Legal Operations

The DORA Compliance Checklist: A Step-by-Step Guide for Financial Firms

A practical, step-by-step DORA compliance checklist for financial firms and their ICT providers — from gap analysis and risk management to third-party contracts, testing, and staying audit-ready.

AC
July 12, 2026
10 min read
More on this topic

A practical, step-by-step DORA compliance checklist for financial firms and their ICT providers — from gap analysis and risk management to third-party contracts, testing, and staying audit-ready.

Financial firms are under growing regulatory pressure to protect themselves against IT disruption. Because banks, insurers, and other financial entities depend on complex digital systems and external technology providers, the risk of a cyber incident is higher than ever. The Digital Operational Resilience Act (DORA) responds by setting stricter, harmonised standards that make sure financial firms can withstand — and quickly recover from — technology failures.

This article walks you through a practical DORA compliance checklist so your organisation can meet the requirements step by step. Whether you are a bank, an insurer, a technology provider, or a supervisory function, you will come away with a clear view of the scope and a checklist that runs from initial gap analysis all the way to ongoing monitoring.

Understanding DORA

DORA (Regulation EU 2022/2554) is an EU regulation designed to protect the financial sector against digital disruption. It entered into force in January 2023 and has been fully applicable since 17 January 2025. It ensures that banks, investment firms, insurers, payment institutions, and other financial entities can keep operating even through major IT disruptions — shifting the regulatory focus from financial stability alone to operational resilience in an increasingly digital world.

Start with the basics: for a plain-language overview of what DORA is, who it covers, and the key deadlines, see our guide to the DORA regulation. To understand how an audit actually plays out, read our DORA compliance guide.

Who must comply?

DORA has broad reach, capturing roughly 22,000 organisations across the financial and technology sectors.

Financial entities in scope:

  • Banks and credit institutions
  • Insurance and reinsurance companies
  • Fund managers (AIFMs, UCITS management companies)
  • Crypto-asset service providers
  • Payment processors and e-money institutions
  • Trading venues and market operators
  • Central securities depositories (CSDs) and central counterparties (CCPs)
  • Investment firms and financial intermediaries
  • Pension funds and credit rating agencies

ICT service providers:

  • Cloud computing providers
  • Core banking and financial software vendors
  • Data analytics and cybersecurity providers
  • Hosting services and data centres

DORA also creates an EU-wide oversight framework for ICT third-party providers that regulators designate as "critical". Supervisory authorities (EBA, ESMA, EIOPA, and national regulators) enforce compliance and oversee those critical technology suppliers.

Why compliance matters

DORA compliance is essential for three reasons — legal, operational, and reputational:

  • Legal obligation. DORA is legally binding across the EU, and serious breaches can attract fines of up to 2% of total annual worldwide turnover.
  • Stronger operations. Continuous risk monitoring, incident-response planning, and resilience testing help you avoid cyberattacks, IT outages, and service interruptions.
  • Reputation and trust. Demonstrating that you take security and stability seriously builds confidence with customers and regulators — and avoids the reputational damage a major IT incident brings.

Key terms to know

  • ICT risk: any technology-related threat that could disrupt your operations — cyberattacks, system failures, data breaches, anything that endangers the security or availability of your IT systems and data.
  • Critical or important functions: activities essential to a firm's stability, where disruption would materially affect operations or customers (for example, online banking, or transaction processing for a payments firm). These get extra protection and closer supervision.
  • Major ICT-related incidents and reporting: DORA sets strict reporting rules. A significant incident often requires an initial notification within hours, an intermediate report within days, and a final report within a month — so you need a clear process to detect, assess, and report incidents on time.

The DORA compliance checklist: step by step

Compliance can feel daunting, but breaking it into manageable steps makes it clear and actionable. The seven steps below take your organisation from preparation through implementation to ongoing compliance.

1. Assess your current compliance status

Start by benchmarking your current state against DORA's core requirements. Assemble a cross-functional team (IT, cybersecurity, compliance, operations) to run a gap analysis. Confirm you have, for example, a solid inventory of critical business services and clearly documented incident-escalation procedures. Review your existing security controls, audit findings, and any informal processes that need more structure. A thorough baseline surfaces the high-risk gaps that need immediate attention.

2. Map the regulatory requirements

Translate DORA into specific obligations for your entity. Work through each area — ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing — and outline the compliance practices each demands. Where possible, fold these into frameworks you already run, such as ISO/IEC 27001, PSD2, or EBA guidelines. For instance, if you already have an incident-response policy, make sure it now covers DORA's external reporting obligations and deadlines.

3. Build a comprehensive risk-management framework

Upgrade your ICT risk management to DORA's standard: identify your main risks (cyberattacks, technology failures, third-party weaknesses), assess their impact on critical services, and define mitigation strategies such as access controls, network monitoring, and incident playbooks. Make sure the framework addresses third-party risk by evaluating provider resilience and requiring incident reporting in contracts — with senior management holding oversight.

