DORApp Blog
DORA Fundamentals

DORA RTS and ITS: Complete Guide (2026)

M
ByMatevž Rostaher
DORA RTS vs ITS comparison image with structured regulatory documents and reporting workflow concept
dora-rts-guide-hero-image-showing-compliance-workspace-with-regulatory-documents-1.jpg

If you work in compliance, risk, procurement, or IT at a financial institution, you have probably had this moment already: you understand the Digital Operational Resilience Act at a high level, but then the real work starts. Someone asks which data points must be reported, what the incident templates actually require, how third-party arrangements should be documented, or what format regulators expect. That is usually where the conversation shifts from the law itself to the technical standards behind it.

DORApp was built to simplify DORA compliance for EU financial institutions through a modular approach, turning complex regulatory requirements into structured, manageable workflows with a focus on technically acceptable reporting outputs. For many teams, the challenge is not reading DORA once. It is translating DORA into repeatable daily operations, evidence, and submissions that hold up under scrutiny.

This article explains what DORA RTS and ITS are, how they differ, where they matter most in practice, and what compliance teams should pay attention to in 2026 as regulators move from initial compliance to proof of compliance.

  • What RTS and ITS mean under DORA
  • DORA RTS and ITS: where to find the official texts and how to track updates
  • Why the standards matter in practice
  • RTS vs ITS in practice: how they impact operating model design
  • Where DORA RTS and ITS show up most often
  • The main DORA RTS and ITS you will run into
  • What changed in 2026
  • How to prepare your team
  • Common mistakes to avoid
  • Frequently Asked Questions
  • Key Takeaways
  • Conclusion

    • What RTS and ITS mean under DORA

    DORA, formally Regulation (EU) 2022/2554, sets the legal framework for digital operational resilience across EU financial entities. If you need a broader foundation first, it helps to review what is dora and a more detailed dora regulation explained breakdown.

    Here is the practical distinction. Regulatory Technical Standards, usually called RTS, add detail to the core regulation. They explain how certain obligations should be interpreted or structured. Implementing Technical Standards, usually called ITS, focus more on standardized methods, templates, forms, and reporting mechanics so authorities receive information in a consistent way.

    Think of RTS as the rule design, and ITS as the reporting instructions

    That is not a legal definition, but it is a useful working model. RTS often shape the substance of what you need to control, assess, document, or oversee. ITS often define how information should be presented, exchanged, or submitted.

    Under DORA, both matter because compliance is not only about having policies. It is also about producing evidence in a format supervisors can actually review and compare across institutions.

    Why this distinction matters to non-lawyers

    Many operational teams do not struggle with the headline requirement. They struggle with implementation. A legal text might say you need incident reporting, ICT risk management, or third-party oversight. The RTS and ITS tell you what that looks like in operational detail, what fields may be expected, and how structured your processes need to become.

    That is why dora rts becomes such an important search term once institutions move from awareness into execution.

    DORA RTS and ITS: where to find the official texts and how to track updates

    Here is the thing: in day-to-day implementation, the hardest part is often not understanding what RTS and ITS are. It is making sure your team is working from the final, legally applicable text, not a draft, a consultation paper, or an older consolidated file someone saved to a shared drive.

    Where the authoritative RTS and ITS text is typically published

    In most cases, the legally applicable versions of RTS and ITS are published as EU legal acts and become authoritative once they are adopted and published through official EU channels. Practically, teams often look to the Official Journal of the European Union for the final published act, because that is where publication and entry-into-force context is recorded.

    You will also typically see the European Commission publish delegated acts and implementing acts on its official pages. That matters because RTS are usually adopted as delegated acts, while ITS are usually adopted as implementing acts. The difference is not just terminology. It often signals whether you are looking at control expectations and criteria, or at standardized procedures and templates that may be used for supervisory intake.

    Drafts and near-final documents can still be useful for planning, but from an execution standpoint, you want to lock your policies, templates, and reporting logic to the final version with the correct publication and application dates.

    A simple workflow for keeping your internal “standards register” current

    Most institutions already have a place where obligations live, sometimes a GRC tool, sometimes a spreadsheet, sometimes both. The difference often comes down to how well the register is maintained once the project phase ends.

