Why Excel is not enough: DORA requires real software

The Digital Operational Resilience Act (DORA) is fundamentally changing the approach to ICT risk management and cyber security. Whereas previously a combination of documents, spreadsheets and one-off audits could suffice, today a continuous, managed and demonstrable system is expected.

It is in this context that Excel, as widespread and practical as it is, is no longer enough.

Excel is often the first step. It’s fast, accessible and most people know how to use it. For basic asset records or a simple risk list, it can work. The problem arises when an organization starts to meet the actual requirements of DORA. These are not based on a one-off spreadsheet, but on a long-term sustainable process. DORA compliance is not a project that is completed once. It is a living mechanism that is constantly adapting to changes in the IT environment, organizational structure and current threats.

In such an environment, the limitations of Excel quickly become apparent. Data becomes outdated, individual files diverge and no one is sure which version is correct. There is no single source of truth. As soon as one asset, process or risk changes, that change needs to be reflected in multiple places, which often does not happen in practice.

This is where specialized software like cybreg starts to make sense. It’s not just about record keeping, it’s about management. Find out more about the approach here: cybreg.dora

From registration to management

One of the typical problems in Excel is that the organization doesn’t really know exactly what to protect. Assets, processes and their links exist, but they are not systematically linked. In cybreg, these relationships are modelled directly in the system. Each asset has an owner, a value and a link to specific processes. This makes it possible to immediately see which parts of the organization are critical and what the impact of their failure would be.

Another typical scenario is working with risks. In Excel, risks are often recorded in isolation and their evaluation is manual. As soon as, for example, the value of an asset or the probability of a threat changes, everything needs to be recalculated. In cybreg, risks are linked to assets and processes and the system automatically calculates their resulting level based on impact and probability.

Proof instead of chaos

Another big difference from Excel is the work with evidence and auditing. Tables often lack a clear history of changes and traceability. When auditing, information is then difficult to track down in emails or older versions of files. Cybreg, on the other hand, keeps a complete audit trail, including document versioning, change measures and accountabilities. Every change is traceable and demonstrable.

One reality instead of multiple Excel files

At the same time, in practice, organisations do not address just one regulation. DORA often overlaps with NIS2, ISO 27001 or GDPR. In Excel, this means duplication and constant overwriting of data. Cybreg allows you to record one measure and map it to multiple regulatory frameworks at the same time. This significantly reduces the administrative burden and increases data consistency.

Driving instead of tracking

Another major difference is seen in areas where active management, not just record keeping, is needed.

A typical example is supplier management. DORA places great emphasis on third parties and their risks. Cybreg connects suppliers to assets and processes and makes it possible to identify, for example, concentration risk when multiple critical areas depend on one supplier.

Incident management works in a similar way. Instead of static spreadsheet records, cybreg offers management of the entire process, including statuses, responsibilities and asset relationships.

Real-time overview

DORA requires the ability to provide evidence of current status at any time. Not just the detail, but the big picture.

Cybreg offers dashboards and reports that show the status of risks, the implementation of measures or the level of compliance in real time. In addition, reports can be generated in formats required by the regulator, for example for the CNB.

Conclusion

Although DORA does not prescribe a specific technology, it clearly shows that tables are not enough. Organizations need a system that connects data, enables collaboration, provides traceability, and can respond to changes in real time.

Excel remains a good starting point. However, once an organisation moves towards the actual implementation of DORA, it becomes more of a hindrance than a solution.