Operational Resilience Act (DORA) compliance by January 17, 2025, I'm curious how your organizations are optimizing ServiceNow to meet DORA's mandates. The DORA regulation affects the EU's financial sector and suppliers of ICT services to that sector – wherever those suppliers are based.
ServiceNow Integration for DORA: What strategies are you employing to weave ServiceNow's capabilities into your DORA compliance efforts? Are there specific modules or tools within ServiceNow that are proving to be game changers?
Major Incident classification: With DORA's focus on identifying and reporting Major Incidents, how is your incident management landscape evolving? Are you overhauling your incident management process totally, or incorporating the new assessment criteria to specifically address DORA's requirements?
Reporting: How are you streamlining the reporting of major ICT incidents, considering its detailed requirements?
ServiceNow employees: Is ServiceNow developing solutions or adaptations specifically to help clients comply with these frameworks? Additionally, could you provide insights or guidance on how organizations can best leverage ServiceNow to meet these regulatory requirements efficiently?
I assume we are not the only ones trying to find our way through the dark, so hopefully, your insights will help illuminate the path for us, as well as for others… 😉
03-21-2024 01:49 AM
I would recommend talking to your account team on this. There are numerous ways ServiceNow can support you in your road to DORA.
I think this is a great blog post for a high-level overview.
https://www.servicenow.com/uk/blogs/2023/dora-building-technology-strategy.html
When it comes to products and capabilities in the platform, Operational Resilience certainly has its place.
https://www.servicenow.com/products/operational-resilience.html
Send me a DM if you need contact info for your dedicated account team.
If helpful or correct, please indicate so!
03-24-2024 06:30 AM - edited 03-24-2024 06:32 AM
Thanks Mattias! I posted this question in the ITSM PAC forum as well, and I am pasting my response from there, here as well...
Thank you, for your response and resources regarding DORA compliance!
We're in partnership with ServiceNow, engaging both our internal teams and account team to refine our strategy. I was just curious to know if ServiceNow has any broader strategies regarding DORA compliance specifically. And if you are, I might have some ideas to share 😏
The thing is… Our existing Incident Management framework has been working fine… We categorize service offerings based on business criticality levels and employ a priority matrix that combines impact and urgency to determine incident priority. Any user can propose Major Incidents, which an Incident Manager can promote or reject. And we have a standard operating procedure for which incidents must be reported to the authorities.
However, the introduction of DORA presents new regulatory challenges since it introduces precise criteria for defining Major Incidents that must be reported to the authorities, altering the landscape of Incident Management for us.
DORA mandates two-tiered criteria for classifying Major Incidents:
Either: 1) An incident qualifies as Major if it directly impacts critical services or important functions and involves a successful, malicious, unauthorized access to our network and information systems.
Or 2) it's considered Major if, aside from impacting critical services and important functions, it satisfies at least two of six secondary criteria. These criteria span a broad range, including effects on clients, financial counterparts, transactions, data integrity, reputational and economic impacts, incident duration, and geographic scope.
These criteria are assessed through a combination of binary, relative and absolute thresholds.
We're finding it challenging to reconcile these new mandates with our established protocols, because we kind of like doing things the way we are, but can't choose not to be compliant with DORA.
So, others that are in the same situation… any shared experiences or strategies for this integration would be highly appreciated!