4. Implement resilience and recovery strategies

DORA mandates thorough testing — vulnerability assessments, penetration tests, and scenario-based disaster-recovery exercises. Test backups regularly against your recovery-time objectives, and eliminate single points of failure by using multiple data centres or redundant network providers. Refine your resilience strategies continuously based on test results and real incidents.

5. Set up ongoing monitoring and reporting

Compliance is continuous, not a one-off. Deploy real-time detection tools (such as SIEM) to catch anomalies early, and track key indicators like incident frequency, response times, and provider SLA performance. Schedule regular internal audits, report clearly to leadership and regulators, and consider joining industry information-sharing groups to stay ahead of emerging threats.

6. Ensure effective governance and oversight

DORA puts accountability at the top. Management and the board must formally approve the ICT risk-management framework, review resilience metrics regularly, and stay informed about critical incidents. Assign clear roles for risk assessments, incident escalation, and vendor management, and give third-party oversight the attention DORA's scrutiny of critical ICT providers demands.

7. Document everything and prepare for audits

Keep detailed records to prove compliance: policies and risk assessments, test results and incident logs, and minutes capturing key compliance decisions. Store evidence — like backup drills and access reviews — securely and retrievably, and run mock inspections to test your audit readiness. Proper documentation is the strongest evidence of your commitment to digital resilience.

Contracts are where much of this is decided. Steps 3 and 6 both hinge on your ICT third-party agreements. For what a compliant contract must contain, and how to bring existing ones up to standard, see contract compliance management.

Best practices for staying DORA-compliant

Reaching compliance by the deadline is only half the job; sustaining it as threats and your business change is the next challenge. Treat compliance as a continuous cycle rather than a project with an end date.

1AssessGap analysisagainst DORA2ImplementClose gaps,fix contracts3MonitorTrack KPIs,audit, report4ReassessRe-run yearlyor on change
  • Keep policies and plans current. Review ICT risk policies, incident-response plans, and continuity plans at least annually — or whenever your IT environment changes materially (a new cloud service, a regulatory clarification).
  • Train continuously. Run general awareness training for all staff, targeted workshops for IT teams, and regular incident-response drills. Build compliance into onboarding.
  • Use technology to your advantage. Incident-management systems auto-generate reports and notify regulators; risk-assessment tools continuously scan for vulnerabilities; third-party risk platforms monitor provider security; and contract-management tools centralise agreements, automate renewals, and track obligations.
  • Stay on top of regulatory updates. European regulators will keep issuing new guidance and technical standards — follow announcements, subscribe to compliance newsletters, and join operational-resilience working groups.
  • Collaborate and share information. DORA encourages sharing intelligence on cyber threats. Learning from others' incidents and joining sector-wide simulations strengthens the whole industry's resilience.
  • Reassess regularly. Revisit this checklist annually or after major business change, running small gap analyses so you do not silently drift out of compliance.

How contract management supports the checklist

Several steps above — third-party risk (step 3), governance (step 6), and audit-ready documentation (step 7) — depend on how well you manage your ICT provider contracts. A single financial firm can hold hundreds of supplier agreements, signed at different times under different templates. Proving to an auditor that every critical-provider contract meets DORA's requirements, and finding the ones that do not, is exactly what a structured contract-management approach is built for: a central, searchable repository with obligation tracking, audit trails, and automatic reminders for every renewal, review, and reporting date.

Frequently Asked Questions

What is a DORA compliance checklist?

A DORA compliance checklist is a structured, step-by-step list of the actions a financial firm must take to meet the Digital Operational Resilience Act — typically covering gap analysis, ICT risk management, resilience testing, third-party contracts, ongoing monitoring, governance, and audit documentation.

When did DORA become mandatory?

DORA entered into force on 16 January 2023 and has been fully applicable since 17 January 2025. Firms are now expected to be compliant and audit-ready.

Who does the DORA checklist apply to?

It applies to the roughly 22,000 EU financial entities in scope — banks, insurers, investment firms, payment institutions, crypto-asset service providers, and others — as well as the critical ICT third-party providers that serve them.

What are the main steps to DORA compliance?

Assess your current state, map DORA's requirements to your obligations, build a risk-management framework, implement resilience and recovery measures, set up ongoing monitoring, ensure board-level governance, and document everything for audits.

How do contracts fit into DORA compliance?

DORA (Article 30) sets minimum contractual requirements for ICT third-party arrangements — audit rights, incident reporting, security and availability standards, and exit strategies. Bringing every critical-provider contract up to that standard, and keeping the evidence audit-ready, is a core part of the checklist.

Ready to make your contracts DORA-ready? With top.legal, financial firms store, search, and monitor every ICT provider agreement in one place — with audit trails, obligation tracking, and automatic reminders for every deadline.

Book a free demo

Ready for the next step?

Book a demo with our team and see top.legal in action

More on the topic