DORA Regulations and Financial Reporting: What Communications Directors Need to Know
The answer is less intuitive than it seems. DORA doesn’t target Communication Directors the way it targets an IT department. It reaches them through two distinct channels: first, by integrating them into the formal digital-risk governance chain of their organization; second, by subjecting their everyday communication tools, including newsroom, distribution wire, journalist CRM, archiving platforms, to the same requirements as critical IT systems.
Wiztrust provides a concrete answer by covering four of the six contractual clauses required for third‑party ICT providers. In addition, Wiztrust Protect ensures traceability and integrity of communications, during and after an incident, thanks to legally enforceable timestamping.
Key takeaways:
- DORA has been applicable since 17 January 2025. The grace period is over for the 22,000+ European financial entities concerned.
- Communication Directors are part of the formal ICT governance accountability chain when they sit on the executive committee or take part in resilience policies.
- Communication tools (newsroom, wire, journalist CRM, archiving) fall within the scope of third‑party ICT providers subject to DORA requirements.
Overview: DORA, communication implications
| DORA requirement | What it implies for communications | Priority |
|---|---|---|
| ICT governance | Communication Directors are in the formal chain of accountability. They must document their communication processes and have them validated at executive-committee level. | High |
| ICT risk management | Communication tools (newsroom, wire, journalist CRM) fall within the ICT risk framework. Their failures must be scenario-planned. | High |
| Incident notification | Initial notification to the regulator within 4 hours. Messages distributed must be certified and archived as evidence in the incident file. | Critical |
| Resilience testing | Test results (TLPT, business continuity tests) influence reputation with analysts and regulators. Communication around these tests must be prepared. | Medium |
| Third‑party ICT provider risk | Contracts with communication tools must include: audit rights, strengthened SLAs, exit clauses, data location, vulnerability management. | High |
What DORA really changes for communications departments
Governance: communication leaders enter the formal digital-risk chain
DORA imposes an explicit, documented, and auditable responsibility on governing bodies for ICT risk management. When a Communication Director sits on the executive committee or participates in approving communication policies, they become part of that responsibility chain.
This means two concrete things. First, communication processes related to digital resilience must be documented, approved, and reviewed periodically in the same way as IT processes. Second, in the event of an incident followed by a regulatory investigation, regulators can request to review communications published during and after the incident, and verify that approval processes were in place.
Incident notification: communications is on the front line
In the event of a major ICT incident, DORA requires an initial notification to the competent regulator within 4 hours of detection. An interim report follows within 72 hours, and a final report within one month of closure.
These timelines are operationally very tight. Communications is systematically involved in drafting and validating messages sent to regulators, markets, and media. Teams must be able to activate a full protocol in under an hour, with pre-approved messages, a clarified decision chain, and tools capable of certifying and archiving in real time everything that is published.
The operational challenge is twofold: produce fast, and produce verifiably. Every message sent to the regulator, markets, or media during the crisis becomes part of the audit file. Without a real-time certification and timestamping mechanism, a financial entity faces the risk of later disputes over the integrity of its communications, an especially sensitive risk when the final report, due within a month of closure, relies on the exact chronology of messages distributed.
Your contracts with your communications providers: what you must do now
Ask your current communications providers to produce a DORA compliance matrix covering these six points. If your current contract does not explicitly provide audit rights, documented SLAs and BCP/DRP, and exit clauses, it must be renegotiated. This is not optional: it is a requirement your internal auditors and regulators can verify.
Structuring your communications around DORA: three operational dimensions
DORA requires communicating in a rigorous, documented, and coordinated way. For communications leaders, this translates into three distinct workstreams.
Preventive communication: build credibility before an incident
Institutional investors, ESG rating agencies, and financial analysts have incorporated digital resilience into their evaluation criteria. Publishing proactively about your DORA framework strengthens credibility with these audiences, well before an incident occurs.
This preventive communication takes concrete forms:
- A dedicated paragraph on DORA governance in the annual report and URD
- Investor notes on your digital resilience framework, especially during roadshows
- Targeted briefings for specialized financial journalists covering banks/insurers’ resilience
- Thought-leadership articles on ICT governance practices in your sector
Communication during an incident: protocols and traceability
In an ICT incident, three constraints apply simultaneously to communications: speed (4 hours for the initial notification), coordination (IT, legal, communications in parallel), and traceability (everything published must be provable and archivable).
A DORA-compliant crisis communications protocol includes at minimum:
- A decision tree to determine within 30 minutes whether the incident requires regulated communication
- Pre-written, legally pre-approved messages for the most likely incident scenarios
- A prioritized recipient list with up-to-date contacts: regulators, investors, media, rating agencies
- A blockchain certification and timestamped archiving tool with evidentiary value for all messages distributed during the incident, guaranteeing integrity against later regulatory audit requests
- A post-incident debrief process to update the protocol
Pro tip: proof of integrity is the cornerstone of DORA
European regulators may request, up to 5 years after an incident, evidence that a message distributed during the crisis was not modified afterwards. Wiztrust Protect, already adopted by several CAC 40 entities, can produce this proof automatically, without relying on an internal archiving system that may itself be compromised during the incident.
Post-incident communication: manage reputation over time
After an incident is closed, the quality of communications produced during the crisis continues to be scrutinized by regulators, media, and markets. Three principles structure this phase:
- Consistency: the same narrative must be maintained consistently across all stakeholders and over time. Contradictions between communications to regulators, markets, and media create reputational and regulatory risks.
- Documented integrity: published communications must be archived with proof of integrity. In the event of an investigation, the entity must be able to demonstrate that messages were not modified afterwards.
- Impact measurement: media coverage and stakeholder perception after the incident must be analyzed to feed the closure report and adjust reputation communications strategy.
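The "documented integrity" principle above, and the certification and timestamped archiving tool called for in the crisis protocol, rest on one mechanism: commit to each message's hash and publication time at the moment it is distributed, in a form that a later edit cannot reproduce. The following is an added illustration, not Wiztrust code, of a minimal hash-chained certification ledger; a real deployment would additionally anchor each entry hash with an external timestamp authority or blockchain so the log's own operator cannot rewrite it, which this example does not do. Message texts and timestamps are constructed samples.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CertificationLedger:
    """Append-only ledger. Each entry commits to the message hash, its UTC
    timestamp and the previous entry's hash, so editing a message after the
    fact, or reordering/altering the log itself, breaks verification."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def certify(self, channel: str, message: str, when: datetime) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "channel": channel,                      # regulator / markets / media
            "timestamp": when.astimezone(timezone.utc).isoformat(),
            "message_hash": sha256_hex(message.encode("utf-8")),
            "prev_hash": prev,
        }
        # Canonical JSON so the hash is reproducible at verification time.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify_message(self, seq: int, message: str) -> bool:
        """Does the archived text still match what was certified at time of distribution?"""
        return self.entries[seq]["message_hash"] == sha256_hex(message.encode("utf-8"))

    def verify_chain(self) -> bool:
        """Detects any modification of timestamps, hashes or ordering inside the log."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            recomputed = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if e["prev_hash"] != prev or recomputed != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True
```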
Conclusion
DORA doesn’t turn communications leaders into security owners. It integrates them into a governance chain that was previously mostly IT, and subjects their communication tools to new requirements for resilience, traceability, and contracting.
The good news: these requirements can be operationalized. A rigorous inventory of providers, updated contracts, a documented and tested crisis protocol, and tools able to prove the integrity of your communications: this is what DORA expects from a mature communications function.
Wiztrust supports more than 60 communications departments in the CAC 40 and SBF 120, including BNP Paribas, Crédit Agricole, Engie, and TotalEnergies, with an infrastructure designed for these requirements: EU-hosted newsroom, blockchain certification of communications via Wiztrust Protect, timestamped archiving with evidentiary value, and contracts including audit rights, documented SLAs, and DORA-compliant exit clauses.
FAQ: DORA and financial communications
What is DORA and why are communications leaders concerned?
DORA (Digital Operational Resilience Act) has been applicable since 17 January 2025. Communications leaders are affected in two ways: as part of the ICT governance chain when they sit on the executive committee, and as owners of communication tools (newsroom, wire, journalist CRM) that fall within the scope of third‑party ICT providers subject to DORA requirements. Both realities involve new documentation and contracting obligations.
Which communication tools fall within DORA’s scope?
All ICT providers whose failure could interrupt the distribution of regulated market information or affect continuity of financial services must be inventoried through a DORA lens. Depending on the entity’s size and risk profile, this can include newsroom platforms, wire distribution services, journalist CRM tools, media monitoring solutions, and certification/archiving platforms. These providers are not all automatically deemed “critical”, but they must all be assessed.
What are the incident notification timelines under DORA?
In the event of a major ICT incident, DORA imposes three cumulative deadlines: an initial notification to the competent regulator within 4 hours of detection, an interim report within 72 hours, and a final report within one month after the incident is closed. These timelines imply that crisis communications protocols must be prepared, validated, and tested before an incident occurs. The ability to certify and archive messages in real time is a traceability requirement.
Does DORA apply to European subsidiaries of listed non-financial groups?
DORA applies to any regulated entity in the European financial sector, regardless of the group it belongs to. If an industrial or listed group owns a subsidiary carrying out banking, insurance, or asset-management activity in Europe, that subsidiary is fully subject to DORA. Communications leaders in these groups must ensure corporate communications practices do not create inconsistencies with regulated communication obligations imposed by DORA on those entities.
What if my contracts with communications providers are not DORA-compliant?
The priority is to identify non-compliant contracts by comparing them against the list of six required clauses: audit rights, documented SLAs and BCP/DRP, EU data location, SSO/2FA and privileged-access management, documentation of the subcontracting chain, and an exit clause with data portability. For each non-compliant contract, start a renegotiation or request an addendum. Document the exchanges. In an audit, proof of the compliance effort has as much value as the final contract.
How does Wiztrust concretely meet DORA requirements?
Wiztrust covers four of the six contractual clauses required by DORA for third‑party ICT providers: EU hosting and processing, documented SLAs and continuity plan, privileged-access management with SSO and two‑factor authentication, and an exit clause with full data portability. Wiztrust Protect also addresses the requirement for traceability and documented integrity of communications distributed during and after an incident, with legally enforceable timestamp proof.