    A practical “standards register” for DORA RTS and ITS typically includes:

  • Standard name and topic, in plain language your teams use internally
  • Type: RTS or ITS
  • Version or official reference, with a linkable identifier in your internal system
  • Publication date and application date, tracked separately
  • Which DORA pillar it affects, so you can route it to the right workstream
  • Internal owner and secondary reviewer, so monitoring is not nobody’s job
  • Impact note, for example “new fields for reporting” or “tightened criteria”

    • This is not about creating paperwork. It is about reducing the chance that incident reporting logic, ROI data fields, or third-party policy language stays frozen while the standards move on.

    How to avoid outdated references in policies, templates, and reporting runs

    Consider this: the fastest way to create recurring remediation work is to embed a draft template or an old classification rule into your operating procedures, then keep running it as if it were current.

    To reduce that risk, teams often do a few simple things:

  • Bookmark official listings you use as your “source of truth” and agree internally which one wins in a conflict
  • Assign monitoring ownership, with a realistic cadence, for example monthly checks plus ad hoc checks around known adoption windows
  • Build a lightweight change note into your reporting calendar, so updates trigger a controlled review before the next submission cycle
  • Store the final applicable text alongside your internal interpretation, so auditors and supervisors can trace why a process step exists

    • In regulated environments, that traceability typically matters as much as the content itself. It helps you show that your process is anchored to the current standard, not to institutional memory.

    Why the standards matter in practice

    The reality is simple: supervisors do not assess resilience based only on your intention to comply. They assess whether your processes, records, controls, and reporting outputs align with current standards. That is why the combination of dora rts and dora its has a direct impact on workload, evidence quality, and regulatory readiness.

    From a regulatory standpoint, DORA has five pillars: ICT risk management, incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. If you want a structured overview, Dorapp’s DORA Pillars Explained: Complete Breakdown (2026) is a helpful companion piece.

    Each pillar may be supported by technical standards that become highly relevant for operational teams. Under DORA, this means your legal, compliance, IT, security, and procurement functions often need to work from the same interpretation of the same standard.

    Consistency is now part of compliance

    What many people overlook is that technical standards are also about comparability. Regulators want cross-entity consistency. They want to understand whether one institution reports incidents, outsourcings, and risk classifications in a way that can be compared with another institution.

    This is one reason the Register of Information has become so central. It is not just a list. It is structured supervisory data. If you are working through that topic, this guide to the dora register of information will help frame it properly.

    Platforms like DORApp streamline the creation and maintenance of the Register of Information process through a structured workflow that includes data import, record management, enrichment from public sources, validation checks, and export of DORA-compliant reports in XBRL format based on current technical requirements.

    dora-rts-vs-its-comparison-image-with-structured-regulatory-documents-and-report-1.jpg

    RTS vs ITS in practice: how they impact operating model design

    If you are designing your DORA operating model, it helps to treat RTS and ITS as two different kinds of implementation work. Both matter, but they tend to stress different parts of your organization.

    RTS often drives control expectations, ITS often drives data and submission mechanics

    From a practical standpoint, RTS usually shapes what your controls and governance need to look like. That could include how you structure your ICT risk management framework, what you document around third-party and subcontracting risk assessment, and what governance evidence you can produce consistently.

    ITS, on the other hand, often turns into a data-model and reporting-engineering problem. It may define required fields, validations, report structures, and timelines. That can show up as “the form we have to fill in” for incident reporting, or “the template structure” behind Register of Information submissions.

    Think of it this way: RTS tends to answer, “What should exist, and at what level of rigor?” ITS tends to answer, “What exactly must be submitted, in what structure, and when?”

    Evidence artifacts supervisors often expect to see aligned to the standards

    There is no single universal checklist across all authorities, and expectations can vary by institution type and jurisdiction. Still, when RTS and ITS become the benchmark, supervisors and auditors typically look for artifacts that show your process runs, not just that it was designed.

    Common examples include:

  • Process documentation and role definitions that tie back to the relevant RTS expectations
  • Incident logs with clear classification rationale and an audit trail of escalation and reporting decisions
  • Third-party inventories that reconcile to procurement and IT realities, not just contractual records
  • Testing plans, test results, and remediation tracking for resilience testing activities
  • Register of Information completeness checks, validation outcomes, and evidence of review gates before submission

    • This does not guarantee how any given supervisor will assess your program, but it reflects the kind of traceability that often reduces follow-up questions.

