TECHNOMATON | Docs SAI Certified Trainers

DORA Checklist

Regulation: EU 2022/2554 (Digital Operational Resilience Act)
Deadline: 17.1.2025 (fully applicable)
Scope: EU financial institutions (banks, insurers, investment firms, payment institutions)


About DORA

DORA is a lex specialis for the financial sector: it replaces the NIS2 requirements for ICT risk management, incident reporting and resilience testing in the financial sector.

Who falls under DORA?

| Category | Examples |
|---|---|
| Credit institutions | Banks, savings banks |
| Payment institutions | Payment services, e-money |
| Investment firms | Securities dealers |
| Insurance undertakings | Life and non-life insurance |
| Reinsurance undertakings | Reinsurance companies |
| Pension funds | IORPs |
| Crypto-assets | Crypto-asset service providers (from MiCA) |
| ICT third parties | Critical ICT providers to the financial sector |

Part E: DORA Compliance

| # | Activity | Reference | Phase | Description |
|---|---|---|---|---|
| E1 | Scope Determination | Art. 2 | Preparation | Determine whether the organisation falls under DORA |
| E1.1 | — Entity type | Art. 2(1) | Preparation | Bank, insurer, investment firm, payment institution? |
| E1.2 | — Simplified regime? | Art. 16 | Preparation | Do we qualify for the simplified regime? |
| E1.3 | — Regulatory registration | Art. 2 | Preparation | Registration/notification with the national authority |
| E2 | GAP Analysis | Art. 4, 6 | Analysis | Assessment of current state vs. DORA |
| E2.1 | — Current state assessment | Art. 6 | Analysis | Audit of current ICT risk management |
| E2.2 | — Gap identification | Art. 6-15 | Analysis | Identify gaps vs. DORA requirements |
| E2.3 | — Remediation roadmap | Art. 6 | Analysis | Remediation plan with priorities |
| E3 | Governance Structure | Art. 5 | Governance | Governance for ICT risk management |
| E3.1 | — Board accountability | Art. 5(1) | Governance | Board fully responsible for ICT risk management |
| E3.2 | — ICT risk management function | Art. 5(2) | Governance | Define ICT risk management function |
| E3.3 | — Security committee | Art. 5 | Governance | Security committee with regular reporting |
| E3.4 | — Management training | Art. 5(4) | Governance | Management training in ICT risks |
| E4 | ICT Risk Management Framework | Art. 6 | Framework | Comprehensive ICT risk management framework |
| E4.1 | — ICT risk management policy | Art. 6(1) | Framework | Documented ICT risk management policy |
| E4.2 | — ICT risk management strategy | Art. 6(8) | Framework | Digital Operational Resilience Strategy |
| E4.3 | — Risk tolerance | Art. 6(8)(b) | Framework | Risk tolerance definition for ICT risks |
| E4.4 | — Framework review | Art. 6(5) | Framework | At least annual framework review |
| E5 | ICT Asset Management | Art. 8 | Identification | Identification and classification of ICT assets |
| E5.1 | — ICT asset inventory | Art. 8(1) | Identification | Complete ICT asset inventory |
| E5.2 | — Asset classification | Art. 8(1) | Identification | Classification by criticality |
| E5.3 | — Business function mapping | Art. 8(2) | Identification | Mapping ICT to business functions |
| E5.4 | — Dependencies mapping | Art. 8(3) | Identification | Mapping dependencies between systems |
| E6 | ICT Risk Assessment | Art. 8 | Risk | Regular ICT risk assessment |
| E6.1 | — Risk identification | Art. 8(4) | Risk | Identify ICT risks |
| E6.2 | — Risk analysis | Art. 8(4) | Risk | Analyse likelihood and impact |
| E6.3 | — Risk treatment | Art. 8(4) | Risk | Risk treatment plan (mitigate/accept/transfer/avoid) |
| E6.4 | — Risk reporting | Art. 8 | Risk | Regular ICT risk reporting to the board |
| E7 | Protection & Prevention | Art. 9, 10 | Protection | Implementation of protective measures |
| E7.1 | — ICT security policies | Art. 9(1) | Protection | ICT security policies |
| E7.2 | — Network security | Art. 9(2) | Protection | Network security |
| E7.3 | — Access control | Art. 9(3) | Protection | Access management, MFA, RBAC |
| E7.4 | — Encryption | Art. 9(3)(b) | Protection | Data encryption at rest and in transit |
| E7.5 | — Patch management | Art. 9(4)(c) | Protection | Patch management process |
| E7.6 | — Data protection | Art. 10 | Protection | Data and system protection |
| E8 | Detection | Art. 10 | Detection | Anomaly and incident detection |
| E8.1 | — Monitoring capability | Art. 10(1) | Detection | Continuous ICT system monitoring |
| E8.2 | — Anomaly detection | Art. 10(1) | Detection | Detection of anomalies and suspicious activities |
| E8.3 | — SIEM implementation | Art. 10 | Detection | SIEM for centralised monitoring |
| E9 | Business Continuity | Art. 11, 12 | Continuity | ICT Business Continuity Management |
