
DORA Compliance Checklist

Digital Operational Resilience Act (Financial Services)

Overview

The Digital Operational Resilience Act (DORA) is an EU regulation (Regulation (EU) 2022/2554) that establishes a comprehensive ICT risk management framework for the financial sector. It became fully applicable on January 17, 2025. DORA applies to virtually all regulated financial entities in the EU, including banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, and critically, the ICT third-party service providers that serve them. Unlike a directive, DORA is directly applicable across all EU member states without requiring national transposition.

Five Pillars of DORA

Pillar | Focus Area | Key Requirements
ICT Risk Management | Governance and risk framework | Comprehensive ICT risk management framework with Board accountability, risk appetite, and documented policies
ICT Incident Reporting | Detection and notification | Classify, report, and document ICT-related incidents with prescribed notification timelines to competent authorities
Digital Operational Resilience Testing | Testing program | Regular testing of ICT systems, threat-led penetration testing (TLPT) for systemically important entities
ICT Third-Party Risk | Vendor management | Contractual requirements for ICT providers, concentration risk assessment, and oversight of critical providers
Information Sharing | Threat intelligence | Voluntary information sharing arrangements for cyber threat intelligence between financial entities

ICT Risk Management Framework

The management body (board or equivalent) is directly responsible for defining, approving, and overseeing the ICT risk management framework. This includes setting the risk appetite for ICT risk, approving the digital resilience strategy, and allocating adequate budget and resources. The framework must cover identification and classification of ICT assets, continuous monitoring and detection of anomalous activities, comprehensive business continuity and disaster recovery plans, and learning and evolving processes based on incidents and testing. Financial entities must maintain documentation that demonstrates compliance to supervisory authorities.

Incident Reporting Requirements

DORA establishes a standardized incident classification and reporting framework:

  • Classify incidents based on impact criteria including number of clients affected, duration, geographical spread, data losses, and criticality of services impacted
  • Notify the competent authority of major ICT incidents through three stages: initial notification (within 4 hours of classification), intermediate report (within 72 hours), and final report (within one month)
  • Maintain an internal incident register logging all ICT incidents and significant cyber threats
  • Inform affected clients when major incidents impact their financial interests
  • Voluntarily report significant cyber threats to the competent authority
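A small deadline tracker for the three reporting stages and the internal incident register described above, added here as an illustration and not part of the original checklist. The thirty-day reading of "one month", the `Incident` structure and the sample register entries are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# The three reporting stages named on the page, each measured from the moment
# the incident was classified as major. "One month" is modelled as 30 days,
# which is an assumption; the page does not state the calendar rule.
STAGES = {
    "initial": timedelta(hours=4),
    "intermediate": timedelta(hours=72),
    "final": timedelta(days=30),
}

@dataclass
class Incident:
    ref: str
    classified_at: datetime                          # when classified as major
    submitted: dict = field(default_factory=dict)    # stage -> datetime filed

def deadlines(inc):
    """Reporting deadline for each stage of a major incident."""
    return {stage: inc.classified_at + delta for stage, delta in STAGES.items()}

def overdue_stages(inc, now):
    """Stages whose deadline has passed with no report filed."""
    return [s for s, due in deadlines(inc).items()
            if s not in inc.submitted and now > due]

def late_stages(inc):
    """Stages that were filed, but after their deadline."""
    return [s for s, due in deadlines(inc).items()
            if s in inc.submitted and inc.submitted[s] > due]

# Constructed sample register (hypothetical incidents, not real data).
T0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)

def at(hours):
    """Clock helper: a point in time `hours` after T0 (negative is before)."""
    return T0 + timedelta(hours=hours)

REGISTER = [
    Incident("INC-001", at(0), {"initial": at(3)}),     # filed on time
    Incident("INC-002", at(-48), {"initial": at(-43)}), # initial filed 5h after
]

def register_report(now):
    """Map each incident to its overdue and late stages as of `now`."""
    return {i.ref: {"overdue": overdue_stages(i, now), "late": late_stages(i)}
            for i in REGISTER}

if __name__ == "__main__":
    for ref, status in register_report(at(30)).items():
        print(ref, status)
```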

Implementation Checklist

  • Establish Board-level governance for ICT risk with documented accountability
  • Develop a comprehensive ICT risk management framework aligned with DORA Articles 5-16
  • Conduct a full inventory of ICT assets, systems, and third-party dependencies
  • Implement incident classification and reporting processes meeting DORA timelines
  • Design a digital operational resilience testing program covering all critical ICT systems
  • Arrange threat-led penetration testing (TLPT) if classified as a systemically important entity
  • Review and update all ICT third-party contracts to include DORA-mandated provisions
  • Conduct concentration risk assessments for critical ICT service providers
  • Develop ICT business continuity and disaster recovery plans with defined recovery point and recovery time objectives (RPO/RTO)
  • Establish communication plans for notifying clients and authorities during major incidents
  • Join or establish information-sharing arrangements for cyber threat intelligence

Critical ICT Third-Party Provider Oversight

DORA introduces a new oversight framework for critical ICT third-party providers (CTPPs) designated by the European Supervisory Authorities (ESAs). CTPPs will be directly supervised by a Lead Overseer with powers to request information, conduct on-site inspections, issue recommendations, and impose periodic penalty payments. Financial entities must maintain a Register of Information for all ICT third-party service arrangements. Contracts with ICT providers must include specific provisions covering service levels, data location, audit rights, exit strategies, and incident support obligations.

Frequently Asked Questions

Who does DORA apply to?
DORA applies to 21 categories of financial entities including credit institutions, investment firms, insurance companies, payment and e-money institutions, crypto-asset service providers, central securities depositories, and trading venues. It also applies directly to ICT third-party service providers designated as critical by the ESAs.

How does DORA differ from NIS2?
DORA is a sector-specific regulation for financial services, while NIS2 is a cross-sector directive. DORA provides more detailed prescriptive requirements tailored to financial sector ICT risk. Financial entities subject to DORA are generally considered to meet the cybersecurity requirements of NIS2 through DORA compliance, but should verify with their national transposition of NIS2.

What is threat-led penetration testing (TLPT) under DORA?
TLPT is an advanced form of penetration testing based on real threat intelligence. Financial entities identified by competent authorities must conduct TLPT at least every three years. The testing must be performed by qualified external testers, cover critical functions and ICT systems, and use threat intelligence to simulate realistic attack scenarios.

What are the penalties for non-compliance?
DORA empowers competent authorities to impose administrative penalties and remedial measures. While specific penalty amounts are determined by each member state, critical ICT third-party providers can face periodic penalty payments of 1% of average daily worldwide turnover per day for up to six months. Financial entities face penalties aligned with existing financial sector supervisory frameworks.

Do we need to update existing ICT contracts?
Yes. DORA Article 30 specifies minimum contractual provisions that must be included in all ICT service agreements. Existing contracts that do not include these provisions must be updated. Key requirements include service level descriptions, data processing locations, provisions on accessibility and availability, termination rights, and cooperation obligations during incidents and audits.