    A simple translation approach: turn each requirement into operating model components

    What many people overlook is that standards get implemented twice: first as interpretation, then as operations. A useful internal method is to translate each relevant RTS or ITS requirement into four operational elements:

  • A data field: what you need to capture and store
  • A process step: when and how the data is created, reviewed, and updated
  • An owner: the accountable team or role for accuracy and timeliness
  • A review cadence: how often it is checked, refreshed, and challenged

    • If you do this consistently, RTS and ITS stop being documents you “read” and become a managed backlog of controls, data, and evidence. For most small compliance teams inside larger institutions, that shift is what makes the workload predictable instead of deadline-driven.

    Where DORA RTS and ITS show up most often

    If you are trying to prioritize, focus first on the areas where technical standards tend to create the most operational friction.

    Incident reporting

    Major ICT-related incident reporting is one of the clearest examples of dora implementing technical standards in action. Institutions need more than an incident policy. They need classification criteria, internal escalation logic, reporting triggers, and the ability to complete supervisory templates accurately and on time.

    In practice, this usually affects security, IT operations, legal, communications, and compliance at the same time. That is one reason incident workflows often break down if ownership is unclear.

    ICT risk management

    DORA expects financial entities to maintain a sound internal governance and control framework around ICT risk. If you are reviewing your methodology, it is worth reading more on the ict risk management framework dora and the broader concept of ict risk dora.

    RTS in this area can shape expectations around assessment logic, control design, documentation depth, and governance evidence. That matters because an institution may believe its framework is mature, while supervisors may be looking for a more specific audit trail.

    Third-party risk and the Register of Information

    This is where many institutions feel the weight of DORA most directly. You need an accurate inventory of ICT third-party service arrangements, including the structured data needed for supervisory reporting. The first Register of Information submission deadline was 30 April 2025, and in 2026 the focus has shifted from initial filing to data quality, consistency, and evidence that the process is maintained continuously.

    DORApp includes a dedicated ROI module, a proprietary relationship-based data model, public-data enrichment, and DORA report export functionality that converts maintained records into XBRL-based reporting outputs. That kind of support can reduce manual rework, but the regulatory obligation still sits with the institution.

    XBRL and submission mechanics

    For many compliance teams, XBRL feels like a technical wall between good data and accepted submission. Yet this is exactly where ITS becomes very practical. Supervisors increasingly rely on structured machine-readable formats to validate submissions automatically.

    If your team needs a broader context, the Dorapp XBRL category is a useful place to continue reading.

    The main DORA RTS and ITS you will run into

    If you are building an internal plan, it helps to move from “areas affected” to “standards packages you will actually run into.” You do not need to memorize every document title to do this well. You need a practical map that tells you which workstreams will be driven by RTS, which will be driven by ITS templates, and where structured reporting will hit you.

    A practical mapping to the five DORA pillars

    Below is a simple way many teams group the most common DORA RTS and ITS themes by pillar. The naming varies across internal programs, but the topics tend to be consistent.

  • ICT risk management: RTS themes typically cover what an ICT risk management framework should include, including governance elements, policies, and expectations around maintaining an auditable control environment.
  • Incident reporting: RTS themes typically cover classification criteria and reporting triggers. ITS themes typically cover the reporting process mechanics and the templates or structured formats authorities expect.
  • Digital operational resilience testing: RTS themes typically include threat-led penetration testing (TLPT) expectations, including scope logic, involvement, and documentation requirements that support oversight.
  • ICT third-party risk management: RTS themes often cover third-party policy requirements, oversight expectations, and subcontracting-related risk considerations that need to be reflected in governance and contracting practices.
  • Information sharing: even where this pillar is less template-heavy, institutions still tend to align internal governance and risk decisioning to the relevant standards and supervisory expectations.

    • The Register of Information cuts across the third-party pillar in particular, but operationally it also touches data management, procurement, IT, and governance. That is why it often behaves like a standalone program even when it sits inside TPRM.

    RTS that define criteria and content vs ITS that define forms and procedures

    The difference often comes down to what kind of work is created. RTS tends to define criteria, thresholds, and content requirements. ITS tends to define the forms, templates, and procedures you must follow to submit information consistently.

    Incident reporting is a good example. Teams typically need RTS-driven logic for classification and timing triggers, then ITS-driven mechanics to populate the required reporting templates correctly and submit them through the expected channels.

