ICT/Information assets
DORA Asset Management: What regulators expect
Summary
— AI Generated
Core requirement: Know what you have

DORA requires you to create and maintain a comprehensive inventory of all your digital assets. This isn't optional – it's a fundamental regulatory expectation that forms the foundation of your ICT risk management.

Two types of assets you must track

- Information assets: any collection of information worth protecting (e.g., customer data, financial records, business intelligence, etc.)
- ICT assets: all your technology hardware and software (e.g., servers, computers, applications, network equipment, etc.)

What you must do: the four-step process

1. Identify and classify everything
   - Document all business functions and who's responsible for them
   - Map every information and ICT asset that supports these functions
   - Include any hardware or software you use, even if it's owned by a third party
2. Record for each ICT asset the required information
   - Unique identifier (asset tag, serial number, etc.)
   - Physical or logical location
   - Classification level (e.g., confidential, internal, public for information assets; non-critical, normal, critical, etc. for ICT assets)
   - Asset owner (who's responsible)
   - Business recovery requirements (how quickly it needs to be restored)
   - External network exposure (including internet-facing)
   - Support end dates from vendors or service providers
3. Document how assets connect and what depends on what
   - Business functions the asset supports
   - Dependencies with other assets and business functions
4. Establish criteria to determine which assets are most critical by evaluating
   - ICT risk level of the business functions they support
   - Impact of loss – what happens if confidentiality, integrity, or availability is compromised

Ongoing responsibilities

- Annual reviews: review and update inventories of business functions and assets at least yearly
- Change management: update inventories whenever you make major changes to your ICT environment
- Continuous monitoring: keep inventories current as your technology landscape evolves

Policy and procedure requirements

Must prescribe:
- How you'll monitor and manage the entire lifecycle of ICT assets
- Record keeping requirements for all the details listed in the above four-step process
- Record keeping requirements for information necessary to perform ICT risk assessments on legacy systems (micro-enterprises exempted)

Must specify criteria for criticality assessment of all information and ICT assets supporting business functions, considering:
- ICT risk related to business functions and their dependencies on assets
- Impact analysis of losing confidentiality, integrity, and availability of assets on business processes and activities

Bottom line for compliance

DORA expects you to have complete visibility into your digital environment. You cannot manage what you don't know you have. The regulation requires systematic identification, classification, documentation, and ongoing management of all assets that support your business operations.

Key takeaway: Asset management under DORA isn't just about creating a list – it's about building a living inventory that enables effective ICT risk management and demonstrates regulatory compliance through clear documentation and regular updates.

From requirements to reality

Understanding what regulators expect is only the first step. The real challenge lies in translating these requirements into practical, day-to-day processes that work for your organization without overwhelming your resources.

Many financial institutions find themselves asking: "We know what we need to do, but how do we actually implement this systematically without breaking our budget or consuming all our time?"

The gap between regulatory requirements and practical implementation often feels overwhelming, especially for small and medium institutions with limited IT resources. You need a clear, step-by-step approach that transforms these abstract requirements into concrete actions.

Ready to turn requirements into action?

Whether you're looking to implement DORA asset management with existing resources or seeking a more automated approach, you have proven paths forward.

- Learn how to build compliant asset management using spreadsheets and existing tools – perfect for organizations wanting to start immediately with minimal investment
- Explore how automated asset discovery, dependency mapping, and regulatory reporting can transform compliance from a burden into a strategic advantage

Sources used for this article

- https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022R2554#art_8
- https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202401774#art_4
- https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202401774#art_5