2026-04-17·16 min read·

DORA Art.14: Communication Strategy — Crisis Plans, Designated Officers, and ICT Incident Disclosure for Financial Services (2026)

Post #407 in the sota.io EU Cyber Compliance Series

DORA Chapter II defines the ICT risk management framework. Articles 5–13 govern identification, protection, detection, response, recovery, and learning. Article 14 closes the chapter with the missing dimension that regulators have repeatedly cited in post-incident investigations: structured communication.

The regulatory logic is precise. An entity that detects an incident, contains it, and recovers — but fails to communicate clearly with affected clients, coordinate internally, or inform counterparts — has created secondary harm from the incident itself. DORA Art.14 operationalises the principle that crisis communication is a core component of digital operational resilience, not an afterthought handled ad hoc by whoever is senior in the building when a breach occurs.

Art.14 has three provisions. Each creates a distinct, auditable obligation. This guide covers all three, shows how they connect to the Art.19 major incident reporting regime, provides implementation guidance and a Python self-assessment tool, and closes with a 25-item NCA audit checklist.

1. Who Is Subject to DORA Art.14

DORA Art.2(1) scope covers approximately 22,000 EU financial entities:

Entity Type	DORA Scope	Art.14 Notes
Credit institutions (banks)	✅ Full	EBA oversight; public communication scrutiny highest
Investment firms	✅ Full	Includes MiFID II investment firms above thresholds
Payment institutions	✅ Full	PSD2 entities now under dual DORA + PSD2 notification regime
E-money institutions	✅ Full	Prepaid card issuers, wallet operators
Insurance / reinsurance	✅ Full	Solvency II entities + DORA layered
CCP / CSDs / trading venues	✅ Full	Systemically significant — heightened public interest standard
Crypto-asset service providers (CASPs)	✅ Full (from Dec 30 2024)	MiCA registration + DORA Art.14 from same date
Management companies / AIFs	✅ Full	UCITS/AIFM scope
Microenterprises (<10 staff, <€2M)	✅ Proportionality applies	Art.14 obligations remain; proportionate implementation
ICT third-party providers	❌ Not DORA Ch.II	Subject to DORA Chapter V oversight instead

Proportionality (Art.4(2)): Smaller entities must still designate a communication officer and maintain a crisis plan, but the plan can be lighter-weight — e.g., a single-page procedure document plus named contact, rather than a full media playbook.

2. Art.14(1): Crisis Communication Plans

The Obligation

"Financial entities shall have in place crisis communication plans enabling a responsible disclosure of, at least, major ICT-related incidents or vulnerabilities to clients and counterparts, and to the public, where appropriate." — DORA Art.14(1)

Three disclosure targets are specified: clients, counterparts (i.e., business partners, correspondent banks, payment networks), and the public. The trigger is a major ICT-related incident or a significant ICT vulnerability. The qualifier "where appropriate" applies only to public communication — client and counterpart notification is always required for major incidents.

What "Major" Means Under DORA

A major incident is formally classified under the Art.18 criteria and the EBA/ESMA/EIOPA Joint Guidelines on classification (published December 2023). Key thresholds triggering Art.14 disclosure obligations:

Criterion	Major Incident Threshold
Clients affected	≥5,000 clients OR >5% of client base
Duration	≥4 hours for critical function unavailability
Financial losses	Gross losses ≥€100,000 / Net losses ≥€50,000 (credit institution)
Reputational impact	Significant media coverage or regulatory attention
Data integrity	Integrity breach affecting critical data
Geographic scope	Multi-jurisdiction impact

NCA audit expectation: The Art.14(1) plan must reference these thresholds explicitly. NCAs routinely cite plans that merely say "contact clients if there is a major incident" — without defining what constitutes major — as non-compliant.

Crisis Communication Plan: Required Content

An Art.14(1)-compliant crisis communication plan must contain at minimum:

Trigger Matrix

[ICT Incident Detected]
    → Art.18 Classification Check
        → Major? → YES → Art.14 communication workflow ACTIVE
                → NO → Internal handling, no Art.14 obligation
    → Art.19 parallel reporting workflow (separate track)

Content by Disclosure Target:

Target	What to Communicate	When	Channel
Clients	Nature of incident (non-technical), services affected, expected resolution, protective actions available	≤24h after major classification	Email, in-app, SMS, secure message
Counterparts	Business impact, affected integrations, expected recovery, whether data shared with them was involved	≤4h from incident confirmation	Secure email, dedicated B2B contact
Public	General nature of incident (if material public interest), actions taken, how to get more info	Only if significant client base or systemic risk	Press release, website, regulator-coordinated

Template Structure for Client Notification:

Subject: [FINANCIAL ENTITY NAME] — Service Disruption Update — [DATE]

We are writing to inform you of an ICT incident that occurred on [DATE/TIME].