    The Register of Information is another common example. The core obligation is in DORA, but the operational pain often comes from ITS-style structure and template expectations. You can have a complete vendor inventory and still struggle if the fields, relationships, or validations do not match what the template requires.

    What this mapping helps you do operationally

    This is not just categorization. A clear mapping usually helps you:

  • Prioritize workstreams by which ones are likely to trigger structured reporting and tighter supervisory validation
  • Assign SMEs early, for example security and IT for incident classification, procurement and TPRM for supplier records, and reporting teams for submission mechanics
  • Spot dependencies, such as how subcontracting assessment impacts ROI completeness and third-party oversight evidence
  • Plan for operating rhythm, meaning what gets updated continuously vs what is reviewed periodically

    • For most institutions, this is where RTS and ITS stops being an abstract legal topic and becomes a realistic work plan with accountable owners.

    dora-implementing-technical-standards-visual-showing-compliance-operations-workf-1.jpg

    What changed in 2026

    2026 is not just another compliance year. It marks the shift from implementation to evidence. Many institutions met the 17 January 2025 applicability date by standing up minimum processes. Now supervisors are increasingly asking whether those processes actually operate, whether records remain current, and whether outputs can withstand automated and manual review.

    Proof of compliance matters more than project completion

    Consider this: a spreadsheet-based process may have been enough to get through early internal mobilization. It may not be enough once regulators begin cross-checking submissions and looking for recurring data issues across reporting cycles.

    As currently defined, 2026 also sits in a broader regulatory context. The ESAs designated Critical Third-Party Providers in November 2025. Delegated Regulation (EU) 2025/532 introduced deeper subcontracting risk considerations. The ECB also finalized its guide on outsourcing cloud services in July 2025. These developments increase pressure on institutions to show that third-party governance is active, not static.

    Automated scrutiny is increasing

    No more grace period is the practical message many teams are hearing. Regulators are increasingly using automated checks to compare ICT register content, submission structure, and recurring information gaps. That does not mean every authority behaves identically, but it does mean technical quality has become a larger part of supervisory credibility.

    With features such as configurable workflows, audit trail visibility, record validation, full-text search, and XBRL-oriented report export, DORApp is designed to help teams work with imperfect data while still moving toward a more controlled and reviewable operating model.

    How to prepare your team for DORA RTS and ITS

    If your institution still treats technical standards as something for legal review only, it is worth changing that approach. DORA RTS ITS implementation is operational work.

    Start with a map of obligations to owners

    Make a clear list of which RTS and ITS affect which function. Compliance may interpret the obligation, but IT may own control evidence, procurement may own supplier data, and security may own incident classification inputs. Without that mapping, deadlines often become last-minute collection exercises.

    Separate legal interpretation from reporting production

    These are connected, but they are not the same. One workstream should answer what the standard requires. Another should answer how your institution captures, validates, reviews, and exports the data or evidence. That is where many programs stall.

    Build around repeatability, not heroics

    From a practical standpoint, the best operating models reduce dependence on one person who understands the templates. You want repeatable workflows, review gates, traceability, and a defensible audit trail. DORApp’s modular structure, including ROI, TPRM, and planned broader lifecycle support, reflects that kind of operating model by turning obligations into maintained processes rather than isolated projects.

    If you want a broader starting point for core concepts, the digital operational resilience act dora explainer and the DORA European Commission Timeline and History (2026) article are worth bookmarking.

    Common mistakes institutions make with DORA technical standards

    Most problems are not caused by a total lack of effort. They come from reasonable assumptions that break down under regulatory detail.

    Treating RTS and ITS as optional add-ons

    Some teams read the regulation and assume they have covered the requirement in principle. Then they realize the technical standards define the actual shape of the process or submission. By then, remediation work is more expensive.

    Keeping critical reporting logic in uncontrolled spreadsheets

    Spreadsheets can still play a role, especially for data gathering. The issue starts when validation rules, ownership, and report logic live only in a few tabs that nobody else fully understands. That increases key person risk and often weakens auditability.

    Confusing tool functionality with legal sufficiency

    A platform may help you structure data, validate records, or export a file, but it does not replace your legal and regulatory judgment. Tools support compliance processes. They do not transfer accountability away from the institution.

