An actionable DORA compliance checklist for financial entities

As of January 17, 2025, all financial entities and their information and communication technology (ICT) service providers catering to EU entities must comply with the Digital Operational Resilience Act (DORA).

‍

If you’re new to the regulation, you can reduce the potential overwhelm caused by its various requirements by using a concise compliance checklist. To help, we’ve created a robust guide that covers everything you should know, including:

• DORA applicability criteria
• The regulation’s key requirements
• An actionable DORA compliance checklist with the key steps you need to take

‍

Who needs DORA compliance?

DORA is aimed specifically at EU-based financial entities and ICT service providers. The following table provides examples of both:

‍

While financial entities affected by DORA are limited to those operating in the EU or serving EU customers, ICTs must comply with the regulation regardless of location if they provide services to EU-based financial organizations.

‍

{{cta_withimage22="/cta-blocks"}}

‍

5 key compliance requirements of DORA

While DORA mandates various security controls and procedures, the most important requirements are the regulation’s five pillars:

‍

1. ICT risk management
2. ICT-related incident management
3. Digital operational resilience testing
4. ICT third-party risk management
5. Information sharing

‍

Out of the five, information sharing is the only voluntary aspect. You are required to comply with the requirements outlined in the other four pillars. As all of them are comprehensive and call for specific actions, a reliable checklist can help you streamline the compliance process and keep you focused on the main deliverables.

‍

A 9-step DORA compliance checklist to follow

Before starting the DORA compliance process, you should determine the regulation’s scope and applicability to your organization. The best way to do this is to refer to DORA’s Article 2 to check whether your organization is impacted by it based on your services and location.

‍

If your organization must adhere to DORA, here are the baseline steps you can follow to get closer to full compliance:

‍

1. Outline the management’s responsibilities
2. Perform a gap analysis
3. Develop a remediation plan
4. Inventory your third-party ICT providers
5. Adopt a third-party risk management framework
6. Conduct digital operational resilience testing
7. Build an ICT business continuity policy
8. Define an incident response plan
9. Begin the attestation process

‍

Step 1: Outline the management’s responsibilities

DORA’s Article 5 requires organizations to establish effective governance of the compliance procedures and processes, especially those related to ICT risk management. It also designates the organization’s management body as the authority in charge of defining, approving, and overseeing those processes.

‍

DORA’s Article 5 outlines additional responsibilities of the organization’s board, most notably:

‍

• Being ultimately accountable for the entity’s ICT risk management
• Establishing clear roles and responsibilities related to ICT risk management processes
• Approving, overseeing, and periodically reviewing the entity’s business continuity plan, as well as incident response and recovery plans
• Allocating and reviewing the budget for digital operational resilience endeavors

‍

After the board scopes its key obligations, it can plan the task flows accordingly and define the policies, processes, and procedures necessary to ensure effective ICT risk management and other implementation tasks.

‍

Step 2: Perform a gap analysis

After reviewing DORA’s key requirements, you should perform a security review to determine the current state of your ICT system and overall security posture. You can then perform a gap analysis to see how close you are to full compliance.

‍

Some of the key security aspects to focus on include:

‍

• Access management policies
• Information security processes, roles, and responsibilities
• Security vulnerabilities
• Exposure to third-party risks (specifically related to ICTs)

‍

A robust gap analysis requires considerable time and effort, especially if you do it manually. To avoid extensive laborious work, you should automate your security reviews and related workflows using dedicated software.

‍

{{cta_withimage3="/cta-blocks"}}

‍

Step 3: Develop a remediation plan

Once you’ve identified all the relevant DORA compliance gaps, you need to devise a plan for bridging them. Your gap remediation strategy and timeline will depend on your current security standing, as well as the resources you need to plan for deploying new technology and updating existing policies.

Still, due to DORA’s overarching goals, there are a few areas where you’ll likely focus most of your remediation efforts:

‍

• Threat prevention, detection, and remediation processes
• Third-party risk management (TPRM) controls and processes
• Incident response, notification, and recovery procedures

‍

If your remediation plan contains numerous action items, you may have to structure them over a longer timeframe. What matters is having a clear roadmap for ensuring DORA compliance and minimizing guesswork for individual team members.

‍

Step 4: Inventory your third-party ICT providers

DORA requires financial entities to map all dependencies with their third-party ICT providers. This helps your organization understand how incidents on an ICT service provider's end may affect you, allowing you to anticipate and remediate them effectively.

‍

To create effective mappings, start with a robust inventory of your ICT providers. Ensure the inventory includes all systems and processes directly impacted by the provider’s services.

‍

Another important DORA requirement is to identify “critical” ICT providers. Criticality is determined by various factors outlined in Article 31, most notably:

‍

• Impact on the quality, stability, and continuity of the financial entity’s services
• An entity’s reliance on the ICT provider when it comes to the provision of key services
• An ICT provider’s substitutability

‍

Step 5: Adopt a third-party risk management framework

The primary purpose of making an inventory of ICT vendors and identifying the critical ones is to manage the risk they expose you to, for which you need a TPRM framework. Developing such a framework is required under DORA’s Article 6, so you need to formalize your risk management processes if you haven’t already.

‍

As per the Article, your framework must include the strategies, tools, policies, procedures, and ICT protocols used to protect your organization’s assets from ICT risks. Once defined, these components must be documented and reviewed annually to account for any changes in your organization’s risk landscape.

