Preparing for DORA compliance requires a systematic approach. This comprehensive checklist covers the key requirements across the five pillars of the DORA regulation.

DORA Compliance Checklist Overview

Before beginning implementation, ensure your organization has:

  • Executive sponsorship and board awareness
  • Dedicated compliance team or project lead
  • Budget allocation for technology and consulting
  • Timeline and milestones established
  • Regular reporting mechanism to leadership

Pillar 1: ICT Risk Management

Governance & Strategy

  • ☐ Define ICT risk appetite and tolerance levels
  • ☐ Establish ICT risk management framework
  • ☐ Assign Chief Information Security Officer (CISO) responsibility
  • ☐ Create ICT risk policies and procedures
  • ☐ Document ICT risk governance structure

Risk Assessment & Identification

  • ☐ Inventory all critical ICT assets and systems
  • ☐ Map system dependencies and interconnections
  • ☐ Identify single points of failure
  • ☐ Document critical business processes
  • ☐ Conduct baseline vulnerability assessment
  • ☐ Classify data by sensitivity level

Risk Protection & Mitigation

  • ☐ Implement encryption for data at rest and in transit
  • ☐ Deploy multi-factor authentication (MFA)
  • ☐ Establish access control policies
  • ☐ Implement intrusion detection systems
  • ☐ Deploy endpoint protection solutions
  • ☐ Establish privileged access management (PAM)
  • ☐ Implement security monitoring and logging

Pillar 2: Incident Management

  • ☐ Develop incident classification framework
  • ☐ Define incident reporting procedures
  • ☐ Create incident response playbooks
  • ☐ Establish alert mechanisms
  • ☐ Train incident response team
  • ☐ Conduct incident response drills quarterly
  • ☐ Document all incidents and near-misses
  • ☐ Establish communication protocols for incidents
  • ☐ Set up regulatory notification procedures

Pillar 3: Digital Operational Resilience Testing

Threat-Led Penetration Testing (TLPT)

  • ☐ Select qualified TLPT provider
  • ☐ Define scope and scenarios
  • ☐ Conduct annual TLPT assessments
  • ☐ Document findings and remediation
  • ☐ Test incident response procedures

Advanced Security Testing

  • ☐ Perform vulnerability scanning (monthly minimum)
  • ☐ Conduct security code reviews
  • ☐ Execute penetration testing
  • ☐ Perform configuration reviews
  • ☐ Document testing results

Backup and Recovery Testing

  • ☐ Test backup integrity quarterly
  • ☐ Conduct recovery time objective (RTO) tests
  • ☐ Verify recovery point objective (RPO) compliance
  • ☐ Test restoration of critical systems
  • ☐ Document results and improvements

Pillar 4: Third-Party Risk Management

  • ☐ Inventory all critical ICT service providers
  • ☐ Assess third-party criticality rating
  • ☐ Conduct due diligence before contracting
  • ☐ Include DORA clauses in all ICT contracts
  • ☐ Establish service level agreements (SLAs)
  • ☐ Secure the right to audit vendor compliance
  • ☐ Plan exit strategies for critical vendors
  • ☐ Monitor concentration risk
  • ☐ Conduct quarterly vendor compliance reviews
  • ☐ Test exit procedures annually

Pillar 5: Information Sharing

  • ☐ Identify relevant information sharing entities
  • ☐ Join ISAC (Information Sharing and Analysis Center)
  • ☐ Establish information sharing protocols
  • ☐ Share threat intelligence appropriately
  • ☐ Participate in information sharing meetings

Documentation & Record Keeping

  • ☐ Maintain audit trails for all ICT changes
  • ☐ Document all risk assessments
  • ☐ Keep testing reports and results
  • ☐ Archive incident reports
  • ☐ Store vendor assessment results
  • ☐ Maintain ICT risk register
  • ☐ Document training and awareness programs

Compliance Timeline

  • Q4 2024: Complete gap analysis and remediation planning
  • January 2025: Full compliance required
  • Ongoing: Continuous monitoring and improvement
  • Q3 2025: First assessment period begins

Implementation Tips

  • Prioritize: Focus on high-impact items first
  • Automate: Use tools to streamline compliance tracking
  • Collaborate: Involve all relevant departments
  • Document: Maintain clear records of all decisions and actions
  • Train: Ensure staff understand DORA requirements
  • Review: Regularly assess progress against timeline

Common Mistakes to Avoid

  • ❌ Waiting until the last minute to begin
  • ❌ Treating DORA as an IT-only responsibility
  • ❌ Ignoring third-party risk management
  • ❌ Insufficient documentation
  • ❌ Treating compliance as a one-time exercise rather than continuous improvement
  • ❌ Inadequate budget allocation