    Ignoring category-specific guidance and adjacent standards

    DORA does not operate in a vacuum. National practices, supervisory expectations, sector profile, outsourcing guidance, and interconnected rules may all shape how your implementation is reviewed. The DORA Fundamentals category is useful if you need to widen the lens without losing practical focus.

    Disclaimer: The information in this article is intended for general informational and educational purposes only. It does not constitute professional technical, legal, financial, or regulatory advice. Website performance outcomes, platform capabilities, and business results will vary depending on your specific circumstances, goals, and implementation. Always evaluate tools and platforms based on your own needs and, where relevant, seek professional guidance.

    This article is for informational purposes only and does not constitute financial, legal, or regulatory advice. DORA compliance requirements may vary based on your institution type, size, and national regulatory framework. Content referencing regulated industries is provided for general context only and should not be interpreted as legal, regulatory, compliance, or financial advice. If you operate in a regulated sector, always consult qualified financial, legal, and compliance professionals for guidance specific to your situation.

    dora-rts-its-2026-readiness-image-showing-compliance-planning-audit-preparation--1.jpg

    Frequently Asked Questions

    What is the difference between DORA RTS and DORA ITS?

    DORA RTS usually provide more detailed rules on how certain requirements should be structured or assessed, while DORA ITS typically specify standardized formats, templates, and reporting mechanics. In simple terms, RTS often shape the substance of compliance expectations, and ITS often shape how information is reported or exchanged. In practice, both matter because institutions need not only compliant policies but also technically acceptable supervisory outputs. For operational teams, the distinction becomes important when assigning responsibilities between legal interpretation, process owners, and reporting teams.

    Why are technical standards so important under DORA?

    Because the core regulation sets the framework, but the technical standards usually define much of the operational detail. Without understanding the relevant RTS and ITS, teams may know what DORA expects at a high level but still miss how to document, classify, report, or validate information in practice. This becomes especially important for incident reporting, ICT risk governance, and the Register of Information. Technical standards also support consistency across the EU, which helps supervisors compare data from multiple institutions using a common structure.

    Do all financial entities need to care about every DORA RTS and ITS?

    No, not necessarily in the same way. DORA applies to 20 categories of EU financial entities, but the relevance of a given RTS or ITS may depend on your institution type, scale, operational model, and risk profile. Some standards will be central to nearly all institutions, especially around ICT risk management and third-party oversight. Others may have more specific operational implications depending on how your organization handles incidents, testing, outsourcing, or group governance. That is why it helps to map each standard to affected functions and owners.

    Are RTS and ITS legally binding under DORA?

    As adopted and applicable under the EU legislative framework, RTS and ITS are intended to operationalize parts of the regulation and are not just optional guidance. That said, institutions should always review the final adopted text, current supervisory guidance, and any national implementation context that affects practical interpretation. Teams sometimes treat technical standards as secondary reading, but that can create serious implementation gaps. If your institution is making material decisions based on a specific standard, legal and compliance review remains important.

    How do DORA RTS and ITS affect the Register of Information?

    They affect both what data needs to be organized and how that data may need to be structured for supervisory submission. The Register of Information is not simply a vendor inventory. It is a structured record of ICT third-party service arrangements that regulators may examine for completeness, consistency, and reporting quality. That is why institutions often need clearer data ownership, stronger validation, and repeatable export processes. In 2026, the challenge is less about filing once and more about maintaining a reliable process that continues to produce defensible outputs over time.

    What role does XBRL play in DORA implementing technical standards?

    XBRL is important because certain DORA reporting outputs are expected in structured machine-readable format, which supports automated supervisory review. For many compliance teams, this is where DORA ITS becomes very tangible. You may have the right underlying information, but if the formatting, taxonomy alignment, or submission structure is wrong, you could still face technical rejection or remediation work. That is one reason many institutions now separate data ownership from reporting production and use purpose-built workflows to reduce avoidable formatting issues.

    Can a software platform make an institution DORA compliant?

    No. A platform can support your compliance processes, improve data quality, reduce manual effort, and help structure workflows and reporting. It cannot take over legal accountability or guarantee that your institution meets every regulatory expectation. DORA compliance depends on governance, control design, operational execution, oversight, and institution-specific interpretation. Tools are most helpful when they make ongoing compliance more repeatable and auditable. They are least helpful when treated as a substitute for ownership, process discipline, or qualified legal and compliance review.

