Menu
Join my newsletter
9. Crisis Management and Communication
Effective crisis management and communication are critical requirements of the Digital Operational Resilience Act (DORA). Financial entities must establish robust frameworks to manage crises and communicate effectively with stakeholders, customers, and regulators during ICT-related incidents or operational disruptions. This guide outlines DORA's expectations for crisis management and communication, best practices, and how they integrate with other compliance areas.

by Sylvan Ravinet

The StratOps way to accelerate DORA
This guide on Crisis Management and Communication can help you achieve DORA compliance. Faster. Part of my 12-capabilities cyber framework.
Before continuing, make sure you are subscribed to StratOps!
Get weekly insights in your email
My StratOps newsletter helps cybersecurity experts achieve more, faster.
It's Free! For now.
Have feedback? Connect with me on Linkedin
1. Overview of Crisis Management and Communication in DORA
Crisis management and communication under DORA focus on establishing structured approaches to handle significant ICT-related incidents and ensure timely, accurate, and effective communication. This includes:
  • Managing the escalation from incidents to crises
  • Establishing effective management structures and processes
  • Implementing comprehensive communication strategies
  • Ensuring integration with the broader operational resilience framework
DORA requires financial entities to establish crisis management and communication strategies that are integrated with their broader incident management and business continuity plans.
1.1 Regulatory Foundation
DORA Regulation (EU 2022/2554):
  • Article 14: Crisis communication requirements
  • Article 19: Major incident management and escalation
  • Article 11: Business continuity requirements
  • Articles 13 and 16: ICT incident management and operational resilience
RTS 2024/1772: Major incident classification criteria
RTS 2024/1774: ICT risk management and response
Additional RTS/ITS issued by the European Supervisory Authorities (ESAs) (EBA, ESMA, EIOPA)
2. Core Requirements for Crisis Management
2.1 Crisis Definition and Criteria
Per RTS 2024/1772 Article 8, a crisis is characterized by:
  • Multiple materiality thresholds being exceeded
  • Significant cross-border impact
  • Potential systemic implications
  • Severe operational disruption
  • Substantial reputational risk
2.2 Escalation Process
Per RTS 2024/1774 Article 22, financial entities must establish:
  • Clear and documented escalation triggers and thresholds
  • Structured management notification procedures
  • Efficient crisis team activation protocols
  • Seamless integration with incident management framework
3. Building an Effective Crisis Management Structure
3.1 Crisis Management Team
Per DORA Article 14, organizations must establish:
  • A comprehensive team structure with defined roles:
  • Crisis Director: Overall crisis leadership and decision-making
  • Communication Lead: Stakeholder communication strategy
  • Technical Response Lead: Technical incident management
  • Stakeholder Relations: External relationship management
  • Incident Response Coordinators: Operational response
  • Regulatory Reporting Officers: Compliance and reporting
  • Clear decision authority matrix
  • Criteria for external expert engagement
  • Documented approval workflows for external communications
3.2 Crisis Command Center
Organizations must establish:
  • Flexible physical/virtual command center capabilities
  • Robust communication tools and systems
  • Efficient information flow management processes
  • Effective resource coordination protocols
  • Secure and reliable communication channels
4. Crisis Response Process
4.1 Initial Response
Per RTS 2024/1774, initial response must include:
  • Comprehensive situation assessment
  • Rapid team mobilization procedures
  • Structured stakeholder notification
  • Efficient resource deployment
  • Thorough impact evaluation
4.2 Crisis Operations
Organizations must implement:
  • Efficient command center activation procedures
  • Strategic resource allocation and management
  • Continuous impact monitoring and assessment
  • Comprehensive stakeholder coordination
  • Effective service continuity management
  • Coordinated communication strategy execution
4.3 Recovery Process
Organizations must establish:
  • Clear service restoration priorities
  • Efficient resource reallocation procedures
  • Structured transition to normal operations
  • Thorough post-crisis assessment
  • Comprehensive lessons learned documentation
5. Crisis Communication Strategy
5.1 Communication Framework
Organizations must develop:
  • Comprehensive stakeholder mapping and prioritization:
  • Internal stakeholders: Management, employees, response teams
  • External stakeholders: Customers, regulators, service providers
  • Media and public relations stakeholders
  • Strategic channel selection and management
  • Robust message development and approval processes
5.2 Communication Requirements
