DORA Compliance Checklist
Directly applicable since 17 January 2025. Covers applicability, ICT risk framework, incident reporting, resilience testing, third-party risk (Art. 30 register), and information sharing.
Counsel-grade external checklist for Regulation (EU) 2022/2554 (DORA). Directly applicable across the EU since 17 January 2025. Level 2 RTS/ITS flesh out most obligations — verify current RTS/ITS versions before relying on any specific threshold or timeline. Competent authority in Sweden: Finansinspektionen. This checklist is a working reference, not legal advice.
A. Applicability gate
- Entity type in Art. 2 scope confirmed: credit institutions, payment / e-money institutions, investment firms, fund managers, insurers and reinsurers, crypto-asset service providers, crowdfunding service providers, etc. — or ICT third-party service provider to such entities.
- Proportionality position established (Art. 4): eligibility for the simplified framework (e.g. small and non-interconnected investment firms) documented.
- Microenterprise exemptions mapped where applicable.
- DORA-vs-NIS2 lex specialis position documented — financial entities apply DORA, not NIS2, for the matters DORA covers.
B. ICT risk-management framework (Arts. 5–16)
- Management body bears final responsibility (Art. 5) — approved digital operational resilience strategy, board training on ICT risk, documented oversight.
- ICT risk-management framework documented, reviewed at least annually and after major incidents (Art. 6).
- Independence: ICT risk-control function separated from operations and audit per the three-lines-of-defence model.
- Identification (Art. 8): inventory of ICT-supported business functions, information assets and dependencies — classified by criticality, reviewed annually.
- Protection and prevention (Art. 9): security policies, network segmentation, patching, strong authentication, cryptographic controls.
- Detection (Art. 10): anomaly-detection mechanisms with alert thresholds and multiple layers of control.
- Response and recovery (Art. 11): ICT business-continuity policy, response plans per severity scenario, crisis communication (Art. 14).
- Backup and restoration (Art. 12): backup policies, restoration procedures, segregated backup environment, tested.
- Learning and evolving (Art. 13): post-incident reviews, threat-landscape monitoring, lessons fed back into the framework.
- RPO / RTO defined per critical function and evidenced by test results.
C. ICT incident management and reporting (Arts. 17–23)
- Incident-management process capturing, classifying and logging all ICT-related incidents (Art. 17).
- Classification per Art. 18 criteria and current RTS thresholds (clients affected, duration, geographic spread, data losses, criticality, economic impact).
- Major-incident reporting to the competent authority per current ITS timelines: initial notification (4 hours from classification / 24 hours from awareness), intermediate report (72 hours), final report (1 month) — verify current ITS values before relying on them.
- Client-notification duty for major incidents affecting their financial interests.
- Voluntary reporting position on significant cyber threats decided.
- Root-cause analysis standard for major incidents.
D. Digital operational resilience testing (Arts. 24–27)
- Testing programme proportionate to size and risk: vulnerability assessments and scans, network security assessments, scenario-based tests, penetration testing.
- Critical systems tested at least yearly.
- TLPT (threat-led penetration testing) applicability determined — designated entities every three years, TIBER-EU aligned; scope covers critical functions including those outsourced.
- Remediation tracking: findings classified, owners assigned, closure evidenced.
E. ICT third-party risk (Arts. 28–30) — supervisory priority #1
- Register of information on all ICT third-party arrangements maintained in the mandated ITS template, submittable to the authority on request or annual cycle.
- Pre-contract due diligence and risk assessment for every ICT contract; concentration-risk assessment for critical providers.
- Contracts contain Art. 30 mandatory provisions — full catalogue for contracts supporting critical or important functions: service descriptions, data locations, security standards, audit and access rights, incident cooperation, sub-outsourcing conditions, exit and transition assistance, termination rights.
- Legacy-contract remediation completed or gap-tracked (pre-DORA contracts rarely satisfy Art. 30).
- Exit strategies documented for critical-function providers, including a stressed-exit scenario.
- Critical ICT third-party provider (CTPP) oversight regime monitored — whether any of your providers are designated and what designation changes.
- Intra-group ICT arrangements treated as third-party arrangements (they are in scope).
F. Information sharing (Art. 45)
- Position taken on participation in cyber-threat information-sharing arrangements; if participating, notification to the authority handled.
Related
Last reviewed: July 2026. RTS/ITS timelines and thresholds evolve — verify against current EBA/ESMA/EIOPA texts before relying on specific values.