BAIT → DORA Mapping

| BAIT Module | DORA Article | RTS | Change Required |
|---|---|---|---|
| 1. IT Strategy (AT 4.2) | Art. 5 | – | Management personally responsible |
| 2. IT Governance (AT 4.3.1) | Art. 5–6 | 2024/1774 | Independent control function |
| 3. Information Risk Management (BT 1) | Art. 6–8 | 2024/1774 | Asset inventory extended |
| 4. Information Security Management (BT 2) | Art. 9 | 2024/1774 | Largely congruent |
| 5. Operational IT Security (BT 3) | Art. 9–10 | 2024/1774 | Automated detection |
| 6. Identity/Access Management (BT 4) | Art. 9 | 2024/1774 | Multi-factor authentication (MFA) and privileged access management (PAM) made explicit |
| 7. IT Projects/Application Development (BT 5) | Art. 7 | 2024/1774 | SDLC security |
| 8. IT Operations (BT 6) | Art. 9, 11 | 2024/1774 | Capacity management |
| 9. IT Emergency Management (BT 7) | Art. 11–12 | 2024/1774 | RPO/RTO explicit |
| 10. Outsourcing (AT 9) | Art. 28–30 | 2024/1773, 2024/2956, 2025/532 | Significantly extended |
| 11. IT Multi-Client Service Providers (BT 8) | Art. 31–44 | Oversight framework | Incorporated into CTPP oversight |

New Requirements Without BAIT Equivalent

| DORA | Description |
|---|---|
| Art. 14 | Communication plan, media spokesperson |
| Art. 18 | Standardised incident classification (6 criteria) |
| Art. 19–20 | Formalised reporting (4h/72h/1M, XML) |
| Art. 26–27 | TLPT (threat-led penetration testing) |
| Art. 28(3) | Information register of all ICT third-party providers |
| Art. 31–44 | Oversight framework for critical ICT third-party providers (CTPPs) |
| Art. 45 | Information sharing on cyber threats |