DORA compliance checklist
DORA compliance checklist for financial entities and ICT providers: ICT risk, incidents, testing, third-party risk, registers and audit evidence.
Direct answer
A DORA compliance checklist should cover ICT risk management, incident classification and reporting, digital operational resilience testing, ICT third-party risk, contract registers, exit plans, threat-led testing where applicable, and management reporting. DORA has applied since 17 January 2025 to in-scope financial entities.
What should be on a DORA compliance checklist?
- ICT risk framework
- Incident reporting
- Third-party register
| Item | Detail |
|---|---|
| Applies from | 2025-01-17 |
| Sector | EU financial entities and critical ICT providers |
| Core pillars | ICT risk, incidents, testing, third-party risk, information sharing |
Action checklist
- Document governance, risk appetite, controls and review cadence (Articles 5-16).
- Prepare the classification and notification workflow for major ICT incidents (Articles 17-23).
- Maintain ICT provider contracts, criticality assessments, exit plans and concentration risk (Articles 28-30).
Key deadlines
| Date | Requirement | Source |
|---|---|---|
| 2025-01-17 | DORA application date: DORA became applicable across the EU financial sector. | ESMA DORA guidance |
30/60/90-day action plan
- First 30 days: confirm scope and assign an owner. Evidence needed: applicability note, business owner, systems or product list, and source links.
- Days 31-60: close the evidence gaps. Evidence needed: policies, supplier records, data maps, technical notes, training records, or process owners.
- Days 61-90: prepare for audit or customer review. Evidence needed: versioned compliance file, action log, exception register, and next review date.
Evidence to retain
- Applicability decision: shows whether DORA compliance applies and why the SME made that decision. Retain: scope memo, trigger criteria, country notes, owner approval, and review date.
- Action owner list: regulators and enterprise customers expect named accountability, not generic intent. Retain: owner, backup owner, due date, status, and unresolved blocker notes.
- Evidence folder: the fastest way to answer customer due diligence is a single audit-ready evidence file. Retain: policies, screenshots, registers, exports, supplier responses, and training records.
SME questions answered
Who needs DORA compliance?
DORA applies to many EU financial entities and establishes an oversight framework for critical ICT third-party providers.
What is the fastest DORA readiness step?
Build the ICT third-party register and map contracts, critical services, exit plans and incident contacts.
Informational only. This page is not legal advice and does not replace a qualified legal review of your business, systems, products or employment practices.