Affected services: [LIST]
Impact: [BRIEF NON-TECHNICAL DESCRIPTION]
Current status: [CONTAINED / RECOVERING / RESOLVED]
Protective steps you may take: [IF APPLICABLE]
Expected resolution: [TIMEFRAME OR "UNDER INVESTIGATION"]

For questions: [DEDICATED CONTACT / LINK]
Further updates: [SCHEDULE — e.g., every 4 hours until resolved]

[ENTITY NAME] [DATE/TIME OF THIS MESSAGE]

Vulnerability Communication (Art.14(1) also covers vulnerabilities): This is frequently overlooked. Art.14(1) also requires a plan for communicating significant ICT vulnerabilities — before an incident occurs. This is distinct from the incident notification flow and requires a separate procedure governing:

When is a vulnerability "significant" enough to require external notification?
Who assesses (typically CISO + Legal)?
Coordinated disclosure timeline (align with CVE/NVD standard: 90-day disclosure window unless active exploitation)
Client impact assessment before disclosure

3. Art.14(2): Internal and External Communication Policy

The Obligation

"Financial entities shall implement, as part of their ICT risk management framework, a communication policy for internal staff and for external stakeholders. Communication policies for staff shall take into account the need to differentiate between staff involved in ICT risk management, in particular the staff responsible for response and recovery, and staff that needs to be informed." — DORA Art.14(2)

Two policies in one provision: internal (staff) and external (clients, counterparts, press, regulators). The internal policy has an explicit requirement to differentiate between operational staff (those managing the incident) and informational staff (those who need situational awareness but are not in the response chain).

Internal Communication Policy: Staff Differentiation Matrix

DORA Art.14(2) requires explicit role differentiation. Failure to distinguish between operational and informational staff creates two failure modes observed in NCA inspections:

Over-communication to responders — non-incident staff flooding response channels with questions, degrading the response team's effectiveness
Under-communication to affected teams — client-facing staff unaware of the incident, giving contradictory information to clients

Recommended Staff Tier Model:

Tier	Role	Communication Channel	Update Frequency
T1: Incident Response	CISO, SOC lead, IR team, affected system owners	War-room channel (Slack/Teams incident channel, dedicated bridge)	Real-time, every 15–30 min during active phase
T2: Operational Awareness	CEO/CRO/CCO, Legal, Compliance, Communication Officer	Secure management dashboard or dedicated Tier-2 channel	Every 60 min or on material change
T3: Informational	Client-facing staff, front-office, branch network	Pre-approved talking points via email or intranet	Before client contact begins; updated if material change
T4: General Staff	All other employees	Brief internal notice after incident contained	Post-containment only
T5: Board	Board members	CISO or CEO direct briefing	For major incidents only; after initial containment

Communication Silence Rule: T3/T4/T5 staff must not be informed until the Art.14(3) communication officer approves the message. This prevents unofficial communications leaking to clients or press before the controlled disclosure.

External Communication Policy

The external policy governs how the entity communicates with non-employee stakeholders:

Stakeholder	Policy Element
Clients	Pre-drafted template library by incident type; approved channels; single-voice principle (no competing messages from different departments)
Counterparts / B2B	Dedicated B2B communication officer or procedure; confidentiality of operational details; coordination on mutual incident impact
Regulators	This is governed by Art.19 (separate reporting regime); Art.14 external policy should cross-reference Art.19 procedures
Media / Press	All media enquiries → Art.14(3) designated officer only; no-comment default until press release approved
Social media	Monitoring procedure for social mentions; single-account policy; Art.14(3) officer authorises responses

4. Art.14(3): Designated Communication Officer

The Obligation

"At least one person in the financial entity shall be tasked with implementing the communication strategy for ICT-related incidents and fulfil the public relations and media role for that purpose." — DORA Art.14(3)

This is the most frequently non-compliant element in NCA inspections. Many entities have communication plans but no named, trained individual whose primary incident responsibility is communication. DORA Art.14(3) makes this designation mandatory.

