DORA Checklist: 10 Steps to Compliance
Practical DORA checklist with 10 concrete steps. Time comparison with and without GRC tool.
DORA Checklist: Your Path to Compliance
DORA (EU Regulation 2022/2554) has applied since 17 January 2025. Financial entities that have not yet achieved full compliance need a structured approach to close remaining gaps. This checklist provides 10 concrete steps that cover all five DORA pillars and guide you from initial assessment through to ongoing compliance management.
Each step includes a time estimate with and without GRC tooling to help you plan realistically. The steps are designed to be worked through sequentially, as later steps build on the outputs of earlier ones.
Step 1: Determine Scope and Applicability
Clarify which legal entities within your group fall under DORA and which category they belong to. DORA applies to 21 types of financial entities (Art. 2). Determine whether any entities qualify for the simplified framework under Art. 16. Document the applicability assessment and the rationale for each entity.
For entities with an existing ISMS (e.g. ISO 27001), assess the degree of overlap. Our ISO 27001 and DORA mapping can help identify covered and uncovered areas.
Step 2: Establish Governance and Ownership
Art. 5 assigns ultimate responsibility for ICT risk management to the management body. Define who on the management body is accountable, who acts as the operational ICT risk owner (e.g. CISO), and who leads the DORA compliance programme. Ensure the management body is aware of its personal accountability and has undergone or is scheduled for ICT risk training.
Establish a DORA project team with representatives from IT, risk, compliance, legal, and procurement. Without cross-functional involvement, critical aspects like third-party contractual review or incident reporting will fall through the cracks.
Step 3: Conduct a Gap Analysis
Map your existing ICT risk management practices against all DORA requirements. Use the five pillars as a framework: ICT risk management (Art. 5-16), incident reporting (Art. 17-23), resilience testing (Art. 24-27), third-party risk (Art. 28-44), and information sharing (Art. 45). For each article, assess your current maturity level and identify specific gaps.
Prioritise gaps by regulatory risk (what would a supervisor look at first?) and implementation effort. Typical high-priority gaps include: missing information register, incomplete incident reporting processes, and contracts without Art. 30-compliant clauses.
For a detailed breakdown of all requirements, see our DORA Requirements overview.
Step 4: Build the ICT Risk Management Framework
Establish or enhance your ICT risk management framework per Art. 6. This includes: a digital operational resilience strategy, policies for identification, protection, detection, response, and recovery, an independent ICT control function, and internal ICT audit capability. The framework must be documented, approved by the management body, and reviewed at least annually.
For entities migrating from German regulations like BAIT, see our BAIT/VAIT to DORA migration guide. For a deep dive into the framework requirements, see our ICT Risk Management page.
Step 5: Implement Incident Management and Reporting
Establish a DORA-compliant incident management process covering detection, classification, escalation, and reporting. Pre-configure reporting templates for all three stages (initial notification within 4h, intermediate report within 72h, final report within 1 month). Define clear escalation paths and assign roles for incident classification, authority communication, and forensic analysis.
Conduct at least one tabletop exercise simulating a major ICT incident from detection through authority notification. For full details, see our Incident Reporting guide.
Step 6: Build the Information Register
Create the information register required by Art. 28(3). Inventory all ICT third-party arrangements, classify them by criticality, and populate the register following the ITS data model. This is typically one of the most time-consuming steps, as it requires input from procurement, IT, legal, and business departments.
Establish maintenance processes so the register stays current. Detailed guidance is available on our Information Register page.
Step 7: Review and Amend Third-Party Contracts
Compare all contracts for ICT services supporting critical or important functions against the mandatory clauses in Art. 30. Key areas to review: SLAs, data location provisions, audit rights, incident notification obligations, exit strategies, and sub-outsourcing conditions.
Prioritise amendments by criticality of the supported function. For more on third-party risk management, see our Third-Party Risk page.
Step 8: Establish the Resilience Testing Programme
Design a risk-based testing programme covering all critical ICT systems. Plan for annual vulnerability assessments, penetration tests, and scenario-based testing at minimum. If your entity is designated for TLPT, begin procurement of qualified TLPT providers and engage with your competent authority on scope validation.
For details on testing types and TLPT requirements, see our Resilience Testing page.
Step 9: Train the Organisation
Ensure all relevant staff understand their DORA responsibilities. Priorities include: ICT risk training for the management body (Art. 5(4)), security awareness training for all staff with ICT access, specialised training for incident response teams, and compliance training for procurement staff involved in third-party management.
Document all training activities, participants, and outcomes. This documentation serves as evidence of compliance.
Step 10: Establish Continuous Compliance Management
DORA compliance is not a project with an end date. Establish ongoing processes for: annual framework review (Art. 6(5)), periodic risk assessments, continuous information register maintenance, testing programme execution, post-incident learning (Art. 13), and annual reporting to supervisory authorities. Integrate DORA requirements into your existing GRC processes.
Timeframes: With vs. Without GRC Tooling
| Step | With Kopexa | Without dedicated tool |
|---|---|---|
| 1. Scope & Applicability | 1-2 weeks | 2-4 weeks |
| 2. Governance | 1 week | 2-3 weeks |
| 3. Gap Analysis | 2-3 weeks | 4-8 weeks |
| 4. ICT Risk Framework | 3-6 weeks | 8-16 weeks |
| 5. Incident Reporting | 2-3 weeks | 4-8 weeks |
| 6. Information Register | 3-6 weeks | 8-16 weeks |
| 7. Contract Review | 4-8 weeks | 8-20 weeks |
| 8. Resilience Testing | 2-4 weeks | 4-8 weeks |
| 9. Training | 2-3 weeks | 4-6 weeks |
| 10. Continuous Management | Ongoing | Ongoing |
| Total (initial setup) | 4-8 months | 10-18 months |
These timeframes assume a mid-sized financial entity without an existing ISO 27001 ISMS. Entities with mature security management systems can typically accelerate Steps 3-4 significantly. For a breakdown of expected costs, see our DORA Costs and Timeline page.
Common Pitfalls to Avoid
- Treating DORA as an IT project: DORA requires cross-functional involvement. Legal must review contracts, procurement must manage the information register, and the management body must be actively engaged.
- Underestimating the information register: The register is often the most time-consuming deliverable. Start early and allocate sufficient resources.
- Ignoring proportionality: Smaller entities may qualify for the simplified framework (Art. 16). Check before investing in full compliance. See our Proportionality page.
- Neglecting incident reporting rehearsal: The 4-hour classification deadline is extremely tight. Without practiced processes and pre-configured templates, you will miss it.
- Overlooking the RTS and ITS: DORA is supplemented by detailed technical standards that add granularity to the Level 1 text. Ensure your compliance programme addresses these standards.
Accelerate your DORA compliance
Kopexa provides pre-built DORA control frameworks, information register templates, and incident reporting workflows, reducing your implementation timeline by up to 50%. Let us assess where you stand and build a prioritised roadmap together.