Organizations must implement:
  • Efficient notification protocols
  • Structured information sharing processes:
  • Detailed incident description and root cause analysis
  • Comprehensive impact assessment on critical functions
  • Clear mitigation action plans
  • Accurate service restoration timelines
  • Tailored stakeholder-specific messaging
  • Effective balance between speed and accuracy
5.3 Regulatory Notification
Per RTS 2024/1772, organizations must establish:
  • Comprehensive major incident reporting procedures
  • Efficient cross-border notification processes
  • Regular supervisory update protocols
  • Thorough documentation requirements
  • Strict compliance with reporting timelines
5.4 Communication Best Practices
Organizations should implement:
  • Transparency and trust measures:
  • Clear and honest communication protocols
  • Appropriate technical language management
  • Coordinated messaging strategies:
  • Aligned internal and external communications
  • Consistent cross-channel messaging
  • Effective technology utilization:
  • Efficient automated notification systems
  • Secure communication platforms
6. Integration with Other DORA Domains
6.1 Incident Management
Organizations must ensure:
  • Clear escalation criteria and procedures
  • Effective response coordination
  • Comprehensive documentation practices
  • Seamless integration with broader framework
6.2 Business Continuity
Organizations must establish:
  • Aligned recovery objectives
  • Coordinated service restoration
  • Efficient resource management
  • Integrated continuity planning
6.3 Third-Party Management
Organizations must implement:
  • Comprehensive provider coordination protocols
  • Thorough service impact assessment
  • Aligned communication strategies
  • Coordinated messaging for shared services
6.4 Testing & Validation
Organizations must conduct:
  • Regular crisis simulation exercises
  • Comprehensive communication testing
  • Thorough process validation
  • Integrated TLPT assessments
7. Crisis Lifecycle Management
7.1 Pre-Crisis Preparation
Organizations must establish:
  • Comprehensive risk monitoring systems
  • Effective early warning indicators
  • Regular preparation activities and drills
  • Sufficient resource readiness measures
  • Detailed template and playbook development
7.2 Active Crisis Management
Organizations must implement:
  • Efficient situation management procedures
  • Effective resource coordination
  • Comprehensive impact control measures
  • Strategic stakeholder communication
  • Continuous real-time assessment
7.3 Post-Crisis Activities
Organizations must ensure:
  • Thorough lessons learned documentation
  • Comprehensive process improvement identification
  • Effective control enhancement implementation
  • Strategic stakeholder feedback integration
  • Framework updates
8. Best Practices and Success Factors
8.1 Critical Success Elements
Organizations must maintain:
  • Well-defined escalation criteria
  • Clear command structures
  • Integrated processes and procedures
  • Regular testing and validation programs
  • Comprehensive documentation practices
  • Strong stakeholder alignment
  • Effective communication measures
8.2 Common Challenges and Solutions
Organizations must address:
  • Decision-making under pressure through:
  • Clear authority matrices
  • Comprehensive pre-defined scenarios
  • Regular training programs
  • Resource management through:
  • Detailed resource inventories
  • Clear priority frameworks
  • Established external agreements
  • Communication challenges through:
  • Consistent messaging strategies
  • Coordinated stakeholder engagement
  • Managed technical complexity
8. Testing and Maintenance
9.1 Testing Requirements
Organizations must conduct:
  • Regular crisis simulation exercises
  • Comprehensive communication drills
  • Active stakeholder participation
  • Thorough documentation and improvement
  • Detailed scenario-based testing
9.2 Plan Maintenance
Organizations must ensure:
  • Regular review and update cycles
  • Comprehensive stakeholder feedback integration
  • Thorough regulatory alignment checks
  • Effective documentation management
  • Continuous improvement processes
Links to Related DORA Compliance Themes
For a comprehensive understanding of DORA compliance, this guide aligns with the following related topics:
For detailed implementation guidance, refer to DORA's RTS and ITS documentation and related guides within this compliance series.
The StratOps way to accelerate DORA
CISO & Advisor | My StratOps newsletter helps cybersecurity experts achieve more, faster.

I hope this guide on Crisis Management and Communication will help your team achieve DORA compliance.
Have feedback? Let’s connect on LinkedIn
Not yet a member? Get insights & more resources in the StratOps newsletter
🚀 Accelerate your DORA implementation with StratOps
Implementation kits are a great start, but real resilience requires structured execution.
Join my StratOps trainings to master DORA’s 12 capabilities and fast-track compliance.