    What should teams prioritize first if they are behind on DORA technical standards?

    Start by identifying which standards create immediate operational obligations for your institution, then map those obligations to data owners, process owners, and reviewers. In many cases, the highest-priority areas are the Register of Information, incident reporting readiness, and ICT risk governance evidence. After that, focus on whether your current operating model can produce repeatable, reviewable outputs rather than one-off manual submissions. Teams that prioritize ownership clarity and data quality early often make faster progress than teams that begin with large-scale documentation refreshes alone.

    What changed for compliance teams in 2026?

    2026 has become the year of proof, not just preparation. Many institutions had enough structure in place to meet the original DORA applicability date, but supervisors now expect to see maintained records, consistent submissions, and evidence that controls operate over time. Developments such as CTPP designation, deeper subcontracting scrutiny, and more automated cross-checking of reported data have increased the importance of technical quality. For compliance teams, this usually means strengthening governance, validation, and cross-functional coordination rather than relying on deadline-driven remediation efforts.

    What are RTS in DORA?

    RTS in DORA are Regulatory Technical Standards that add detailed, legally applicable requirements to parts of the DORA regulation. They typically clarify what processes, controls, criteria, or governance elements should exist and how they should be structured. For operational teams, RTS often translate into control design, documentation expectations, and the evidence you need to retain over time.

    What does RTS mean in DORA?

    In the DORA context, RTS means Regulatory Technical Standards. These are technical rules that sit under the main regulation and usually define the detailed substance of how certain obligations are expected to work in practice. Teams often treat RTS as the bridge between high-level legal requirements and day-to-day control and governance expectations.

    What is the difference between RTS and ITS?

    RTS usually focus on detailed criteria and content, meaning what you are expected to implement and oversee. ITS usually focus on standardized procedures and formats, meaning how you are expected to report or submit information. A common example is incident reporting, where RTS may drive classification criteria and timing triggers, while ITS may drive the reporting templates, required fields, and submission mechanics.

    What is RTS regulation?

    RTS regulation usually refers to the EU legal mechanism where Regulatory Technical Standards are adopted as binding acts that supplement a primary regulation. In DORA, RTS are used to specify detailed requirements under the main framework. Because the final applicable version is adopted and published through official EU processes, institutions typically track both publication and application dates and align internal policies and controls to the adopted text.

    Key Takeaways

  • DORA RTS and ITS turn high-level legal obligations into practical operational and reporting requirements.
  • RTS often shape the substance of controls and governance, while ITS often define reporting formats and submission mechanics.
  • The biggest pressure points are usually incident reporting, ICT risk management, the Register of Information, and XBRL-based outputs.
  • In 2026, regulators are looking for maintained evidence and repeatable processes, not just initial compliance projects.
  • Tools like DORApp may help structure workflows and reporting, but accountability for compliance remains with your institution.

    • Conclusion

    DORA RTS and ITS matter because they are where broad obligations become real work. They affect how you classify incidents, structure third-party records, evidence ICT risk governance, and prepare technically acceptable submissions. For most institutions, the hardest part is not understanding that DORA exists. It is translating technical standards into routines that are clear, repeatable, and defensible.

    That is also why 2026 feels different. The conversation has shifted from startup-mode compliance to operational credibility. If your current process still depends on scattered spreadsheets, last-minute reconciliations, or a few people carrying all the reporting logic, now is a good time to tighten the model.

    If you want a more structured way to approach DORA reporting and ongoing resilience operations, explore how DORApp handles modules such as the Register of Information, XBRL-oriented reporting workflows, and audit-ready process support. You can also visit the Dorapp blog for more practical guidance on DORA fundamentals, technical standards, and implementation decisions.

    M

    About the Author

    Matevž Rostaher is Co-Founder and Product Owner of DORApp. He brings deep experience in building secure and compliant ICT solutions for the financial sector and is positioned by DORApp as an expert trusted by financial institutions on complex regulatory and operational challenges. DORApp’s own webinar materials list him as CEO and Co-Founder of Skupina Novum d.o.o. and CEO and Co-Founder of FJA OdaTeam d.o.o. His articles should carry the voice of someone who understands not just compliance requirements, but the systems and delivery realities behind them.