Is DORA compliance mandatory for all financial institutions?

Yes. DORA applies to 21 categories of financial entities in the EU including banks, investment firms, insurance companies, payment institutions, crypto-asset service providers, and others. It has been fully applicable since 17 January 2025.

How many items are in the DORA compliance checklist?

This checklist covers 45 key compliance items across 5 DORA pillars: ICT Risk Management (11 items), Incident Management (7 items), Digital Resilience Testing (9 items), Third-Party Risk Management (8 items), Information Sharing (4 items), plus 6 governance items.

What is the penalty for DORA non-compliance?

For financial entities, national competent authorities can impose periodic penalty payments up to 1% of average daily worldwide turnover per day, for up to 6 months. Critical ICT third-party providers face fines up to 1% of average daily global turnover, or up to 2% for repeated infringements.

Is TLPT required for all financial entities under DORA?

No. TLPT (Threat-Led Penetration Testing) is only mandatory for "significant" entities — typically large banks with assets over EUR 30bn, major insurance groups, and systemically important financial market infrastructures. Competent authorities designate which entities must conduct TLPT, at least every 3 years.

DORA Compliance Checklist 2026: 45-Point Assessment Across All 5 Pillars

ICT risk management framework documented and formally approved by the management body CRITICAL ICT risk appetite defined, quantified and integrated into the overall enterprise risk framework CRITICAL Dedicated ICT security function (or equivalent) with sufficient authority, independence and resources CRITICAL ICT asset inventory complete, classified by criticality and maintained up-to-date CRITICAL Business impact analysis (BIA) performed covering all critical and important functions CRITICAL ICT risk assessment performed at least annually and after any major ICT change or incident IMPORTANT Protection measures in place: encryption, multi-factor authentication, access controls, network segmentation CRITICAL Detection capabilities operational: continuous monitoring, logging, anomaly detection and alerting IMPORTANT ICT business continuity and disaster recovery plans formally adopted, tested and validated CRITICAL Recovery time objectives (RTO) and recovery point objectives (RPO) defined for critical functions IMPORTANT ICT risk management framework reviewed at least annually and updated following major incidents IMPORTANT

Incident classification criteria formally defined and aligned with DORA RTS on major ICT incidents CRITICAL Major incident reporting process operational: 4-hour initial, 72-hour interim, 1-month final report CRITICAL Incident response team (IRT) formally identified, trained and reachable 24/7 CRITICAL Crisis communication plan covering internal escalation, client notification and regulatory reporting IMPORTANT Post-incident root cause analysis (RCA) process defined, with findings formally documented IMPORTANT Voluntary reporting mechanism for significant cyber threats to competent authority in place (Art. 19) RECOMMENDED Methodology in place to estimate aggregated annual costs and losses from major ICT incidents IMPORTANT

Digital operational resilience testing programme established, documented and approved CRITICAL Annual vulnerability assessments performed on all critical and important ICT systems CRITICAL Network and infrastructure security assessments completed at least annually IMPORTANT Scenario-based testing conducted covering major threat scenarios (ransomware, DDoS, insider threat, cloud outage) IMPORTANT Source code security reviews conducted where applicable for critical applications RECOMMENDED TLPT performed (significant entities only) within the last 3 years, following TIBER-EU/RTS methodology CRITICAL TLPT scope mapping completed: critical business services and all supporting ICT infrastructure identified IMPORTANT Testing providers meet independence requirements (internal or external; no conflict of interest) IMPORTANT Test results formally shared with competent authority; remediation plans tracked through to completion CRITICAL

Register of Information (RoI) complete, accurate and maintained in the required xBRL-CSV format CRITICAL RoI submitted to competent authority by Q1 2026 deadline (31 March 2026) CRITICAL Pre-contractual due diligence process documented for all new critical ICT service providers CRITICAL ICT contracts include all mandatory clauses required by DORA Article 30 (access, audit, termination, SLAs) CRITICAL ICT concentration risk assessment performed; cross-sector dependencies with CTPPs analysed IMPORTANT Exit strategies documented for all critical ICT providers; transition plans tested IMPORTANT Ongoing performance monitoring and audit rights exercised for critical ICT service providers IMPORTANT Sub-outsourcing chains fully mapped, material sub-contractors approved and contractually bound IMPORTANT

Voluntary cyber threat information sharing arrangements assessed and established where appropriate RECOMMENDED Threat intelligence feeds integrated into ICT security monitoring and incident detection processes RECOMMENDED Participation in relevant ISACs, national cybersecurity bodies or DORA information sharing communities RECOMMENDED Confidentiality and data protection safeguards in place for any information shared externally IMPORTANT

Management body formally and individually accountable for ICT risk oversight under DORA Art. 5 CRITICAL Board-level training on digital operational resilience completed for all management body members CRITICAL ICT risk formally reported to the management body at least quarterly, with action tracking IMPORTANT DORA responsible officer or equivalent role formally appointed within the organisation RECOMMENDED DORA governance committee or cross-functional working group established to coordinate implementation RECOMMENDED ICT risk appetite formally documented and communicated across all relevant business lines and functions IMPORTANT

Core Pillars

Need Help?

DORA Compliance Checklist 2026:
Are You Fully Compliant?

How to use this checklist

Compliance by Pillar

Get the PDF Checklist

DORA Compliance Checklist 2026:Are You Fully Compliant?

How to use this checklist

Compliance by Pillar

Get the PDF Checklist

Related Resources

DORA Compliance Checklist 2026:
Are You Fully Compliant?