Who Can Be the Designated Communication Officer?

Art.14(3) says "at least one person" without specifying a title or minimum seniority. However, effective and NCA-compliant implementation requires:

Requirement	Why It Matters
Named in the ICT risk management framework	NCA will ask for the name during inspection; "we will assign someone" is non-compliant
Trained in crisis communications	Untrained officers make unforced disclosure errors under pressure; NCA expects evidence of training
Authority to approve external communications	Cannot fulfil the role without authority to issue client notifications and press statements
Available 24/7 (or clear backup chain)	ICT incidents do not respect business hours; the plan must name a primary + backup
Not the same person as the incident response lead	Dual-role failure: a CISO managing a live incident cannot simultaneously manage media enquiries

Common Mistakes:

Assigning the CISO as sole communication officer (CISO is operationally occupied during an incident)
Naming a Communications Director who has no ICT risk training and does not know when an incident is "major"
No backup — primary unavailable during incident
Plan references "the designated communication officer" without naming a specific person

Recommended Designation Structure:

Primary Communication Officer: [Name, Title]
Backup Communication Officer: [Name, Title]
Escalation Contact (Board-level): [Name, Title]
Last Review / Reconfirmation: [DATE — must be refreshed at least annually]

Scope of the Art.14(3) Role

The communication officer is responsible for:

Approving all external communications (client notifications, press releases, counterpart messages)
Handling media enquiries — sole spokesperson for ICT-related incidents
Monitoring press and social media for incident mentions requiring response
Coordinating with Legal and Compliance before any public statement
Post-incident comms review — was the communication timely, accurate, compliant?
Annual review of Art.14(2) policies and Art.14(1) plans

5. Art.14 × Art.19 Integration: Communication vs. Regulatory Reporting

DORA creates two parallel but distinct workflows for major ICT incidents:

Dimension	Art.14 (Communication)	Art.19 (Reporting)
Audience	Clients, counterparts, public, internal staff	National Competent Authority (EBA/ECB/national regulator)
Trigger	Major ICT incident or significant vulnerability	Major ICT incident (same classification)
Timeline	≤24h for client notification (best practice)	4h initial notification → 24h intermediate → 5 days final
Content	What happened, impact, protective steps, recovery ETA	Technical details, financial impact, RCA, remediation plan
Owner	Art.14(3) Communication Officer	CISO / Compliance / ICT Risk Function
Format	Free-form, client-appropriate language	EBA/ESMA/EIOPA-prescribed reporting template
Confidentiality	Client communication can be public	Regulatory report is confidential; regulator controls disclosure

Critical Sequencing Issue: NCAs have cited entities that filed the Art.19 regulatory report but delayed client notification — or worse, that sent client notifications with more detail than the regulatory report. The Art.14 communication officer and Art.19 reporting function must coordinate before any external communication is sent.

Recommended Integration Workflow:

[Major Incident Confirmed — Art.18 Classification]
         │
    ┌────┴────┐
    │         │
Art.19       Art.14
Reporting    Communication
Workflow     Workflow
    │         │
4h NCA       Pre-draft client
Initial     notification
Report       (do not send)
    │         │
         Legal/Compliance Review
         + Art.19 report alignment
                  │
         Art.14(3) Officer Approves
                  │
         Client Notification Sent
         (≤24h from major classification)

6. Python `DORACommChecker` Implementation

from dataclasses import dataclass, field
from typing import Optional
import datetime

@dataclass
class CommunicationPlan:
    """Art.14(1): Crisis communication plan."""
    plan_document_ref: str
    last_reviewed: datetime.date
    covers_major_incidents: bool
    covers_significant_vulnerabilities: bool
    client_notification_procedure: bool
    counterpart_notification_procedure: bool
    public_notification_procedure: bool
    major_incident_thresholds_defined: bool
    template_library_exists: bool
    art19_coordination_documented: bool

@dataclass
class InternalCommPolicy:
    """Art.14(2) internal: Staff communication policy with tier differentiation."""
    policy_document_ref: str
    t1_response_team_channel_defined: bool
    t2_operational_awareness_channel_defined: bool
    t3_informational_staff_procedure_defined: bool
    communication_silence_rule_documented: bool
    communication_officer_approval_required: bool

@dataclass
class ExternalCommPolicy:
    """Art.14(2) external: External stakeholder communication policy."""
    policy_document_ref: str
    client_policy_defined: bool
    counterpart_policy_defined: bool
    media_policy_defined: bool
    social_media_policy_defined: bool
    single_voice_principle_documented: bool
    regulator_policy_cross_references_art19: bool

