DORA Compliance Checklist for 2026: 50 Requirements Every Financial Entity Must Meet
How to Use This Checklist
DORA (Digital Operational Resilience Act) became fully applicable on January 17, 2025. If you're a financial entity or crypto-asset service provider in the EU, you should already be compliant. If you're not, you have a problem.
This checklist breaks down DORA's requirements into practical, assessable items. Use it to:
- Audit your current compliance status
- Identify gaps requiring immediate attention
- Prioritize remediation efforts
- Prepare for regulatory examinations
Each section corresponds to a pillar of DORA. Check off items you've completed, note items in progress, and flag items that need work.
---
Pillar 1: ICT Risk Management Framework
The foundation of DORA compliance is a comprehensive ICT risk management framework. This isn't about having documents on a shelf. It's about operational practices.
Governance and Organization
DORA Article 5 places ultimate responsibility on the management body. They must approve the ICT risk management framework and bear responsibility for its implementation.
- A dedicated function responsible for ICT risk management, with appropriate independence from ICT operations. Smaller entities may combine this with other control functions.
- Documented assignment of ICT risk responsibilities across the organization, including clear escalation paths.
- Reporting to the management body on ICT risk status at least annually, though most entities need quarterly or more frequent updates.
- Resources sufficient to achieve digital operational resilience, including investments in security, training, and testing.
- A comprehensive ICT risk management policy covering all aspects of ICT risk, approved by the management body and reviewed at least annually.
Risk Identification and Assessment
- Inventory of all ICT assets: hardware, software, systems, networks, and data, including cloud services and third-party-provided ICT.
- Mapping of which business processes depend on which ICT systems, with classification by criticality and sensitivity.
- Systematic identification of threats and vulnerabilities affecting your ICT assets and business functions.
- Assessment of likelihood and impact for identified risks, including scenario analysis.
- Defined ICT risk tolerance: what level of ICT risk is acceptable, with documented thresholds that trigger escalation.
- Clear understanding of reliance on external providers, including substitutability assessments.
- Risk assessment repeated at least annually, or more frequently when significant changes occur to systems, threats, or business functions.
Protection and Prevention
- Information security policies covering data classification, access control, encryption, and security standards.
- Access management: least privilege, strong authentication (MFA for critical systems), regular access reviews.
- Network security: segmentation, firewalls, intrusion detection/prevention, monitoring.
- Encryption of sensitive data at rest and in transit, with key management procedures.
- Physical security: server rooms, data centers, and critical infrastructure protected against physical threats.
- Patch management: timely application of security patches, with documented procedures for testing and deployment.
- Secure development: secure coding standards, code review, security testing before deployment.
- Malware protection: antivirus/antimalware on endpoints and servers, regular updates, monitoring.
- Regular backups of critical data and systems, with offsite/offline copies for ransomware resilience.
Detection
- Security monitoring: security information and event management (SIEM), log collection and analysis, alerting.
- Anomaly detection: behavioral analytics, baseline monitoring, detection of unusual activities.
- Vulnerability scanning at least quarterly for external-facing systems and more often for critical assets; the RTS on ICT risk management requires at least weekly automated scanning of ICT assets supporting critical or important functions.
- Threat intelligence: information on current threats, attack techniques, and indicators of compromise.
- Monitoring coverage reviewed, with gaps identified and addressed.
Response and Recovery
- Incident response plan: clear steps for responding to incidents, including roles, communications, and escalation.
- Incident response team: named individuals with defined responsibilities, regular training and exercises.
- Communication plan: internal notifications, regulatory reporting, client communications, media handling.
- ICT business continuity policy and plans approved by the management body, covering all critical functions.
- Recovery time objectives (RTO): maximum acceptable downtime for each critical function, aligned with business requirements.
- Recovery point objectives (RPO): maximum acceptable data loss, informing backup frequency requirements.
- Disaster recovery plans: technical procedures for recovering systems and data following disruptive events.
- Crisis management: decision-making during major incidents, including authority to invoke business continuity plans.
- Restore testing: not just backup procedures, but verified ability to restore from backups.
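Verified restore ability is the item most often claimed and least often demonstrated. The following Python is an added example, not code from the original checklist: it backs up a constructed directory, records a SHA-256 manifest at backup time, restores the archive into a scratch location, compares the restored tree against the manifest, and then repeats the drill with one restored file tampered to show the check catching it. File names, contents and the RPO value in the sample config are constructed for the demo.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a gzipped tar of source and return the manifest taken at backup time.
    Store the manifest separately from the archive; it is the reference the
    restore drill is checked against."""
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=".")
    return manifest(source)


def restore(archive: Path, target: Path) -> None:
    """Extract into target. The 'data' filter (Python 3.12+, backported to
    3.8.17/3.9.17/3.10.12/3.11.4) refuses path traversal and other hostile
    archive members, which matters if the backup store could be tampered with."""
    with tarfile.open(str(archive), "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)  # older interpreter: no member filtering available


def verify(expected: dict[str, str], restored: Path) -> list[str]:
    """Compare the restored tree against the backup-time manifest.
    Returns a sorted list of problems; an empty list means the restore is exact."""
    actual = manifest(restored)
    problems = [f"missing: {rel}" for rel in expected if rel not in actual]
    problems += [f"corrupt: {rel}" for rel, h in expected.items()
                 if rel in actual and actual[rel] != h]
    problems += [f"unexpected: {rel}" for rel in actual if rel not in expected]
    return sorted(problems)


def restore_test(tamper: bool = False) -> list[str]:
    """End-to-end drill: back up constructed data, restore to scratch, verify.
    With tamper=True one restored file is altered after extraction to show
    that the manifest comparison detects it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source, archive, scratch = base / "src", base / "backup.tar.gz", base / "restore"
        (source / "ledger").mkdir(parents=True)
        (source / "ledger" / "2025-01.csv").write_text("id,amount\n1,100\n2,250\n")  # constructed data
        (source / "config.yaml").write_text("rpo_minutes: 60\n")                      # constructed data
        expected = create_backup(source, archive)
        scratch.mkdir()
        restore(archive, scratch)
        if tamper:
            (scratch / "ledger" / "2025-01.csv").write_text("id,amount\n1,100\n2,999\n")
        return verify(expected, scratch)


if __name__ == "__main__":
    print("clean restore:", restore_test() or "OK")
    print("tampered restore:", restore_test(tamper=True))
```

Run the drill on a schedule against a restore target that is not the production host, and keep the manifest outside the backup store; an attacker who can rewrite the archive can usually rewrite a manifest sitting beside it.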
---
Pillar 2: ICT Incident Management and Reporting
DORA creates a harmonized incident reporting framework across the EU financial sector.
Incident Detection and Classification
- Systems and processes to detect ICT incidents, including security events.
- Classification criteria based on: clients affected, duration, geographic spread, data losses, economic impact, criticality of services.
- Clear criteria, aligned with DORA and the regulatory technical standards on classification, for identifying reportable (major) incidents.
- All ICT incidents recorded with sufficient detail for analysis and reporting.
Incident Reporting
- Procedure for notifying the competent authority of major incidents within the required timeframes.
- Ability to submit the initial notification within four hours of classifying an incident as major, and no later than 24 hours after becoming aware of it.
- Procedures for submitting an intermediate report with updated information within 72 hours of the initial notification.
- Procedures for submitting a comprehensive final report, including root cause analysis, within one month of the latest intermediate report.
- Correct forms, submission portals, and contact details ready.
- Process for voluntarily reporting significant cyber threats even if they don't result in incidents.
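The classification rule and the reporting clock are easier to reason about as code. The following Python is an added example, not part of the original checklist and not any regulator's tooling: it encodes the structure of the major-incident test (critical services affected, then either malicious unauthorised access or at least two further criteria over threshold) and derives the latest submission times for the initial, intermediate and final reports. The dataclass fields and the sample incident are constructed; the numeric thresholds are my reading of the classification RTS and are marked as assumptions in the code to be checked against the published text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds used by this worked example. The decision structure (critical
# services affected AND either malicious unauthorised access OR at least two
# of the other criteria) follows the RTS on classification of major incidents.
# The numeric values are my reading of that RTS: treat them as assumptions and
# confirm them against the published text before relying on this logic.
CLIENTS_SHARE = 0.10            # more than 10% of clients affected ...
CLIENTS_ABSOLUTE = 100_000      # ... or more than 100,000 clients
DURATION_HOURS = 24             # incident duration above 24 hours ...
DOWNTIME_HOURS = 2              # ... or service downtime above 2 hours
MIN_MEMBER_STATES = 2           # impact in two or more Member States
ECONOMIC_IMPACT_EUR = 100_000   # direct and indirect costs above EUR 100,000


@dataclass
class Incident:
    """Facts gathered during triage (constructed fields, not a regulatory schema)."""
    critical_services_affected: bool
    malicious_unauthorised_access: bool
    clients_affected: int
    total_clients: int
    duration_hours: float
    downtime_hours: float
    member_states_affected: int
    data_losses: bool            # any impact on availability, authenticity, integrity or confidentiality
    economic_impact_eur: float
    reputational_impact: bool = False


def criteria_met(inc: Incident) -> list[str]:
    """Names of the non-critical-service criteria whose thresholds are exceeded."""
    met = []
    share = inc.clients_affected / inc.total_clients if inc.total_clients else 0.0
    if inc.clients_affected > CLIENTS_ABSOLUTE or share > CLIENTS_SHARE:
        met.append("clients")
    if inc.reputational_impact:
        met.append("reputational")
    if inc.duration_hours > DURATION_HOURS or inc.downtime_hours > DOWNTIME_HOURS:
        met.append("duration")
    if inc.member_states_affected >= MIN_MEMBER_STATES:
        met.append("geographic")
    if inc.data_losses:
        met.append("data_losses")
    if inc.economic_impact_eur > ECONOMIC_IMPACT_EUR:
        met.append("economic")
    return met


def is_major(inc: Incident) -> bool:
    """Major only if critical services are hit; then malicious access alone, or two other criteria, suffice."""
    if not inc.critical_services_affected:
        return False
    return inc.malicious_unauthorised_access or len(criteria_met(inc)) >= 2


def reporting_deadlines(aware_at: datetime, classified_at: datetime) -> dict[str, datetime]:
    """Latest submission times for the three DORA reports on a major incident.

    Initial notification: 4 hours after classification, but never later than
    24 hours after the entity became aware. Intermediate report: 72 hours after
    the initial notification is submitted. Final report: one month after the
    latest intermediate report. The chain assumes each report goes out exactly
    at its deadline; earlier submission pulls the later deadlines in. One month
    is approximated as 30 days here (assumption).
    """
    initial = min(classified_at + timedelta(hours=4), aware_at + timedelta(hours=24))
    intermediate = initial + timedelta(hours=72)
    final = intermediate + timedelta(days=30)
    return {"initial": initial, "intermediate": intermediate, "final": final}


def example() -> dict:
    """Constructed scenario: outage on a critical payment service, 150,000 of
    2,000,000 clients affected for 30 hours, one Member State, no data loss, and
    triage so slow that the 24-hour cap, not the 4-hour window, sets the deadline."""
    inc = Incident(critical_services_affected=True, malicious_unauthorised_access=False,
                   clients_affected=150_000, total_clients=2_000_000,
                   duration_hours=30, downtime_hours=1, member_states_affected=1,
                   data_losses=False, economic_impact_eur=50_000)
    aware = datetime(2025, 3, 1, 8, 0, tzinfo=timezone.utc)
    classified = datetime(2025, 3, 2, 10, 0, tzinfo=timezone.utc)
    return {
        "criteria": criteria_met(inc),
        "major": is_major(inc),
        "deadlines": {k: v.isoformat() for k, v in reporting_deadlines(aware, classified).items()},
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(f"{key}: {value}")
```

The sample deliberately shows the 24-hour cap binding: the entity took 26 hours to classify, so the four-hour window would already have expired, and the initial notification is due at awareness plus 24 hours. Slow triage is the failure mode that actually breaks the clock, not slow form-filling.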
Post-Incident Analysis
- Post-incident reviews: systematic analysis to understand why incidents occurred and how to prevent recurrence.
- Lessons learned fed back into risk management and control improvements.
- Metrics tracked on incident trends, response effectiveness, and recovery times.
---
Pillar 3: Digital Operational Resilience Testing
DORA mandates testing of ICT systems to verify resilience.
Basic Testing (All Entities)
- Documented testing program covering all required testing activities, with schedules.
- Vulnerability assessments and scans: systematic identification of vulnerabilities in systems and configurations.
- Penetration testing: active testing by qualified testers to identify exploitable vulnerabilities.
- Network security assessments: testing of network segmentation, firewall rules, and network security controls.
- Gap analyses: assessment of compliance with applicable security frameworks and standards.
- Source code reviews, where feasible, of in-house developed software for security issues.
- Scenario-based tests against realistic scenarios, including cyber attacks and system failures.
- Performance testing: verification that systems can handle peak loads and adverse conditions.
- Compatibility testing: verification that systems work together correctly, especially after changes.
- End-to-end testing of complete processes from initiation to completion.
- Physical security reviews: assessment of physical controls protecting ICT assets.
Advanced Testing (Significant Entities)
If your entity meets DORA's significance criteria, additional requirements apply:
- Threat-led penetration testing (TLPT) at least every three years.
- Testing scope includes live production systems supporting critical or important functions.
- Internal or external testers meeting DORA's qualification requirements.
- Testing methodology aligned with the EU's threat intelligence-based testing framework (TIBER-EU).
- Summary of findings and remediation plans submitted to your competent authority.
- Attestation from the authority confirming that the test was performed in accordance with DORA's requirements.
Testing Documentation
- Records of all testing activities, findings, and remediation.
- Remediation tracking: identified issues addressed within defined timeframes.
- Regular reporting to management on testing activities and findings.
---
Pillar 4: ICT Third-Party Risk Management
DORA imposes extensive requirements for managing risk from ICT service providers.
Register of ICT Third-Party Providers
- Register of information covering all contractual arrangements for ICT services, not just those supporting critical or important functions.
- For each provider: services provided, locations, subcontracting, contractual dates.
- Register kept current: new providers added, terminated providers removed, changes documented.
- Ability to provide the register to competent authorities on request.
Pre-Contractual Assessment
- Due diligence: standard assessment before engaging new ICT providers.
- Assessment of the risks associated with using each provider.
- Concentration risk: evaluation of over-reliance on individual providers or on providers with shared characteristics.
- Clear determination of which functions supported by third parties are critical or important.
Contractual Requirements
- Existing contracts assessed for compliance with DORA's mandatory contractual provisions.
- Service levels: clear, measurable targets for availability, performance, and security.
- Audit rights: right to audit the provider or access audit reports.
- Exit provisions: arrangements for transitioning away from the provider, including data portability.
- Incident notification: requirement for the provider to notify you of incidents affecting your services.
- Data protection: compliance with GDPR requirements for data processing.
- Subcontracting: controls on the provider's ability to subcontract, with notification requirements.
- Security obligations: provider commitments to security measures, including specific standards.
Ongoing Monitoring
- Performance monitoring: regular assessment of provider service delivery against SLAs.
- Assessment of provider security posture, including review of certifications and audit reports.
- Periodic comprehensive review of arrangements supporting critical or important functions.
- Verification that exit strategies remain viable.
---
Pillar 5: Information Sharing
DORA encourages voluntary information sharing about cyber threats.
- Management decision on whether to participate in threat-sharing communities.
- Appropriate protections for shared information.
- If participating, a procedure for sharing relevant threat information.
- If participating, a defined way for shared intelligence to feed into your detection and response.
---
Additional Requirements for Specific Entities
Crypto-Asset Service Providers (CASPs)
If you're a CASP authorized under MiCA, DORA applies in full. Additional considerations:
- MiCA-specific ICT security requirements integrated with the DORA framework.
- Enhanced security for systems holding crypto-assets.
- Hot/cold wallet policies, key management, transaction controls.
Trading Platforms and Exchanges
- Detection of manipulation and abuse attempts through ICT systems.
- Resilience under extreme market conditions: circuit breakers, failover.
---
Compliance Verification
Documentation
- Policies listed in this checklist exist, are approved by the appropriate authority, and are current.
- Evidence that controls are actually operating, not just documented.
- Records of staff training on ICT security and resilience procedures.
Self-Assessment
- Gap analysis: systematic comparison of your practices against all DORA requirements.
- Prioritized remediation plan addressing compliance gaps, with timelines and resources.
- Board/management informed of DORA compliance status and any gaps.
---
What Happens If You Fail?
Non-compliance with DORA isn't theoretical risk. Competent authorities have powers to:
- Issue administrative sanctions and fines
- Require remediation within defined timeframes
- Restrict business activities until compliance achieved
- Withdraw authorizations in severe cases
Beyond regulatory action, DORA non-compliance creates operational risk. The requirements exist because ICT failures and cyber attacks can destroy financial entities.
How FinlexPro Supports Your DORA Compliance
DORA contains 64 articles, but that's just the beginning. Compliance requires understanding:
- Regulatory Technical Standards (RTS) on ICT risk management
- Implementing Technical Standards (ITS) on incident reporting
- RTS on threat-led penetration testing
- ITS on the register of information on ICT third-party arrangements
- Supervisory guidance from ESAs
FinlexPro indexes all of these documents. You can:
- Search specific DORA requirements
- Get AI explanations of technical provisions
- Cross-reference with related regulations (MiCA, PSD2)
- Access direct links to official sources
Turn this checklist into action with comprehensive regulatory research on FinlexPro.