DORA compliance checklist

A practical DORA (Digital Operational Resilience Act) compliance checklist for EU financial entities: ICT risk management framework, incident classification and reporting, resilience testing, third-party register, and annual reporting - the five pillars of Regulation 2022/2554.

Who DORA applies to

EU financial entities including credit institutions, payment institutions, e-money institutions, investment firms, insurers, reinsurers, AIFs, UCITS, crypto-asset service providers under MiCA, and central counterparties. Also applies to critical ICT third-party service providers under EU oversight.

Jurisdiction: EU financial entities + their ICT third-party service providers. Full name: Digital Operational Resilience Act (Regulation 2022/2554).

The DORA compliance checklist

The high-level cycle. Each item below is the visible head of a fuller process - open it in the editor to flesh out the steps, owners, and decisions your team actually runs.

The PDF includes real fillable form fields - tick each checkbox in your PDF reader and fill in organisation name, owner, and dates. The DOCX is fully editable in Word, Google Docs, or any compatible editor.

  1. Define the in-scope DORA perimeter (entity categories + critical third parties).
  2. Establish the ICT risk management framework and assign management body responsibility.
  3. Maintain a register of ICT systems, processes, and the people responsible.
  4. Build the ICT-related incident classification, management, and reporting workflow.
  5. Define and document the digital operational resilience testing programme.
  6. For significant entities: conduct threat-led penetration testing (TLPT) every 3 years.
  7. Maintain the ICT third-party register and contractual arrangements per Article 28.
  8. Manage concentration risk and exit strategies for critical third-party dependencies.
  9. Submit annual reports to the competent authority covering all five pillars.
  10. Update the framework based on incident learnings, regulatory technical standards, and supervisory expectations.

DORA as a process map

The DORA programme as a process map. Each pillar feeds into the annual report and back into the framework - DORA explicitly expects iterative improvement, not a one-off setup.

DORA ICT-related incident classification and reporting

A DORA (Regulation (EU) 2022/2554) ICT-related incident classification and reporting process rendered as a BPMN 2.0 process map. The flow detects an ICT incident, classifies it as major or non-major against the Article 18 criteria, and on the major-incident branch drives the three statutory clocks: 4-hour initial notification, 72-hour intermediate report, and 1-month final report to the competent authority. Non-major incidents are logged internally and rolled into the periodic review.

  1. Detect and triage an ICT-related incident; record discovery time - this starts every DORA clock.
  2. Classify the incident against the Article 18 criteria - clients affected, data loss, duration, geographic spread, reputational impact, criticality of services.
  3. If the incident is non-major, log it in the internal incident register and proceed to the periodic review.
  4. If the incident is major, submit the initial notification to the competent authority within 4 hours of classification (and no later than 24 hours from detection) - Article 19(4) RTS.
  5. Investigate the incident and submit the intermediate report within 72 hours of the initial notification, updating root cause, status, and impact figures.
  6. Within 1 month of the intermediate report, submit the final report with root-cause analysis, mitigation actions, and lessons learned (Article 19(4)).
  7. Close the incident, update the ICT risk framework, and feed findings into the next resilience-testing cycle.
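The three statutory clocks in the steps above interact in a way that is easy to get wrong under pressure: the initial notification is due 4 hours after classification but is also capped at 24 hours after detection, and each later clock starts from the previous submission, not from detection. The following deadline tracker is an added example written for this page, not code from the original or from any regulator; it encodes the clocks exactly as the steps state them. Two points are assumptions rather than page content: "1 month" is read as calendar-month arithmetic (same day next month, clamped to month end), and where a report has not yet been submitted the next deadline is projected from the earlier deadline so the team sees the worst case.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import calendar

# Statutory clocks as listed in the process steps on this page.
INITIAL_FROM_CLASSIFICATION = timedelta(hours=4)   # 4h from classification
INITIAL_CAP_FROM_DETECTION = timedelta(hours=24)   # ...but never later than 24h from detection
INTERMEDIATE_FROM_INITIAL = timedelta(hours=72)    # 72h from the initial notification


def add_one_month(ts: datetime) -> datetime:
    """Same calendar day next month, clamped to that month's last day.

    Assumption: the page says "1 month"; calendar-month arithmetic is this
    example's reading of it, not a rule taken from the regulation text.
    """
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


@dataclass
class MajorIncidentTimeline:
    """Timestamps the incident record must capture for a major incident.

    detected_at starts every clock (step 1); classified_at is when the
    Article 18 assessment concluded "major" (step 2). The *_sent_at fields
    are filled in as each report actually goes to the competent authority.
    """
    detected_at: datetime
    classified_at: datetime
    initial_sent_at: Optional[datetime] = None
    intermediate_sent_at: Optional[datetime] = None
    final_sent_at: Optional[datetime] = None


def deadlines(t: MajorIncidentTimeline) -> Dict[str, datetime]:
    """Return the due time of each statutory report.

    Assumption: when a report is not yet submitted, the following deadline is
    projected from the earlier *deadline* (worst case) rather than left unknown.
    """
    if t.classified_at < t.detected_at:
        raise ValueError("classification cannot precede detection")
    due: Dict[str, datetime] = {}
    # Step 4: 4h from classification, capped at 24h from detection.
    due["initial"] = min(t.classified_at + INITIAL_FROM_CLASSIFICATION,
                         t.detected_at + INITIAL_CAP_FROM_DETECTION)
    # Step 5: 72h from the initial notification.
    initial_ref = t.initial_sent_at or due["initial"]
    due["intermediate"] = initial_ref + INTERMEDIATE_FROM_INITIAL
    # Step 6: 1 month from the intermediate report.
    intermediate_ref = t.intermediate_sent_at or due["intermediate"]
    due["final"] = add_one_month(intermediate_ref)
    return due


def overdue(t: MajorIncidentTimeline, now: datetime) -> List[str]:
    """Names of reports whose deadline has passed without a submission."""
    sent = {"initial": t.initial_sent_at,
            "intermediate": t.intermediate_sent_at,
            "final": t.final_sent_at}
    return [name for name, when in deadlines(t).items()
            if sent[name] is None and now > when]


if __name__ == "__main__":
    # Constructed sample: detected 08:00 UTC, classified as major 22h later,
    # so the 24h-from-detection cap, not the 4h-from-classification clock, binds.
    sample = MajorIncidentTimeline(
        detected_at=datetime(2025, 3, 1, 8, tzinfo=timezone.utc),
        classified_at=datetime(2025, 3, 2, 6, tzinfo=timezone.utc),
    )
    for name, when in deadlines(sample).items():
        print(f"{name:>12}: {when.isoformat()}")
    print("overdue now:", overdue(sample, datetime(2025, 3, 2, 9, tzinfo=timezone.utc)))
```

Record detection and classification times in UTC at the moment they happen (step 1 says discovery time starts every clock), and re-run `overdue` from the incident ticket rather than from memory; the cap in step 4 means a slow classification does not buy extra time for the initial notification.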

Frequently asked questions

When did DORA take effect?

DORA entered into force on 16 January 2023 and became applicable on 17 January 2025. From that date, in-scope financial entities and critical ICT third-party providers must comply with the full regulation and the associated regulatory technical standards (RTS) and implementing technical standards (ITS).

Who counts as a "critical ICT third-party service provider"?

The European Supervisory Authorities (ESAs) designate critical ICT TPPs (CTPPs) under Article 31 - hyperscale cloud providers, major SaaS vendors, and core banking software providers being the obvious candidates. CTPPs are subject to direct EU oversight in their own right, in addition to whatever contractual oversight each of their financial-entity customers exercises over them.

What is Threat-Led Penetration Testing (TLPT)?

TLPT is realistic, intelligence-driven testing of an entity's ICT systems and processes by skilled "ethical hackers" using TTPs (tactics, techniques, procedures) of real threat actors. DORA requires TLPT every 3 years for significant entities under Article 26, aligned with the TIBER-EU framework where relevant.

How does DORA interact with the NIS2 Directive?

DORA is the lex specialis for the financial sector - where DORA applies, it overrides NIS2 obligations for the same matters. Financial entities should map their obligations under both and document the DORA / NIS2 boundary in their compliance programme.
