Understanding DORA Compliance: A Step-by-Step Checklist for Financial Institutions and ICT Providers

The Digital Operational Resilience Act (DORA) sets uniform rules to help financial firms and their ICT partners withstand cyber threats, system failures, and other operational disruptions. If you fall under DORA’s scope, banks, insurers, payment services, crypto-asset providers, or third-party ICT service providers, meeting its requirements is mandatory as of January 17, 2025.

This guide walks you through each compliance pillar with precise, actionable steps and timelines. Use this “DORA compliance checklist” to track progress, avoid last-minute scrambles, and build a resilient ICT ecosystem.

What Is DORA, And Who Must Comply?

Definition

The Digital Operational Resilience Act standardizes how covered entities manage ICT-related risks and report incidents across the European Union. It aligns oversight, testing, and third-party governance under one framework.

Covered Entities

• Financial firms: banks, insurers, investment firms, crypto-asset providers.
• ICT providers: cloud-service vendors, data-analytics platforms, cybersecurity consultants.
• Thresholds: Some small payment institutions or fintechs qualify only if their annual revenues or customer counts exceed set limits.

When does DORA apply to vendors?

Any ICT service that supports a covered financial firm, whether hosting, data storage, software development, or security monitoring, must obey DORA clauses on third-party risk management and incident reporting.

The Five Pillars of DORA

1. ICT Risk Management
   
   
2. ICT Incident Reporting
   
   
3. Digital Operational Resilience Testing
   
   
4. Information & Intelligence Sharing
   
   
5. ICT Third-Party Risk Management

This high-level view ensures that risk controls, reporting, testing, threat-sharing, and supplier governance work in lockstep.

Pillar #1: ICT Risk Management

DORA requires a formal process to spot, assess, and control ICT risks throughout your organization.

1. Gap Analysis

2. • Compare existing ICT policies against DORA requirements.
   • Identify missing risk categories (e.g., cloud-native vulnerabilities, API dependencies).
     
     

3. Governance Structure

4. • Senior Management oversight: Senior management must actively oversee DORA compliance efforts rather than delegating them entirely to IT or security teams.
   • Assign clear roles: Roles and responsibilities for ICT risk management should be well-documented to avoid confusion during disruptive incidents.
   • Culture of resilience: Fostering a culture of resilience requires organizations to move beyond merely establishing policies by actively cultivating a risk-aware environment in which employees recognize and internalize the significance of maintaining digital resilience.
   • Charter an ICT risk committee or dedicated functions, such as appointing a Chief Information Security Officer (CISO) or an equivalent role, provides clear accountability and ensures that a designated leader is responsible for overseeing and managing risks associated with information and communication technologies
   • Clear Policies: Organizations should establish comprehensive written policies that address ICT risk management, incident response procedures, and business continuity planning. The presence of clearly articulated policies facilitates the standardization of security practices across the organization, thereby promoting consistency and accountability in the management of risks and incidents.
     
     

5. Risk identification & assessment

6. • Risk inventory: Maintain an updated list of critical ICT assets, data, and processes to identify high-risk areas.
   • Risk assessment: Organizations should implement structured and repeatable risk assessment methodologies to systematically evaluate potential threats arising from cyberattacks, system failures, and dependencies on third-party service providers. 
   • Third-party dependencies: Conduct risk assessments on all external ICT service providers, ensuring they meet compliance standards.
   • Ongoing Monitoring: Organizations should establish continuous monitoring mechanisms to track system performance, detect security events, and observe key risk indicators in real time.
   • Risk Reporting: Clearly defined key performance indicators (KPIs) should be used to assess the state of digital resilience, with structured reporting processes in place to ensure that relevant risk information is communicated to senior management on a regular basis.

Pillar #2: ICT Incident Management

Incident Detection and Response

A well-defined incident response framework enables organizations to efficiently detect, contain, and recover from cybersecurity incidents, thereby minimizing operational disruption and financial impact.

• Incident Detection Capabilities: Implement automated monitoring solutions capable of identifying anomalies and indicators of compromise in real time. These tools form the first line of defense by providing early warnings of potential cyberattacks.
• Incident Response Plan (IRP): Develop and maintain a detailed incident response plan that outlines roles, responsibilities, and communication protocols. The plan should include predefined steps for containment, eradication, recovery, and post-incident review, ensuring a coordinated response across all relevant stakeholders.

Incident Classification and Escalation

Effective incident management requires a consistent approach to identifying the severity of security events and ensuring appropriate response measures are taken promptly.