@dataclass
class CommunicationOfficer:
    """Art.14(3): Designated communication officer."""
    primary_officer_name: str
    primary_officer_title: str
    backup_officer_name: Optional[str]
    backup_officer_title: Optional[str]
    officer_documented_in_framework: bool
    officer_has_approval_authority: bool
    officer_crisis_comms_trained: bool
    last_training_date: Optional[datetime.date]
    twentyfour_seven_availability_documented: bool

@dataclass
class AssessmentResult:
    check_name: str
    status: str  # "COMPLIANT", "NON_COMPLIANT", "PARTIAL"
    finding: str
    recommendation: Optional[str] = None

@dataclass
class DORACommCheckerReport:
    entity_name: str
    assessment_date: datetime.date
    results: list[AssessmentResult] = field(default_factory=list)

    def add(self, result: AssessmentResult):
        self.results.append(result)

    def summary(self) -> dict:
        compliant = sum(1 for r in self.results if r.status == "COMPLIANT")
        partial = sum(1 for r in self.results if r.status == "PARTIAL")
        non_compliant = sum(1 for r in self.results if r.status == "NON_COMPLIANT")
        return {
            "compliant": compliant,
            "partial": partial,
            "non_compliant": non_compliant,
            "total": len(self.results),
            "score_pct": round((compliant + 0.5 * partial) / len(self.results) * 100, 1) if self.results else 0
        }

    def to_markdown(self) -> str:
        s = self.summary()
        lines = [
            f"# DORA Art.14 Compliance Assessment: {self.entity_name}",
            f"**Date:** {self.assessment_date}",
            f"**Score:** {s['score_pct']}% ({s['compliant']} compliant, {s['partial']} partial, {s['non_compliant']} non-compliant)",
            "",
            "| Check | Status | Finding |",
            "|---|---|---|",
        ]
        for r in self.results:
            icon = "✅" if r.status == "COMPLIANT" else ("⚠️" if r.status == "PARTIAL" else "❌")
            lines.append(f"| {r.check_name} | {icon} {r.status} | {r.finding} |")
        return "\n".join(lines)


class DORACommChecker:
    def __init__(
        self,
        entity: str,
        plan: CommunicationPlan,
        internal_policy: InternalCommPolicy,
        external_policy: ExternalCommPolicy,
        officer: CommunicationOfficer,
    ):
        self.entity = entity
        self.plan = plan
        self.internal_policy = internal_policy
        self.external_policy = external_policy
        self.officer = officer

    def check_crisis_plan_completeness(self) -> AssessmentResult:
        issues = []
        if not self.plan.covers_major_incidents:
            issues.append("major incident scope missing")
        if not self.plan.covers_significant_vulnerabilities:
            issues.append("vulnerability communication missing")
        if not self.plan.major_incident_thresholds_defined:
            issues.append("major incident thresholds not defined")
        if not self.plan.art19_coordination_documented:
            issues.append("Art.19 coordination procedure missing")
        days_since_review = (datetime.date.today() - self.plan.last_reviewed).days
        if days_since_review > 365:
            issues.append(f"plan review overdue ({days_since_review}d)")

        if not issues:
            return AssessmentResult("Art.14(1) Crisis Plan", "COMPLIANT", "Plan complete and current.")
        if len(issues) <= 2:
            return AssessmentResult("Art.14(1) Crisis Plan", "PARTIAL", f"Gaps: {'; '.join(issues)}", "Close gaps before next NCA inspection.")
        return AssessmentResult("Art.14(1) Crisis Plan", "NON_COMPLIANT", f"Multiple gaps: {'; '.join(issues)}", "Full plan overhaul required.")