| E9.1 | — ICT BCP policy | Art. 11(1) | Continuity | ICT Business Continuity Policy |
| E9.2 | — BIA (Business Impact Analysis) | Art. 11(3) | Continuity | Business impact analysis |
| E9.3 | — Recovery plans | Art. 11(4) | Continuity | ICT response and recovery plans |
| E9.4 | — Backup strategy | Art. 12(1) | Continuity | Backup and restore strategy |
| E9.5 | — Recovery testing | Art. 12(2) | Continuity | Recovery testing (min. annually) |
| E9.6 | — Crisis communication | Art. 11(5) | Continuity | Crisis communication |
| E10 | Incident Management | Art. 17-19 | Incident | ICT incident management process |
| E10.1 | — Incident management policy | Art. 17(1) | Incident | ICT incident management policy |
| E10.2 | — Incident classification | Art. 18 | Incident | Incident severity classification |
| E10.3 | — Incident response team | Art. 17 | Incident | Incident Response Team (IRT) |
| E10.4 | — Root cause analysis | Art. 17(3) | Incident | Post-incident analysis |
| E11 | Incident Reporting | Art. 19 | Reporting | ICT incident reporting |
| E11.1 | — Major incident criteria | Art. 18(1) | Reporting | Major incident criteria |
| E11.2 | — Initial notification | Art. 19(4)(a) | Reporting | Initial notification to authority |
| E11.3 | — Intermediate report | Art. 19(4)(b) | Reporting | Intermediate report |
| E11.4 | — Final report | Art. 19(4)(c) | Reporting | Final report (1 month) |
| E12 | Resilience Testing | Art. 24, 25 | Testing | Regular resilience testing |
| E12.1 | — Testing programme | Art. 24(1) | Testing | Digital resilience testing programme |
| E12.2 | — Vulnerability assessments | Art. 24(2) | Testing | Regular vulnerability scanning |
| E12.3 | — Penetration testing | Art. 24(2) | Testing | Annual penetration tests |
| E12.4 | — Scenario-based testing | Art. 24(2) | Testing | Scenario testing (DR, incident) |
| E13 | TLPT (Advanced Testing) | Art. 26 | TLPT | Threat-Led Penetration Testing |
| E13.1 | — TLPT scope | Art. 26(1) | TLPT | Determine scope for TLPT (if required) |
| E13.2 | — TLPT provider selection | Art. 26(4) | TLPT | Select certified TLPT provider |
| E13.3 | — TLPT execution | Art. 26 | TLPT | Execute TLPT |
| E14 | Third-Party Risk | Art. 28-30 | Third-Party | ICT third-party risk management |
| E14.1 | — ICT third-party policy | Art. 28(1) | Third-Party | ICT third-party policy |
| E14.2 | — Third-party register | Art. 28(3) | Third-Party | ICT third-party register |
| E14.3 | — Due diligence | Art. 28(4) | Third-Party | Due diligence for ICT providers |
| E14.4 | — Contractual requirements | Art. 30 | Third-Party | Contractual requirements (DORA Art. 30) |
| E14.5 | — Exit strategies | Art. 28(8) | Third-Party | Exit strategies for critical ICT providers |
| E15 | Critical ICT Registry | Art. 28(3) | Registry | Registry of critical ICT third parties |
| E15.1 | — Critical ICT identification | Art. 28(3) | Registry | Identify critical ICT providers |
| E15.2 | — Registry submission to ESAs | Art. 28(3) | Registry | Submit register to ESAs (via national authority) |
| E15.3 | — Registry updates | Art. 28(3) | Registry | Ongoing register updates |
| E16 | Learning & Evolving | Art. 13 | Continuous | Continuous improvement |
| E16.1 | — Lessons learned | Art. 13(1) | Continuous | Lessons learned process from incidents |
| E16.2 | — Post-incident reviews | Art. 13(2) | Continuous | Mandatory post-incident reviews |
| E16.3 | — Threat intelligence | Art. 13 | Continuous | Threat intelligence integration |
| E17 | Communication | Art. 14 | Communication | ICT communication protocols |
| E17.1 | — Internal communication | Art. 14(1) | Communication | Internal communication during incidents |
| E17.2 | — External communication | Art. 14(2) | Communication | External communication (clients, media) |
| E18 | Regulatory Reporting | Art. 37-38 | Reporting | Reporting to national authority and ESAs |
| E18.1 | — Compliance reporting | Art. 37 | Reporting | Regular compliance reporting |
| E18.2 | — Audit cooperation | Art. 38 | Reporting | Cooperation with auditors and regulators |

Key DORA milestones

| Date | Milestone |
|---|---|
| 16.1.2023 | DORA entered into force |
| 17.1.2025 | DORA fully applicable |
| 30.4.2025 | ICT third-party registries -> ESAs |
| July 2025 | ESAs designate critical ICT providers |
| Every 3 years | TLPT for significant institutions |

Relationship of DORA to other regulations


Critical path

  1. E1 Scope Determination -> IMMEDIATELY (DORA already in effect)
  2. E2 GAP Analysis -> by 28.2.2025
  3. E3 Governance Structure -> by 28.2.2025
  4. E4 ICT Risk Management Framework -> by 30.4.2025
  5. E10-E11 Incident Management & Reporting -> by 30.4.2025
  6. E14-E15 Third-Party Risk & Registry -> by 30.4.2025
  7. E12 Resilience Testing Programme -> by 30.9.2025

Implementation phases


Sources