The DORA Compliance Checklist cover image
Guide / ReportDORA

The DORA Compliance Checklist

Written by
No items found.
Reviewed by
No items found.

Accelerating security solutions for small businesses 

Tagore offers strategic services to small businesses. 

A partnership that can scale 

Tagore prioritized finding a managed compliance partner with an established product, dedicated support team, and rapid release rate.

Standing out from competitors

Tagore's partnership with Vanta enhances its strategic focus and deepens client value, creating differentiation in a competitive market.

As of January 17, 2025, all financial entities and their information and communication technology (ICT) service providers catering to EU entities must comply with the Digital Operational Resilience Act (DORA).

If you’re new to the regulation, you can reduce the potential overwhelm caused by its various requirements by using a concise compliance checklist. To help, we created this guide that covers everything you should know, including:

  • DORA applicability criteria
  • The regulation’s key requirements
  • An actionable DORA compliance checklist with the key steps you need to take

Who needs DORA compliance?

DORA is aimed specifically at EU-based financial entities and ICT service providers. The following table provides examples of both:

Entity Examples
Financial entities
  • Payment and credit institutions
  • Electronic money institutions
  • Investment firms
  • Insurance companies
  • Trade repositories
ICT service providers
  • Cloud providers
  • Network security companies
  • IT consulting firms
  • Managed IT service providers
  • Help desk service providers

While financial entities affected by DORA are limited to those operating in the EU or serving EU customers, ICTs must comply with the regulation regardless of location if they provide services to EU-based financial organizations.

5 key compliance requirements of DORA

While DORA mandates various security controls and procedures, the most important requirements are the regulation’s five pillars:

  1. ICT risk management
  2. ICT-related incident management
  3. Digital operational resilience testing
  4. ICT third-party risk management
  5. Information sharing

Out of the five, information sharing is the only voluntary aspect. You are required to comply with the requirements outlined in the other four pillars. As all of them are comprehensive and call for specific actions, a reliable checklist can help you streamline the compliance process and keep you focused on the main deliverables.

Your DORA compliance checklist: 9 key steps

Before starting the DORA compliance process, you should determine the regulation’s scope and applicability to your organization. The best way to do this is to refer to DORA’s Article 2 to check whether your organization is impacted by it based on your services and location.

If your organization must adhere to DORA, here are the baseline steps you can follow to get closer to full compliance:

{{dora="/checklists"}}

Access Review Stage Content / Functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” employee accounts that have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail
Logo of incident.io
Incident.io
Logo of Lumos
Lumos
Icepanel logo on a white background.
IcePanel
Epsilon Logo
Epsilon3
The logo for supabase.
Supabase
EasyLLama Logo
EasyLlama
Qualifi Logo
Qualifi
Logo of toku
Toku
FEATURED VANTA RESOURCE

The ultimate guide to scaling your compliance program

Learn how to scale, manage, and optimize alongside your business goals.

DOWNLOAD FOR FREE

Table of contents

No titles!

Share this article

Share this article

Related Resources

Vendor Risk Management
Events

Demo: Navigating Third-Party Risk Through Vanta’s Vendor Risk Management

Register for our product demo that will showcase Vanta’s Vendor Risk Management Solution.

eBook: Fortifying Fintech: Security Must-Haves for APAC’s Trailblazers cover image
Compliance
Guide / Report

eBook: Fortifying Fintech: Security Must-Haves for APAC’s Trailblazers

Get our free guide to the biggest trends and challenges that fintechs face, how they can streamline security, and why good security means good business

Compliance
Blog

The founder’s guide to accelerating growth with compliance

Compliance isn’t just a box to check when a customer asks to see a SOC 2 report. It’s a revenue accelerator for your startup. Find out how security compliance opens new doors to growth.

UK Cyber Essentials Checklist cover image
Cyber Essentials
Guide / Report

Cyber Essentials UK Checklist

Our Cyber Essentials checklist outlines how to comply with the Cyber Essentials requirements and secure your organisation’s IT infrastructure.

Related Resources

DORA Compliance Checklist cover image
DORA
Guide / Report
DORA Compliance Checklist

Get the clarity you need to navigate DORA—and the structure to act on it with our step-by-step checklist.

DORA
Blog
DORA and NIS 2: Importance and key differences explained

Learn about the importance of complying with DORA and NIS 2 to avoid security threats and regulatory disruptions.

Get compliant and build trust—fast

Request a demo
G2 Badge 2025 - Best Software | Top 50 Governance, Risk, & Compliance ProductsG2 Badge 2025 - Best Software | Top 50 Security ProductsG2 Badge 2025 - Best Software | Top 100 Best Software Products