    def check_internal_policy(self) -> AssessmentResult:
        issues = []
        if not self.internal_policy.t1_response_team_channel_defined:
            issues.append("T1 response channel not defined")
        if not self.internal_policy.t3_informational_staff_procedure_defined:
            issues.append("informational staff procedure missing")
        if not self.internal_policy.communication_silence_rule_documented:
            issues.append("silence rule not documented")

        if not issues:
            return AssessmentResult("Art.14(2) Internal Policy", "COMPLIANT", "Staff tiers and communication rules documented.")
        return AssessmentResult("Art.14(2) Internal Policy", "PARTIAL" if len(issues) == 1 else "NON_COMPLIANT", f"Gaps: {'; '.join(issues)}")

    def check_external_policy(self) -> AssessmentResult:
        issues = []
        if not self.external_policy.client_policy_defined:
            issues.append("client communication policy missing")
        if not self.external_policy.media_policy_defined:
            issues.append("media/press policy missing")
        if not self.external_policy.single_voice_principle_documented:
            issues.append("single-voice principle not documented")
        if not self.external_policy.regulator_policy_cross_references_art19:
            issues.append("Art.19 cross-reference missing from external policy")

        if not issues:
            return AssessmentResult("Art.14(2) External Policy", "COMPLIANT", "External stakeholder policies complete.")
        return AssessmentResult("Art.14(2) External Policy", "PARTIAL" if len(issues) == 1 else "NON_COMPLIANT", f"Gaps: {'; '.join(issues)}")

    def check_communication_officer(self) -> AssessmentResult:
        issues = []
        if not self.officer.officer_documented_in_framework:
            issues.append("officer not named in ICT risk framework")
        if not self.officer.officer_has_approval_authority:
            issues.append("approval authority not formally granted")
        if not self.officer.officer_crisis_comms_trained:
            issues.append("no crisis communication training on record")
        if not self.officer.backup_officer_name:
            issues.append("no backup officer designated")
        if not self.officer.twentyfour_seven_availability_documented:
            issues.append("24/7 availability not documented")

        if not issues:
            return AssessmentResult("Art.14(3) Comm. Officer", "COMPLIANT", f"{self.officer.primary_officer_name} designated with backup.")
        if len(issues) <= 2:
            return AssessmentResult("Art.14(3) Comm. Officer", "PARTIAL", f"Gaps: {'; '.join(issues)}")
        return AssessmentResult("Art.14(3) Comm. Officer", "NON_COMPLIANT", f"Critical gaps: {'; '.join(issues)}", "Designate and train officer immediately.")

    def check_template_library(self) -> AssessmentResult:
        if self.plan.template_library_exists:
            return AssessmentResult("Communication Templates", "COMPLIANT", "Template library documented in crisis plan.")
        return AssessmentResult("Communication Templates", "NON_COMPLIANT", "No pre-approved templates.", "Pre-draft and approve templates for top 5 incident types.")

    def run_all(self) -> DORACommCheckerReport:
        report = DORACommCheckerReport(entity_name=self.entity, assessment_date=datetime.date.today())
        report.add(self.check_crisis_plan_completeness())
        report.add(self.check_internal_policy())
        report.add(self.check_external_policy())
        report.add(self.check_communication_officer())
        report.add(self.check_template_library())
        return report


# --- Example Usage ---
plan = CommunicationPlan(
    plan_document_ref="ICT-RM-COM-001 v2.1",
    last_reviewed=datetime.date(2026, 2, 1),
    covers_major_incidents=True,
    covers_significant_vulnerabilities=True,
    client_notification_procedure=True,
    counterpart_notification_procedure=True,
    public_notification_procedure=True,
    major_incident_thresholds_defined=True,
    template_library_exists=True,
    art19_coordination_documented=True,
)

internal = InternalCommPolicy(
    policy_document_ref="ICT-RM-COM-002 v1.3",
    t1_response_team_channel_defined=True,
    t2_operational_awareness_channel_defined=True,
    t3_informational_staff_procedure_defined=True,
    communication_silence_rule_documented=True,
    communication_officer_approval_required=True,
)

external = ExternalCommPolicy(
    policy_document_ref="ICT-RM-COM-003 v1.1",
    client_policy_defined=True,
    counterpart_policy_defined=True,
    media_policy_defined=True,
    social_media_policy_defined=True,
    single_voice_principle_documented=True,
    regulator_policy_cross_references_art19=True,
)

officer = CommunicationOfficer(
    primary_officer_name="Head of Communications",
    primary_officer_title="VP Communications",
    backup_officer_name="Chief Risk Officer",
    backup_officer_title="CRO",
    officer_documented_in_framework=True,
    officer_has_approval_authority=True,
    officer_crisis_comms_trained=True,
    last_training_date=datetime.date(2025, 11, 15),
    twentyfour_seven_availability_documented=True,
)

checker = DORACommChecker("Example EU Bank SA", plan, internal, external, officer)
report = checker.run_all()
print(report.to_markdown())

7. DORA × NIS2 Art.21(2) Dual-Compliance Mapping

Entities regulated under both DORA and NIS2 must satisfy parallel communication regimes. DORA is lex specialis for financial entities, so DORA Art.14 takes precedence where there is conflict — but NIS2 Art.21(2) adds complementary obligations not covered by DORA Art.14 alone.

