DORA compliance checklist for financial entities

The Digital Operational Resilience Act sets binding requirements for ICT risk management, incident reporting, resilience testing, and third-party oversight across EU financial services. This checklist covers the core obligations and what meeting them looks like in practice.

What DORA requires and why it matters

The Digital Operational Resilience Act, known as DORA, became fully applicable across the EU on 17 January 2025. It establishes binding requirements for how financial entities manage ICT risk, respond to operational incidents, test their resilience, and oversee the technology providers they depend on.

DORA applies to a wide range of financial entities: banks, investment firms, payment institutions, e-money institutions, crypto-asset service providers, insurance undertakings, pension funds, and more. It also creates direct obligations for certain ICT third-party service providers, particularly those classified as critical.

This checklist is structured around DORA’s five main pillars. For each pillar, it sets out what the regulation requires and what demonstrable compliance looks like. It is intended as a practical reference, not a substitute for legal advice on your specific situation.

For context on where DORA sits within the broader EU financial regulatory landscape, see EU financial regulation in 2026: what it covers, who it affects, and why horizon scanning matters.

Pillar 1: ICT risk management framework

DORA requires financial entities to have a comprehensive, documented ICT risk management framework that is approved and overseen by the management body. This is not a delegable function. Senior leadership bears direct accountability for the framework’s adequacy.

What the regulation requires:

  • A documented ICT risk management framework covering identification, protection, detection, response, and recovery
  • A digital operational resilience strategy derived from the framework
  • Clear policies for ICT asset management, information classification, and access control
  • Business continuity plans and disaster recovery plans for ICT systems that support critical functions
  • Annual review of the framework, and review following any major ICT incident

What compliance looks like in practice:

  • ICT risk management framework documented, approved by the board or equivalent management body, and reviewed within the last 12 months
  • Digital operational resilience strategy in place, aligned to the risk framework, and communicated to relevant staff
  • Complete inventory of ICT assets, including hardware, software, and data assets, with ownership assigned
  • Information classification policy in place, with data assets classified according to criticality and sensitivity
  • Access control policies implemented, including least-privilege principles and privileged access management
  • Business continuity plan covering ICT disruption scenarios for critical or important functions
  • Disaster recovery plan with defined recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical systems
  • Results of the last framework review documented, with findings addressed or in progress

Pillar 2: ICT-related incident management and reporting

DORA establishes a structured process for managing, classifying, and reporting ICT-related incidents. Incidents classified as major must be reported to the relevant national competent authority within defined timeframes.

What the regulation requires:

  • A documented ICT incident management process covering detection, classification, escalation, response, and post-incident review
  • A classification methodology for determining whether an incident is major, based on the criteria set out in the regulatory technical standards: the number of clients and transactions affected, the duration of the disruption and service downtime, the geographic spread, data losses, the criticality of the services affected, reputational impact, and economic impact
  • Mandatory reporting of major ICT incidents to the competent authority in three stages: initial notification, intermediate report, and final report
  • Voluntary reporting of significant cyber threats, even where no incident has occurred

Reporting timeframes for major incidents:

Report and deadline:

  • Initial notification: within 4 hours of the incident being classified as major, and in any case no later than 24 hours after the entity became aware of it
  • Intermediate report: within 72 hours of the initial notification
  • Final report: within one month of the intermediate report

Note that the 24-hour cap runs from awareness, not from classification. A slow classification step therefore eats into the notification window, and an incident classified more than 24 hours after it was first noticed is already late to report.
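The three deadlines interact in a way that is easy to get wrong under pressure, so it is worth encoding them once in the incident tooling rather than recomputing them by hand. The following is an added example (not code from the article or from any regulator) that turns the timeframes above into concrete deadlines from the two timestamps an incident record should always carry: when the entity became aware of the incident and when it was classified as major. It assumes UTC timestamps and reads "one month" as the same day of the following month, clamped to that month's last day; that reading is an assumption to confirm against the ITS and your competent authority's guidance. All timestamps in the worked run are constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical helper, not from the article: turns the DORA major-incident
# reporting timeframes into deadlines. Rules as stated on the page:
#   initial notification : 4 h after classification as major, and in any case
#                          no later than 24 h after the entity became aware
#   intermediate report  : 72 h after the initial notification was submitted
#   final report         : one month after the intermediate report was submitted
# Assumption: "one month" = same day of the next month, clamped to that month's
# last day (31 Jan -> 28 Feb). Confirm against the ITS before relying on it.

INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_CAP_AFTER_AWARENESS = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)


def _require_tz_aware(name: str, ts: datetime) -> None:
    """Naive timestamps are rejected rather than guessed; deadlines are kept in UTC."""
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")


def add_one_month(ts: datetime) -> datetime:
    """Same day next month, clamped to the last day of that month."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


@dataclass(frozen=True)
class InitialDeadline:
    due: datetime
    capped_by_awareness: bool       # the 24 h cap, not the 4 h rule, set the deadline
    missed_at_classification: bool  # classification came after the cap had already passed


def initial_notification_deadline(aware_at: datetime, classified_at: datetime) -> InitialDeadline:
    """Earlier of (classification + 4 h) and (awareness + 24 h)."""
    _require_tz_aware("aware_at", aware_at)
    _require_tz_aware("classified_at", classified_at)
    if classified_at < aware_at:
        raise ValueError("classification cannot precede awareness")
    by_classification = classified_at + INITIAL_AFTER_CLASSIFICATION
    by_awareness = aware_at + INITIAL_CAP_AFTER_AWARENESS
    due = min(by_classification, by_awareness)
    return InitialDeadline(
        due=due,
        capped_by_awareness=by_awareness < by_classification,
        missed_at_classification=due < classified_at,
    )


def intermediate_report_deadline(initial_submitted_at: datetime) -> datetime:
    """72 h from the moment the initial notification was actually submitted."""
    _require_tz_aware("initial_submitted_at", initial_submitted_at)
    return initial_submitted_at + INTERMEDIATE_AFTER_INITIAL


def final_report_deadline(intermediate_submitted_at: datetime) -> datetime:
    """One month (see assumption above) from submission of the intermediate report."""
    _require_tz_aware("intermediate_submitted_at", intermediate_submitted_at)
    return add_one_month(intermediate_submitted_at)


def worked_example() -> dict:
    """Constructed timestamps (not a real incident) run through the three rules."""
    aware = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
    out = {}
    # Classification 6 h, 23 h and 36 h after awareness: only the first is governed
    # by the 4 h rule; the last is already overdue the moment it is classified.
    for hours in (6, 23, 36):
        d = initial_notification_deadline(aware, aware + timedelta(hours=hours))
        out[f"initial_after_{hours}h"] = (d.due.isoformat(), d.capped_by_awareness,
                                          d.missed_at_classification)
    initial_sent = datetime(2025, 3, 3, 18, 0, tzinfo=timezone.utc)
    out["intermediate_due"] = intermediate_report_deadline(initial_sent).isoformat()
    # Month-end clamp: an intermediate report sent on 31 January is due 28 February 2025.
    out["final_due_if_intermediate_sent_31_jan"] = final_report_deadline(
        datetime(2025, 1, 31, 10, 0, tzinfo=timezone.utc)).isoformat()
    return out


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:<40} {value}")
```

The `missed_at_classification` flag is the one worth alerting on: it fires whenever triage takes longer than 24 hours, which is a process failure in the classification step rather than in the reporting step.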

What compliance looks like in practice:

  • ICT incident management process documented, with defined roles for detection, escalation, and response
  • Incident classification methodology in place, aligned to the criteria in the relevant regulatory technical standards
  • Designated function or team responsible for managing the reporting process to the competent authority
  • Templates prepared for initial notification, intermediate report, and final report
  • Incident log maintained, including classification decisions and rationale for incidents not classified as major
  • Post-incident review process defined, with findings feeding back into the risk management framework
  • Process in place for voluntary notification of significant cyber threats

Pillar 3: Digital operational resilience testing

DORA requires financial entities to test their digital operational resilience on a regular basis. The requirements are tiered: all in-scope entities must conduct basic testing, while significant entities must conduct advanced threat-led penetration testing (TLPT).

Basic testing (all in-scope entities):

  • Vulnerability assessments and scans
  • Network security assessments
  • Gap analyses and scenario-based reviews
  • Physical security reviews where relevant to ICT infrastructure
  • Reviews of ICT tools and systems

Basic testing must be conducted at least annually for systems and applications supporting critical or important functions.

Threat-led penetration testing (significant entities):

TLPT is a red-team exercise simulating the tactics, techniques, and procedures of real threat actors against live production systems. It follows a structured methodology aligned to the TIBER-EU framework and must be carried out by testers who meet the requirements set out in the regulation and its regulatory technical standards. Internal testers may be used under conditions set out in the regulation, but an external tester must be engaged at least every third test. TLPT must be conducted at least every three years.

The entities required to conduct TLPT are identified by national competent authorities based on size, systemic importance, and risk profile. Not all DORA-subject entities will be required to conduct TLPT, but those that are must use testers that meet the accreditation criteria set out in the regulatory technical standards.

What compliance looks like in practice:

  • Testing programme documented, covering all systems and applications supporting critical or important functions
  • Vulnerability assessments and network security assessments conducted within the last 12 months
  • Testing results documented, with findings tracked through to remediation or accepted risk
  • Confirmation from the competent authority (or absence of a designation) on whether TLPT is required
  • If TLPT is required: qualified tester engaged (external, or internal where the regulation permits), TLPT conducted within the three-year window, and results and remediation plan reported to the competent authority
  • Lessons from testing fed back into the ICT risk management framework

Pillar 4: ICT third-party risk management

DORA introduces the most demanding third-party risk requirements seen in EU financial regulation to date. Financial entities must manage the ICT risk arising from their reliance on third-party providers, with specific obligations around contract content, oversight, and exit planning.

What the regulation requires:

  • A register of all contractual arrangements with ICT third-party service providers, distinguishing arrangements supporting critical or important functions
  • Pre-contract due diligence on ICT third-party providers
  • Minimum contractual provisions for all ICT third-party contracts, with enhanced provisions for contracts covering critical or important functions
  • Ongoing monitoring and oversight of ICT third-party providers
  • Exit strategies and documented plans for exiting material contractual arrangements

Minimum contractual provisions (all ICT contracts):

  • Clear description of services provided
  • Locations where data is processed and stored
  • Provisions on data availability, confidentiality, and integrity
  • Access, recovery, and return of data in an easily accessible format in the event of the provider’s insolvency, resolution, or discontinuation of business, or on termination of the contract
  • Service level descriptions and performance monitoring
  • Cooperation obligations in the event of an ICT incident
  • Rights of audit and inspection for the financial entity and its competent authority

Enhanced provisions (critical or important functions):

All of the above, plus:

  • Full service level descriptions with quantitative performance targets
  • Notice periods and reporting obligations for changes that may affect the financial entity
  • Termination rights in defined circumstances, including regulatory direction
  • Exit assistance obligations, including data migration support

What compliance looks like in practice:

  • Register of all ICT third-party contractual arrangements maintained and current, with critical or important function arrangements identified
  • Pre-contract due diligence process documented and applied to new and renewed contracts
  • All existing ICT contracts reviewed against the minimum contractual provision requirements, with a remediation plan for gaps
  • Enhanced contractual provisions in place for all contracts covering critical or important functions
  • Ongoing monitoring programme in place for ICT third-party providers, with frequency proportionate to criticality
  • Exit strategies documented for material ICT third-party arrangements, with exit plans tested where critical functions are involved
  • Sub-outsourcing chains identified and assessed where third-party providers further sub-contract services

Pillar 5: Information and intelligence sharing

DORA encourages financial entities to participate in information sharing arrangements on cyber threats, vulnerabilities, and tactics with other financial sector participants. Participation is voluntary, but entities that do share information must do so through trusted arrangements that protect the confidentiality of what is shared.

What the regulation requires:

  • Voluntary participation in information sharing arrangements is explicitly permitted and encouraged
  • Information shared must be protected in terms of confidentiality, and sharing must comply with applicable data protection rules
  • The competent authority must be notified of participation in information sharing arrangements

What compliance looks like in practice:

  • Assessment made of whether relevant information sharing arrangements exist in your sector or jurisdiction
  • Decision documented on participation, including rationale if not participating
  • If participating: competent authority notified, confidentiality controls in place, and data protection obligations assessed

Oversight of critical ICT third-party providers

Separately from the obligations on financial entities, DORA establishes an oversight framework for ICT third-party service providers designated as critical by the European Supervisory Authorities. These providers, which include major cloud infrastructure and SaaS providers serving the financial sector at scale, are subject to direct supervision by a lead overseer drawn from ESMA, EBA, or EIOPA depending on the services they provide.

Financial entities contracting with critical ICT third-party providers must cooperate with the oversight process and ensure their contracts include the cooperation obligations required by DORA. The list of designated critical third-party providers is published by the European Supervisory Authorities and should be checked when reviewing third-party risk registers.

Proportionality

DORA includes a proportionality principle. Microenterprises, defined as financial entities that employ fewer than ten persons and have an annual turnover and/or annual balance sheet total not exceeding EUR 2 million, are subject to a simplified ICT risk management framework and are exempt from some of the more demanding requirements, including the advanced testing pillar.

National competent authorities have some discretion in applying proportionality to smaller entities beyond the microenterprise threshold. In practice, the core obligations around ICT risk management, incident reporting, and third-party contracts apply across the board. The areas where proportionality is most likely to reduce the burden are testing frequency and the depth of third-party oversight documentation.

What to watch in 2026

The regulatory technical standards and implementing technical standards under DORA were published in stages through 2024 and 2025. Most are now final, but supervisory guidance on specific areas continues to develop.

Third-party risk is the area attracting the most ongoing supervisory attention. The interaction between DORA’s third-party requirements and existing outsourcing guidelines under EBA and EIOPA is a source of practical complexity for firms that built their outsourcing frameworks before DORA.

Enforcement is also developing. January 2025 marked the start of the full application period, and national competent authorities are at different stages of readiness to conduct DORA-specific supervision. Firms should not interpret supervisory quietness as a signal that compliance timelines are relaxed.

Forseti, Citium’s EU regulatory intelligence platform, is in development and will monitor DORA implementation guidance, enforcement developments, and the broader EU financial regulatory landscape continuously. If you want to be kept informed ahead of launch, get in touch.