• Classification Criteria: Establish standardized criteria to categorize incidents based on DORA RTS requirements.
• Escalation Procedures: Define clear escalation paths for high-priority or high-impact incidents, ensuring timely communication with senior leadership, relevant advisors, and regulatory authorities when a Major incident occurs.

Post-Incident Analysis and Regulatory Reporting

Conducting post-incident reviews is essential for identifying systemic weaknesses and improving the organization’s overall security posture.

• Root Cause Analysis: Perform comprehensive analyses of incidents to determine underlying causes, assess control failures, and identify recurring patterns. Findings should be documented and used to inform future prevention and response strategies.
• Regulatory Reporting: Ensure compliance with legal and regulatory requirements of the Digital Operational Resilience Act (DORA), by adhering to mandated timelines and disclosure obligations for reporting Major cybersecurity incidents to the regulators.

Pillar #3: Digital Operational Resilience Testing

DORA requires financial entities to proactively act for resilience and recovery from ICT disruptions efficiently.

1. Vulnerability Scans & Penetration Tests

2. • Schedule quarterly scans for all internet-facing systems.
   • Perform annual internal pen tests focused on critical applications.
     
     

3. Scenario-Based Exercises

4. • Business impact analysis (BIA): Assess which business functions rely most heavily on ICT systems and establish acceptable downtime limits (RTOs) and data loss thresholds (RPOs).
   • Simulate major ICT outages through tabletop exercises (data-center failure, ransomware attack).
   • Involve cross-functional teams like IT ops, security and business continuity and use the outcomes for further improvement as DORA Art 13 mandates.
     
     

5. Threat-Led Penetration Tests

6. • Required for high-impact entities every three years.
   • Engage external experts to emulate advanced attackers who attack the internal predefined defenders team and the results must be shared with regulators.
     
     

7. Documentation & Retesting

8. • Record findings, assign remediation owners, and set due dates.
   • Verify fixes in follow-up scans before closing tickets.

Pillar #4: ICT Third-Party Risk Management

Vendors can introduce risk just as easily as internal systems.

1. Inventory of Providers

2. • Maintain a Register of Information (RoI) of all ICT contracts, services, and their criticality.
     
     

3. Due-Diligence & Ratings

4. • Conduct background checks before engaging ICT service providers.
     
     

5. Contractual Clauses

6. • Include DORA-specific terms: mandatory incident reporting, audit rights, service-level objectives.
   • What should be included in third-party contracts to ensure DORA compliance? Requirements for notification within 24 hours of any ICT disruption, right to audit, exit support clauses.
     
     

7. Exit Strategies

8. • Plan for orderly migration if a vendor fails to meet DORA mandates.
   • Store backup data, define transition-period SLAs.

Pillar #5: Information & Intelligence Sharing

DORA explicitly encourages financial entities to engage in voluntary sharing of cyber threat intelligence, vulnerabilities, and response tactics with other regulated entities. While not mandatory, this practice is recognized as a critical enabler of sector-wide situational awareness and faster collective response to evolving threats.

Compliance Roadmap 

Tracking Progress with DORA Metrics

Ensure compliance, not just activities.

• Incident Response Time: average hours from detection to report filing.
• System Downtime: total minutes of critical-service unavailability.
• Vendor Performance: percentage of SLAs met across critical suppliers.
• Test Effectiveness: ratio of findings remediated vs. total findings.

Publish a monthly dashboard to show improvement trends and spot slippages early.

Common Pitfalls & How to Avoid Them

1. Under-reporting minor incidents: Log every anomaly, even if it doesn’t meet “major” thresholds.

2. Siloed testing: Ensure developers, ops, and security teams run joint exercises.

3. Weak contracts: Don’t rely on generic SLAs, adjust clauses to DORA’s deadlines, and audit rights.

4. Overcomplicated toolchains: Stick to essential tools; avoid “one more plugin” syndrome that delays execution.

Conclusion & Next Steps

Achieving compliance with the Digital Operational Resilience Act (DORA) extends beyond regulatory adherence and represents a strategic investment in building a robust, flexible, and secure digital operational environment. By adopting the principles outlined in a comprehensive DORA compliance checklist, financial entities can proactively identify ICT risks, enhance incident response capabilities, and sustain critical operations even amid cyber threats and technological disruptions.

A well-prepared organization not only meets DORA’s regulatory standards but also positions itself to operate confidently and securely in a digital-first, interconnected financial ecosystem. Compliance, in this context, becomes an enabler of long-term operational stability, customer trust, and market competitiveness.

Learn More