Obligation	DORA Art.14	NIS2 Art.21(2) / Art.23	Dual-Compliance Action
Crisis communication plan	Art.14(1) — crisis plans for major incidents	Art.21(2)(c) — business continuity includes crisis comms	Single plan covering both frameworks
Communication officer designation	Art.14(3) — at least one designated person	Art.20 — management body responsible; no single officer required	Art.14(3) officer also fulfils NIS2 management body comms mandate
Client/stakeholder notification	Art.14(1) — clients, counterparts, public	Art.23(4) — significant incidents: notify affected entities	DORA plan covers NIS2 Art.23(4) if financial entity = essential entity
Staff communication policy	Art.14(2) — internal policy required	Art.21(2)(f) — security training and awareness policies	Joint staff awareness programme covering both frameworks
Regulator notification	Art.19 (separate from Art.14)	Art.23 (NIS2 report to CSIRT/NCA)	Parallel reports — DORA to ESMA/EBA/ECB; NIS2 to sector CSIRT
Vulnerability disclosure	Art.14(1) includes "significant vulnerabilities"	Art.12 — EU vulnerability database (DORA entities likely in scope)	DORA vulnerability comms procedure + NIS2 Art.12 registration

lex specialis rule: Where DORA Art.14 is stricter than NIS2 (e.g., the requirement to communicate to counterparts with no equivalent in NIS2), DORA Art.14 applies. Where NIS2 adds obligations not in DORA Art.14 (e.g., NIS2 Art.23 CSIRT reporting), NIS2 applies additionally.

8. Seven Common NCA Audit Failures for DORA Art.14

Based on published supervisory expectations from EBA, ECB/SREP, national NCAs (BaFin, AMF, DNB, FCA-equivalent conduct regulators), and the DORA JON guidelines:

Failure 1: Communication plan exists but thresholds not defined Plan says "notify clients in case of major incident" but does not define what constitutes a major incident. NCA finding: plan is not operational.

Failure 2: Art.14(3) officer not named — "TBD" in framework Entity has a crisis communication section in the ICT risk management framework but the officer field is blank or says "to be appointed." DORA requires a named person, not a role placeholder.

Failure 3: CISO simultaneously Art.14(3) officer CISO named as sole Art.14(3) officer. During a live incident the CISO is fully occupied with technical response. NCAs have flagged this as creating a single-point-of-failure in the communication chain.

Failure 4: No pre-approved communication templates Entity has a procedure but no templates. During a live incident, drafting messages from scratch leads to delays and legal review bottlenecks. NCA expectation: templates for top 5 incident types pre-approved.

Failure 5: Internal policy lacks staff tier differentiation Single communication policy for all staff with no distinction between response team and informational staff. Result: all employees receive same messages, creating noise in the response channel.

Failure 6: No Art.19 coordination procedure Art.14 external comms policy and Art.19 reporting procedure are developed independently. NCA inspectors routinely check whether the client notification and the regulatory report tell the same story — and whether the Art.14(3) officer reviewed the Art.19 report before client communication was sent.

Failure 7: Plan not tested or reviewed annually Art.14(1) crisis plan has not been tested in a tabletop exercise or live simulation since creation. Most NCAs require annual review evidence; EBA supervisory priorities 2025–2026 explicitly list communication plan testing as an inspection focus.

9. Communication Plan Testing: What NCAs Expect

Annual testing of the Art.14(1) crisis communication plan is not explicitly required in the DORA text but is firmly established in:

EBA Guidelines on ICT and Security Risk Management (EBA/GL/2019/04 — applicable as DORA bridge until EBA ITS published)
ECB SREP inspection methodology (crisis management testing criterion)
EBA supervisory priorities 2025–2026 (communication plan testing listed as focus area)

Minimum Acceptable Testing Evidence:

Test Type	Frequency	Evidence NCA Expects
Tabletop exercise — crisis comms scenario	Annual	Exercise report with participants, scenario, findings, action plan
Notification template review	Annual	Timestamp of legal/compliance approval; version history
Communication officer availability test	Annual	Test call/page log; backup activation test
Art.19 + Art.14 coordination drill	Annual	Joint exercise with reporting function; timeline adherence check
Post-incident review of actual Art.14 usage	After each major incident	Assessment of actual notification timeliness and content quality

