How to use this checklist

DORA organises digital operational resilience requirements into five pillars. This checklist covers each one — what you must have documented, what you must have tested, and what evidence regulators will expect to see. It is designed to be used as a gap assessment: work through each item and mark what is in place, what is partially addressed, and what is missing.

Micro-enterprises (fewer than 10 employees, turnover/balance sheet under €2 million) benefit from proportionality provisions in Pillars 1 and 3 — these are noted where relevant. Core obligations in Pillars 2, 4, and 5 apply to all entities regardless of size.

DORA has been fully applicable since 17 January 2025. There is no grace period. This checklist reflects the obligations as they stand today — including the Level 2 RTS/ITS technical standards published by EBA, EIOPA, and ESMA.

I. ICT Risk Management Framework

DORA requires a unified, organisation-wide ICT risk management structure. The management body is personally responsible for approving and overseeing this framework.

  • Formal ICT risk management framework adopted and approved by the management body
  • Defined roles and responsibilities for ICT risk — including named accountable individuals
  • Complete inventory of ICT assets (hardware, software, data, third-party dependencies)
  • ICT risk identification, classification, and continuous monitoring processes in place
  • Preventive controls (access management, encryption, patch management) documented
  • Detective controls (logging, monitoring, anomaly detection) operational and tested
  • ICT business continuity plan (BCP) and disaster recovery (DR) runbook documented
  • BCP/DR tested at least annually — results and remediation actions recorded
  • Digital operational resilience strategy aligned to the overall business strategy
  • All policies, frameworks and decisions maintained with version control and evidence trail

II. ICT-Related Incident Management & Reporting

DORA introduces strict obligations for classifying, recording, and reporting ICT-related incidents. Major incidents must be reported to your national competent authority under defined timelines.

  • Incident classification framework aligned to DORA RTS thresholds (clients affected, downtime, data loss, financial impact)
  • Internal incident log maintained — all ICT-related events recorded regardless of severity
  • Defined escalation path from ICT team to management body for major incidents
  • Initial notification to NCA within 4 hours of classifying a major incident
  • Intermediate report submitted within 72 hours of initial notification
  • Final report submitted within one month of incident resolution
  • Evidence collection process in place from the moment an incident is detected
  • Post-incident review conducted — root cause, timeline, and remediation documented
  • Lessons learned fed back into risk management framework and controls

III. Digital Operational Resilience Testing

Entities must perform regular resilience testing proportionate to their size and risk profile. Threat-Led Penetration Testing (TLPT) is mandatory only for significant entities — micro-enterprises are exempt.

  • Annual testing programme documented and approved by management
  • Vulnerability assessments performed on all critical ICT systems
  • Scenario-based tests covering key threat scenarios relevant to your business model
  • BCP/DR tested in practice — tabletop exercises at minimum, live failover where possible
  • All test results recorded with identified gaps and remediation plans
  • Remediation actions tracked to completion and re-tested where material
  • (Significant entities only) TLPT conducted by qualified external testers every three years

IV. ICT Third-Party Risk Management

DORA introduces the EU's strictest rules for outsourcing and ICT third-party service providers. The Register of Information — a complete inventory of all ICT provider contracts — was the first live supervisory deliverable, due April 2025.

  • Register of Information (RoI) complete, accurate, and up to date
  • All ICT providers classified: critical, important, or standard
  • Contracts with critical/important providers reviewed for mandatory DORA clauses
  • Mandatory contractual provisions in place: audit rights, SLAs, data portability, exit assistance
  • Due diligence performed before onboarding new ICT providers
  • Ongoing performance monitoring and annual risk reviews for critical providers
  • Concentration risk assessed — single points of failure in the supply chain identified
  • Exit strategies and substitution plans documented for each critical provider
  • Sub-outsourcing arrangements mapped and reviewed

V. Information Sharing Arrangements

Under DORA, organisations may voluntarily join trusted cyber-threat intelligence communities to share threat information. Participation is not mandatory but is increasingly expected by supervisors as evidence of an active security culture.

  • Management decision made on whether to participate in information-sharing arrangements
  • If participating: arrangement reviewed for DORA eligibility criteria
  • Confidentiality safeguards in place for shared intelligence
  • Safe-sharing processes established — sensitive operational data protected
  • Threat intelligence received from arrangements fed into ICT risk monitoring processes
  • Participation (or reasoned decision not to participate) documented for supervisory record

Implementation approach

If you are using this checklist to build your framework from scratch, a three-phase approach keeps the work manageable:

1. Gap Scan

Work through each checklist item and mark it as in place, partially addressed, or missing. Be honest — a gap you identify yourself is far easier to fix than one a regulator finds.

2. Prioritisation

Sequence remediation by regulatory exposure: Pillars 1 and 2 (governance and incident reporting) carry the heaviest supervisory weight and should be addressed first.

3. Evidence Building

Document every decision, test, and review with dates and approvals. The compliance record is as important as the compliance itself — supervisors will ask for it.

The documentation set covers all five pillars, pre-mapped to the RTS/ITS, and scoped for micro-enterprises. Start with a complete framework rather than building each document from scratch.