Everything financial entities need on DORA audits — supervisory inspections, the mandatory internal audit of the ICT risk framework, audit scope by pillar, the evidence supervisors demand and how to be ready before they knock.
A DORA audit is any structured review of a financial entity's compliance with the Digital Operational Resilience Act — Regulation (EU) 2022/2554 — and its 13 supplementing Regulatory and Implementing Technical Standards. The word "audit" is used loosely across the industry, and the first step to preparing properly is to recognise that it refers to three quite different exercises with different owners, triggers and consequences.
What they share is the reference standard: every DORA audit measures the entity against the same body of binding rules — the 64 articles of DORA plus the RTS/ITS. What differs is who runs the review, whether participation is mandatory, and what happens when a gap is found. A gap discovered by your own internal audit becomes a remediation action. The same gap discovered by a competent authority during a supervisory inspection becomes a formal finding — with potential capital, enforcement and reputational consequences attached.
That asymmetry is the single most important idea on this page. It is why mature institutions invest in audit readiness: the cheapest place to find a DORA gap is in a review you commissioned yourself.
- **Supervisory inspection.** Run by the competent authority (ECB, BaFin, ACPR, DNB, Banca d'Italia, CSSF and others). Mandatory, scheduled by the supervisor, often part of the SREP cycle for banks. Produces formal findings and can drive enforcement.
- **Internal audit.** Required by Art. 6(6). The ICT risk management framework must be independently reviewed by auditors with ICT expertise, following the entity's audit plan. Findings go to the management body for formal follow-up.
- **Readiness assessment.** Voluntary. Commissioned by the entity, internally or via a specialist firm, to find and fix gaps before a supervisor does. Mirrors the supervisory scope but produces a remediation plan, not an enforcement notice.
Article 6(6) is the explicit DORA mandate for internal audit. It states that the ICT risk management framework must be subject to internal audit by auditors "on a regular basis in line with the financial entity's audit plan", and that those auditors must possess "sufficient knowledge, skills and expertise in ICT risk, as well as appropriate independence".
Three obligations flow from this short sentence, and supervisors test each of them:
- **Expertise.** The auditors must genuinely understand ICT risk, not just financial or process auditing. A generalist internal audit function that ticks "ICT framework reviewed" without the technical depth to challenge encryption design, network segmentation, recovery testing or sub-outsourcing chains will itself become a finding. Many institutions co-source the technical depth: internal audit owns the plan and the opinion, a specialist firm supplies the ICT expertise.
- **Independence.** The auditor cannot review a function they help operate or design. Internal audit sits in the third line of defence; the ICT risk function and the CISO sit in the second and first. The reporting line of internal audit must run to the audit committee / management body, not to the CIO. Supervisors check the organisational chart and the reporting lines, not just the policy.
- **Management follow-up.** Article 6(6) is not satisfied by producing a report. The management body must formally receive audit findings, decide on remediation, allocate resources and track closure. Board minutes must evidence this loop. An audit finding that sits open for three cycles with no documented management response is, in supervisory eyes, worse than the original gap: it signals a governance failure under Article 5 accountability.
DORA sets no fixed interval — it is risk-based, governed by the audit plan. In practice: significant institutions and critical or important functions are reviewed at least annually; lower-risk areas on a 2-3 year rotation so that the whole ICT risk framework is covered within a defined cycle. The audit plan itself, and its risk-based rationale, is something supervisors will ask to see.
Supervisory review under DORA is exercised by national competent authorities and, for SSM-significant banks, by the ECB Joint Supervisory Teams. It takes two forms: off-site review (analysis of submitted documentation — the Register of Information, incident reports, the resilience testing programme) and on-site inspection (a supervisory team physically reviewing controls, interviewing staff, sampling evidence).
Under Article 50 and related provisions, supervisors can require information, conduct on-site inspections, demand remediation within deadlines, impose administrative penalties (up to 2% of total annual worldwide turnover for entities, EUR 1 million for natural persons), issue public censure, and apply qualitative measures. For designated Critical ICT Third-Party Providers, the Lead Overseer regime adds direct ESA oversight (see third-party risk).
Whether internal or supervisory, a DORA audit walks the five pillars. Use the table below as the backbone of an audit programme — each row is a testable control area with its article anchor.
| Pillar | What the audit tests | Anchor |
|---|---|---|
| ICT risk management | Board-approved framework, ICT risk appetite, three-lines-of-defence model, asset classification, protection & detection controls, ICT business continuity policy, validated RTO/RPO | Art. 5-16 |
| Incident management | Detection, classification governance against RTS criteria, 4h/72h/1-month reporting, root-cause discipline, NCA portal readiness | Art. 17-23 |
| Resilience testing | Annual testing programme, independence of testers, coverage of critical functions, TLPT lifecycle and attestation where designated | Art. 24-27 |
| Third-party risk | Register of Information completeness, Article 30 mandatory clauses, concentration risk, sub-outsourcing visibility, tested exit strategies | Art. 28-44 |
| Information sharing | Participation arrangements, threat-intelligence handling, GDPR-compliant exchange | Art. 45 |
Run the free 45-point DORA compliance checklist to get a fast structured read across all five pillars before you scope a formal audit.
DORA audits are evidence-driven. A control that exists but is not documented is, in audit terms, a control that does not exist. Assemble and keep current the following audit file:
Audit readiness is a deliberate programme, not a scramble before the supervisor arrives. A proven sequence:
1. **Gap analysis.** Map your entity against all five pillars and the 13 RTS. The free DORA compliance checklist gives a fast structured baseline; a formal gap analysis turns it into a prioritised backlog with ownership and effort estimates.
2. **Evidence check.** For every control, ask "could I hand a supervisor the evidence today?" Where the answer is no, the gap is documentation, not control design, and that is the fastest category to fix.
3. **Mock inspection.** A readiness assessment that mirrors the supervisory scope, ideally run by people who have seen real inspections. It surfaces the findings a supervisor would raise while they still cost only remediation effort.
4. **Test recovery objectives.** The most common evidence failure is RTO/RPO targets that look fine on paper but were never tested end-to-end. Schedule and document the test before the audit, not during it.
5. **Brief the board.** Article 5 accountability means the board must be able to speak to the ICT risk position. A pre-audit board briefing is a standard part of readiness work.
This platform is operated by Cryptaguard, a specialist team focused exclusively on DORA, operational resilience and GRC for EU financial institutions. We help banks, insurers, investment firms and ICT providers walk into a supervisory inspection with a defensible, evidence-complete audit file — and we have run readiness work across institutions in more than 20 EU countries.
A 30-minute expert call plus a written compliance score and your top-5 audit-risk priorities, delivered within 48 hours. The fastest way to know where you stand.
A mock inspection across the five pillars and 13 RTS — run by people who have seen real supervisory reviews. You receive a prioritised remediation backlog, not an enforcement notice.
Our specialised SaaS keeps your Register of Information, incident log and audit evidence current and export-ready year-round — so a dip check or inspection is never a scramble.
Independent of software vendors and testing firms. NDA on every engagement. ISO 27001-aligned handling of client material.