What NCAs Actually Examine in a DORA Supervisory Review
A DORA supervisory review by an EU NCA examines your ICT risk framework, evidence package, and management accountability. Learn what EU fintechs should prepare.
Last reviewed: 30 June 2026
Key takeaways
- A DORA supervisory review by an EU NCA typically examines five areas: framework completeness (Articles 5–16), management body accountability (Article 5), incident classification and reporting (Articles 17–23), third-party ICT provider oversight (Article 28), and ICT testing evidence (Articles 24–27).
- NCAs examine whether the ICT risk function operates continuously and whether the management body acts on ICT risk information — not only whether policies exist.
- The most significant preparation gap is missing operational evidence — a current risk register, management body minutes referencing ICT risk, a third-party register reflecting current dependencies — not missing policy documents.
- Reviews can be triggered by the routine supervisory cycle, a peer enforcement action, an ICT incident report, or a significant change event; waiting for a notice to begin preparation is the most avoidable mistake.
A DORA supervisory review by a National Competent Authority typically examines five areas of your ICT risk management framework: the completeness of the framework itself (DORA Title II, Articles 5–16), management body accountability and governance documentation (Article 5), ICT incident classification and reporting records (Articles 17–23), third-party ICT provider oversight (Article 28), and evidence of ICT testing (Articles 24–27).
Fintechs that have not mapped their ICT risk management framework against DORA Articles 5–16 before a review are likely to receive findings. NCAs do not only examine whether policies exist. They examine whether the ICT risk function operates continuously, whether the management body receives and acts on ICT risk information, and whether the entity can produce documentary evidence on request.
For EU-licensed fintechs — EMIs, Payment Institutions, and CASPs — the most significant preparation gap is not the absence of policy documents. It is the absence of operational evidence: updated risk registers, management body meeting records that reference ICT risk, and a third-party provider register that reflects current dependencies.
Supervisory reviews can be triggered by the routine NCA supervisory cycle, a peer enforcement action in the sector, an ICT incident report, or a significant change event such as a merger or new product launch. Waiting for a review notice to begin preparation is the most common and most avoidable mistake.
What triggers a DORA supervisory review
National Competent Authorities have broad discretion over when to initiate a DORA supervisory review. Common triggers include:
Routine supervisory cycle: NCAs typically schedule periodic ICT risk reviews as part of their oversight programme. For smaller fintechs, this may be triggered by a data call (supervisory questionnaire) before any on-site engagement.
Peer enforcement action: When an NCA issues a finding against one EU-licensed fintech in a sector, it often conducts thematic reviews across comparable entities. A finding at a competing EMI or PI is a practical signal for your own DORA readiness.
ICT incident report: DORA Article 19 requires fintechs to report major ICT-related incidents. A reported incident triggers NCA scrutiny of the underlying ICT risk framework. Was it identified, classified, and managed correctly?
Supervisory questionnaire: In many jurisdictions, NCAs issue data calls or supervisory questionnaires as a first step. These typically request policy documents, risk registers, and evidence of management body oversight. Failure to respond adequately can trigger a deeper review.
Significant organisational change: A merger, acquisition, new product line, or change in ICT outsourcing arrangements may prompt an NCA to assess whether the ICT risk framework has been updated accordingly.
DORA does not limit NCAs to these scenarios. The supervisory powers of competent authorities under DORA Title VII are broad.
The five areas NCAs examine in a DORA review
Based on EBA ICT Risk Guidelines, DORA Title II requirements, and published EBA supervisory convergence reports, a DORA supervisory review typically covers five areas:
1. ICT risk management framework (Articles 5–16)
NCAs examine whether a documented ICT risk management framework exists and operates continuously. Key questions:
- Is the framework approved by the management body?
- Is the ICT risk register current and maintained?
- Is there evidence of ongoing risk identification (Article 8), not just a point-in-time assessment?
- Are ICT risk controls documented and tested?
The NCA expects a framework that shows evidence of operation (updates, review records, management decisions), not a static policy document.
2. Management body governance (Article 5)
DORA places ultimate accountability on the management body. NCAs examine:
- Does the management body receive regular ICT risk reporting?
- Are ICT risk decisions documented in management body minutes?
- Is there evidence that the management body has reviewed and approved the ICT risk management framework?
- Who is the named ICT risk function owner, and what is their reporting line?
A management body that signs an annual policy review but receives no ongoing ICT risk information fails the Article 5 standard.
3. ICT incident classification and reporting (Articles 17–23)
NCAs examine whether the entity has a functioning incident management process aligned to DORA:
- Is there a documented incident classification methodology aligned to the DORA classification criteria (Article 18)?
- Are major incidents reported to the NCA within the required timelines (Article 19)?
- Is there an ICT incident register maintained with classification decisions?
- Are post-incident reviews conducted and findings integrated into the risk framework (Article 13)?
4. Third-party ICT provider oversight (Articles 28–30)
NCAs examine whether the entity has a Register of Information covering all ICT third-party providers, with assessment of concentration risk. They look for:
- A current Register of Information per DORA Article 28(3);
- Evidence that third-party ICT contracts include required DORA clauses;
- Assessment of concentration risk — particularly where a single cloud provider or critical software vendor is used across multiple functions;
- Evidence that third-party ICT arrangements are reviewed on an ongoing basis, with the Register of Information kept current under Article 28(3).
5. ICT testing programme (Articles 24–27)
For larger entities or those in critical sectors, NCAs may examine whether the ICT testing programme is operational:
- Is there evidence of regular vulnerability assessments?
- Are Business Continuity Plan (BCP) tests documented with outcomes?
- For entities in scope of Threat-Led Penetration Testing (TLPT), has this been conducted and documented?
How to prepare for a DORA supervisory review
This section covers preparation in principle — the baseline an EU-licensed fintech should have in place before any notice arrives. For the step-by-step playbook to run in the weeks after you receive a supervisory review notice, see what to prepare before a DORA supervisory review →.
Preparation should begin well before a supervisory review notice arrives. The following four steps are the minimum preparation baseline for an EU-licensed fintech:
Step 1: Map your ICT risk management framework against DORA Articles 5–16
Conduct an internal mapping of your current ICT risk framework against each requirement in DORA Title II. Identify gaps: which requirements are covered by existing documentation, which require new or updated documents, and which require operational evidence (logs, management meeting records) that may not yet exist.
This mapping should result in a gap register that can be addressed before any NCA contact. For structured gap assessment methodology, see the DORA gap assessment guide →.
Step 2: Compile your ICT evidence index
Assemble the documentary evidence NCAs typically request. At minimum, this should include:
- ICT risk management policy (current version, management body approval evidence);
- ICT risk register (current, with recent updates visible);
- ICT incident register (last 12 months, with classification);
- Register of third-party ICT providers;
- Management body meeting records referencing ICT risk;
- ICT testing records (most recent BCP/DR test, VA results).
A structured evidence index template reduces preparation time significantly. See the DORA evidence index template → for a working format.
Step 3: Document management body accountability and ICT risk decisions
Review the last 12 months of management body records. Can you demonstrate:
- regular ICT risk reporting received and discussed?
- formal approval of the ICT risk management framework?
- recorded decisions on material ICT risks or accepted risks?
- evidence of challenge or follow-up on ICT risk findings?
If management body records do not explicitly reference ICT risk, begin a dedicated ICT risk agenda item for management meetings and document discussion and decisions from this point forward.
Step 4: Review your third-party ICT provider register against Article 28(3) obligations
Audit your Register of Information for completeness. For each ICT provider:
- Is the provider listed with service category, criticality classification, and contract term?
- Have DORA-required contractual clauses been reviewed?
- Has concentration risk been assessed where a provider is used across multiple critical functions?
Update the register before any NCA request. An incomplete or outdated Register of Information is one of the most common findings in initial DORA supervisory reviews.
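As an added illustration of the Step 4 checks (not code from the original article or from CyAdviso), the following Python script runs the completeness, contract-clause, concentration-risk and currency checks above over a constructed sample register. The field names are assumptions for illustration, not the ITS 2024/2956 template columns.

```python
from collections import defaultdict
from datetime import date

# Constructed sample register (field names are assumptions, not the ITS
# template). Each row is one ICT service supplied by one provider.
SAMPLE_REGISTER = [
    {"provider": "CloudCo", "service_category": "IaaS", "function": "payment processing",
     "criticality": "critical", "contract_end": "2027-03-31", "dora_clauses_reviewed": True},
    {"provider": "CloudCo", "service_category": "IaaS", "function": "customer onboarding",
     "criticality": "critical", "contract_end": "2027-03-31", "dora_clauses_reviewed": True},
    {"provider": "CloudCo", "service_category": "PaaS", "function": "ledger",
     "criticality": "critical", "contract_end": "2026-12-31", "dora_clauses_reviewed": False},
    {"provider": "SaaSTool", "service_category": "SaaS", "function": "HR",
     "criticality": "", "contract_end": "", "dora_clauses_reviewed": None},
]

REQUIRED_FIELDS = ("provider", "service_category", "function",
                   "criticality", "contract_end", "dora_clauses_reviewed")


def missing_fields(entry):
    """Required fields that are absent or empty in one register row."""
    return [f for f in REQUIRED_FIELDS if entry.get(f) in (None, "")]


def incomplete_entries(register):
    """Rows that fail the completeness check (service category, criticality, term)."""
    return [(e.get("provider"), e.get("function"), missing_fields(e))
            for e in register if missing_fields(e)]


def clauses_not_reviewed(register):
    """Providers with at least one service whose contract clauses are not confirmed reviewed."""
    return sorted({e["provider"] for e in register if e.get("dora_clauses_reviewed") is not True})


def concentration_risk(register, min_functions=2):
    """Providers supporting at least min_functions distinct critical functions."""
    by_provider = defaultdict(set)
    for e in register:
        if e.get("criticality") == "critical":
            by_provider[e["provider"]].add(e["function"])
    return {p: sorted(fs) for p, fs in by_provider.items() if len(fs) >= min_functions}


def expired_contracts(register, as_of):
    """Rows whose recorded contract term ended before as_of, i.e. the register is stale."""
    return [(e["provider"], e["function"], e["contract_end"])
            for e in register
            if e.get("contract_end") and date.fromisoformat(e["contract_end"]) < as_of]


def review_register(register, as_of):
    """Aggregate the four checks into one findings summary for the pre-review dry run."""
    return {"incomplete": incomplete_entries(register),
            "clauses_not_reviewed": clauses_not_reviewed(register),
            "concentration": concentration_risk(register),
            "expired": expired_contracts(register, as_of)}
```

Any non-empty value in the summary is a candidate finding to close before an NCA data call.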
What documentation to prepare before NCA engagement
Beyond the four preparation steps, an NCA supervisory review will typically request documentary evidence in a standard information request or questionnaire. Items commonly requested include:
| Document | DORA Reference | Notes |
|---|---|---|
| ICT risk management policy | Article 6 | Current version with approval evidence |
| ICT risk register | Article 8 | Current, with recent update dates visible |
| Business Impact Analysis | Article 11 | Covering critical ICT systems and services |
| ICT incident register | Article 17 | Last 12–24 months, with classification |
| Register of third-party ICT providers | Article 28(3) | Full register per ITS 2024/2956 templates |
| Management body meeting records | Article 5 | Showing ICT risk reporting and decisions |
| ICT testing records | Articles 24–27 | BCP tests, VA results, TLPT if applicable |
| ICT business continuity policy | Article 11 | With test evidence |
The full DORA obligations overview → covers the complete requirements list. This article focuses on what NCAs examine in practice, which is not always the same as the complete regulatory text.
Common findings in early DORA supervisory reviews
Based on EBA supervisory convergence publications and the EBA ICT and Security Risk Guidelines, the finding patterns below recur across early DORA supervisory reviews of EU-licensed fintechs. They are the reference taxonomy that the related articles in this cluster point back to rather than restate:
ICT risk register not current: The risk register reflects the state at the last gap assessment, not the current risk environment.
Management body not receiving dedicated ICT risk reporting: ICT risk is embedded in general compliance reporting. The management body cannot demonstrate it has reviewed ICT risks separately from general regulatory compliance.
Incident classification not aligned to DORA taxonomy: Incidents are classified by severity but not mapped to DORA Article 18 categories. Major incidents are identified retrospectively rather than through a real-time classification process.
Third-party register incomplete or not current: The Register of Information does not capture all ICT providers, particularly SaaS tools adopted by individual business units.
No evidence of ongoing framework operation: The framework was implemented following an advisory engagement and has not been maintained or updated since.
Addressing these before a review arrives is the most effective preparation. Preparing under NCA scrutiny is significantly more difficult.
NCA supervisory focus by jurisdiction
Different National Competent Authorities have issued ICT risk supervisory expectations that complement DORA requirements. Understanding your NCA's supervisory approach is part of preparation.
Lietuvos bankas, the Lithuanian National Competent Authority, supervises a large number of EU-licensed EMIs and Payment Institutions and has been active in issuing ICT and operational risk supervisory expectations aligned to EBA guidelines.
CySEC, the Cypriot National Competent Authority for CASPs, supervises a significant number of CASPs and has issued ICT-related supervisory guidance consistent with DORA Title II requirements.
For jurisdiction-specific supervisory expectations, consult the relevant NCA page before preparing your documentation package.
Frequently asked questions
What does an NCA examine in a DORA ICT risk supervisory review?
NCAs examine the ICT risk management framework completeness (DORA Articles 5–16), management body accountability and ICT governance documentation (Article 5), ICT incident classification and reporting records (Articles 17–23), the Register of Information for third-party ICT providers (Article 28), and evidence of the ICT testing programme (Articles 24–27). They request documentary evidence showing that the framework operates continuously — not only that policies exist.
What documents should a fintech prepare for a DORA supervisory review?
Minimum documentation: ICT risk management policy (with management body approval evidence), current ICT risk register, ICT incident register (12–24 months), Register of third-party ICT providers, management body meeting records referencing ICT risk, and ICT testing records (BCP/DR tests, vulnerability assessments). CyAdviso recommends maintaining a structured evidence index before any NCA engagement — see the DORA evidence index template →.
How long does a DORA supervisory review take?
DORA does not set a standard duration. An initial supervisory questionnaire or data call typically runs four to eight weeks from issuance to response deadline. An on-site or document-intensive supervisory review may extend over two to four weeks, depending on the NCA and entity complexity. Some reviews begin with a data call and escalate to on-site engagement only if the initial response raises concerns. Fintechs should not wait for a review notice to assemble their evidence package; once a notice arrives, preparation time is significantly constrained.
What happens if a fintech fails a DORA supervisory review?
An NCA may issue findings, require a remediation plan with deadlines, or impose supervisory measures. DORA Article 50 gives NCAs enforcement powers including public disclosure, temporary or permanent prohibition of activities, and administrative penalties. The severity of outcome typically depends on whether the finding is a documentation gap (lower severity, remediation required) or a governance failure (higher severity, particularly where the management body cannot demonstrate oversight). Findings are rarely resolved without operational changes to the ICT risk management function.
How CyAdviso supports DORA supervisory review preparation
CyAdviso works with EU-licensed fintechs to prepare for DORA supervisory reviews, including data calls, questionnaire responses, and on-site engagement. Based on engagements under EU financial-sector supervision, the preparation process involves:
- mapping the current ICT risk framework against DORA Articles 5–16 and identifying evidence gaps;
- building the evidence index and ensuring documentation reflects current operational state;
- reviewing management body records and establishing an ICT risk reporting cadence;
- updating the Register of Information for completeness;
- conducting a pre-review dry run to identify and address likely findings before NCA contact.
Preparation is significantly more effective before a review notice arrives. After the notice, the timeline is constrained and the scope of remediation is limited.
To discuss your DORA supervisory review preparation, schedule a consultation with CyAdviso or contact us at info@cyadviso.com.