10. DORA Art.14 NCA Compliance Checklist (25 Items)

Art.14(1) — Crisis Communication Plan (10 items)

COM-01 Crisis communication plan documented and approved by management body
COM-02 Plan covers major ICT-related incidents as primary trigger
COM-03 Plan covers significant ICT vulnerabilities (separate procedure)
COM-04 Major incident thresholds explicitly defined (align with Art.18/EBA Joint Guidelines)
COM-05 Client notification procedure documented (channel, timing, content standards)
COM-06 Counterpart/B2B notification procedure documented
COM-07 Public communication procedure documented (including "when not to disclose" criteria)
COM-08 Pre-approved client notification templates exist for at least 5 incident types
COM-09 Art.19 coordination procedure integrated into crisis plan
COM-10 Plan reviewed and tested within the last 12 months (evidence on file)

Art.14(2) — Communication Policies (8 items)

COM-11 Internal communication policy documented with staff tier model
COM-12 T1 response team channel defined with escalation protocol
COM-13 T2 management awareness channel defined with update cadence
COM-14 T3 informational staff talking points procedure documented
COM-15 Communication silence rule documented and enforced
COM-16 External communication policy documented covering clients, counterparts, media
COM-17 Single-voice principle documented (all external comms via Art.14(3) officer)
COM-18 Social media monitoring and response procedure included in external policy

Art.14(3) — Communication Officer (7 items)

COM-19 Primary communication officer named in ICT risk management framework (not placeholder)
COM-20 Backup communication officer named with activation procedure
COM-21 Board-level escalation contact documented for systemic incidents
COM-22 Communication officer has formal written authority to approve all external communications
COM-23 Communication officer has completed crisis communications training (≤2 years ago)
COM-24 24/7 availability of Art.14(3) officer (or backup) documented and tested
COM-25 Communication officer is distinct from incident response lead (no dual CISO role)

11. Implementation Timeline for DORA Art.14 Readiness

DORA has been in full application since January 17, 2025. Art.14 obligations are immediately enforceable. NCAs conducting DORA-focused inspections in 2025–2026 will review Art.14 compliance as part of Chapter II ICT Risk Management Framework assessments.

For entities not yet fully compliant:

Week	Action
Week 1–2	Gap assessment using COM-01 to COM-25 checklist; document current state
Week 3–4	Designate Art.14(3) officer (primary + backup); document in framework
Week 5–6	Draft Art.14(1) crisis communication plan with defined thresholds
Week 7–8	Develop client notification templates (minimum 5 incident types)
Week 9–10	Draft internal staff communication policy with tier differentiation
Week 11–12	Draft external communication policy; Art.19 coordination procedure
Week 13	Legal/Compliance review and management body approval of all documents
Week 14	Tabletop exercise: full Art.14 + Art.19 coordination drill
Week 15	Close audit gaps identified in tabletop; final version documents
Week 16	Annual review schedule established; testing calendar in ICT risk plan

DORA Art.14: Communication Strategy — Crisis Plans, Designated Officers, and ICT Incident Disclosure for Financial Services (2026)

1. Who Is Subject to DORA Art.14

2. Art.14(1): Crisis Communication Plans

The Obligation

What "Major" Means Under DORA

Crisis Communication Plan: Required Content

3. Art.14(2): Internal and External Communication Policy

The Obligation

Internal Communication Policy: Staff Differentiation Matrix

External Communication Policy

4. Art.14(3): Designated Communication Officer

The Obligation

Who Can Be the Designated Communication Officer?

Scope of the Art.14(3) Role

5. Art.14 × Art.19 Integration: Communication vs. Regulatory Reporting

6. Python DORACommChecker Implementation

7. DORA × NIS2 Art.21(2) Dual-Compliance Mapping

8. Seven Common NCA Audit Failures for DORA Art.14

9. Communication Plan Testing: What NCAs Expect

10. DORA Art.14 NCA Compliance Checklist (25 Items)

Art.14(1) — Crisis Communication Plan (10 items)

Art.14(2) — Communication Policies (8 items)

Art.14(3) — Communication Officer (7 items)

11. Implementation Timeline for DORA Art.14 Readiness

See Also

6. Python `DORACommChecker` Implementation