‍

Under Article 16, some organizations are eligible for a simplified risk management framework. Examples of such organizations include:

‍

• Small and non-interconnected investment firms
• Institutions exempt under Directive 2013/36/EU
• Payment institutions exempt under Directive (EU) 2015/2366

‍

Step 6: Conduct digital operational resilience testing

DORA requires your ICT risk management program to include comprehensive digital operational resilience testing that provides insights into your preparedness for ICT-related incidents and your organization’s vulnerabilities and gaps.

‍

Your testing program can include various procedures, such as:

‍

• Vulnerability scans
• Network security assessments
• Open source analyses
• Physical security reviews
• Security questionnaires

‍

DORA also requires threat-led penetration testing (TLPT) at least once every three years. The test needs to cover some or all of your critical functions and may be required more frequently, depending on your risk profile.

‍

Step 7: Build an ICT business continuity policy

While you may already have a business continuity plan, DORA requires you to enrich it with an ICT-related business continuity policy that includes all the relevant arrangements, procedures, plans, and mechanisms.

‍

Besides ensuring operational continuity, such a policy aims to help you effectively respond to incidents and execute containment and remediation plans.

‍

If you already have a comprehensive incident response plan, you may only need to update or add the relevant DORA-specific controls and processes. Once developed, ICT business continuity plans and ICT response and recovery plans must be reviewed annually.

‍

Your internal documentation practices also play an important role in meeting this requirement. Make sure to maintain robust documentation to have easy access to records of disruptions and resulting remediation actions.

‍

{{cta_withimage22="/cta-blocks"}}

‍

Step 8: Define an incident response plan

DORA obligates financial entities to report any major ICT-related incidents to a competent authority. Competent authorities vary among entities, so refer to Article 46 to understand which competent authority is designated for your organization.

‍

As part of the reporting process, you must submit the following three notifications:

‍

1. The initial notification of an incident
2. An intermediate report once the status of the incident has changed significantly
3. The final report as soon as you’ve completed the root cause analysis (whether or not you’ve implemented any remediation measures)

‍

If the incident impacts a client’s financial interest, the entity is also obligated to notify the client as soon as it becomes aware of it.

‍

All these notification and reporting processes should be structured in your incident response plan. Make sure to account for all the relevant notices and additional obligations regarding effective reporting.

‍

Step 9: Begin the attestation process

DORA isn’t a certifiable regulation yet, so there’s no formal audit or third-party attestation process—compliance involves self-attestation according to the regulation’s requirements. After implementing all the relevant processes, policies, and procedures, you can assess the in-scope system and functions to ensure adherence to DORA’s standards.

‍

Even though the compliance process requires a self-assessment, third-party oversight will be conducted ongoingly by the following three European Supervisory Authorities (ESAs):

‍

1. European Banking Authority (EBA)
2. European Insurance and Occupational Pensions Authority (EIOPA)
3. European Securities and Markets Authority (ESMA)

‍

How to meet DORA’s requirements more effortlessly

Due to DORA’s robust nature, the compliance activities that follow are usually extensive. You need a dedicated compliance team to oversee the process and ensure smooth remediation where necessary. Additionally, you’ll have to put procedures in place to ensure continuous compliance, especially to account for changes in DORA requirements or your risk profile.

‍

Without streamlining the compliance process, you’ll likely run into inefficiencies that can put unnecessary pressure on security and compliance teams. Such inefficiencies can be particularly visible in the following processes:

‍

• Security reviews
• Evidence collection
• Vendor inventory maintenance

‍

To improve workflow efficiency, it’s best to use a capable software solution that automates such repetitive tasks throughout the compliance process.

‍

Get—and stay—DORA compliant with Vanta

DORA compliance is complex spanning risk management, incident response, business continuity, and third-party risk oversight. Vanta is a comprehensive Trust Management Platform that helps you manage it all in one place. 

‍

As your DORA compliance partner, Vanta:

‍

• Comes with a comprehensive DORA compliance checklist that breaks down requirements into actionable steps so that your team always knows what to do next
• Provides 200+ re-built document and policy templates mapped to DORA’s key requirements including ICT risk, third-party risk, and operational resilience
• Automates up to 50% of DORA requirements leveraging 375+ integrations and pre-built control tests
• Cross-maps controls with existing frameworks like SOC 2, ISO 27001, and GDPR helping you reuse work and avoid duplication
• Streamlines vendor management by identifying, classifying, and assessing third-party ICT providers including shadow IT
• Supports ongoing compliance through real-time tracking, centralized dashboards, and automated evidence collection and evaluation
• Guides you every step of the way with help from Vanta’s in-house experts and partner ecosystem of DORA-specialized auditors 

‍

And it’s not just software—Vanta provides expert at support every step of the way, including:

‍

• A Customer Success Manager to guide your rollout and ongoing program
• Access to subject-matter experts who specialize in EU regulatory frameworks like NIS 2
• A global partner network of consultants and auditors for additional support if you need it
• The shared insight and scale of 12,000+ customers across industries and regions

‍

Vanta supports you throughout the DORA compliance process and also helps with ongoing monitoring to maintain compliance. It also offers an extensive partner network you can leverage to find security and compliance experts for additional guidance.

‍

Vanta can help you get DORA-ready in as little as six to ten weeks, although the effective duration would depend on the maturity of your compliance program.

‍

Schedule a custom product demo to see Vanta’s DORA product in action and experience its features firsthand.

‍

{{cta_simple27="/cta-blocks"}} ‍

‍

A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.