The Digital Operational Resilience Act is now live across the EU, and regulators aren’t messing around. If you’re in financial services – whether you run a traditional bank or provide crypto services – or if you’re one of the tech partners keeping those operations running, you need to prove resilience under stress, not just talk about it. That responsibility doesn’t stop at your firewall. Under DORA, your operational resilience is only as strong as your weakest cloud provider, SaaS vendor, or third-party ICT service. If you’re looking for a clear DORA compliance checklist that actually makes sense, you’re in the right place.
For most organizations, the problem is the sheer complexity. Your internal systems change constantly. Integration maps evolve weekly. Supplier dependencies shift. Contracts get updated. Subcontractor chains grow longer. What looked clean and organized last quarter can turn into a compliance blind spot by next month.
DORA raises the bar with testable requirements that cover everything from how you manage risk to how you test your defenses and oversee vendors. These aren’t optional suggestions – they’re enforceable standards that apply across entities and borders.
This guide provides a complete DORA compliance checklist you can use to build your program. We’ll break down the regulation’s pillars, explain why manual approaches don’t work, and walk you through a step-by-step plan to make DORA part of your day-to-day workflows. Think of it as your blueprint to get executive buy-in, upgrade your controls, and prove continuous compliance.
What is the Digital Operational Resilience Act (DORA)?
DORA – officially Regulation (EU) 2022/2554 – creates a single, directly applicable framework to strengthen the digital operational resilience of EU financial entities and their ICT service providers. In plain terms, it requires you to identify, protect, detect, respond to, and recover from ICT-related disruptions. And you need to prove that capability to supervisors through tests, metrics, and timely reporting.
The regulation casts a wide net. It applies across the entire financial sector – from traditional banking and insurance to emerging payment technologies and market infrastructures. It also extends obligations to ICT third-party service providers that support those entities, with even stricter oversight for critical providers.
DORA’s goal is straightforward: keep essential financial services running even during severe operational shocks. It does this by setting uniform, enforceable standards for resilience across the entire sector and its supply chain.
The 5 Pillars of DORA Compliance
DORA’s requirements are organized into five pillars that work together as a continuous lifecycle. You need to stay on top of your ICT risks while detecting incidents early, testing your defenses regularly, and keeping a sharp eye on vendor relationships – all while sharing intelligence that helps everyone spot threats faster.
Let’s break down what each pillar actually demands in practice.
Pillar 1: ICT Risk Management
DORA wants you to build a documented ICT risk management framework that your management team actually approves, and your people actually use every day. This isn’t a binder that sits on a shelf. It’s a living system that defines your risk tolerance, assigns clear ownership, and weaves together your policies for protection, detection, response, and recovery.
You also need to continuously map your critical or important functions and all the ICT assets, data, and dependencies that keep them running. That means understanding every connection point in your infrastructure, whether it’s an internal integration or a service running across borders. Think of it like maintaining a real-time blueprint of your entire operation – one that shows you exactly what’s connected to what, so when something breaks, you know exactly where to look and who needs to act.
Pillar 2: Incident Management and Reporting
This is where things get tight. You’re required to classify ICT incidents using standardized criteria and report major incidents on strict timelines. Under the current rules, you’ve got four hours to send an initial notification once you’ve classified an incident as major. Then you’ve got 72 hours for an intermediate update and one month for a final report.
That means you need clear playbooks, defined accountability, and tools that can capture facts fast, keep evidence synchronized, and maintain direct communication with your competent authority. If personal data is involved, you’ll also need to coordinate DORA and data-protection notifications separately – don’t try to blend them into one.
Pillar 3: Digital Operational Resilience Testing
DORA doesn’t want you running the same generic security tests year after year. You need a proportionate testing program that includes:
- Vulnerability assessments
- Configuration reviews
- Backup and restore exercises
- Disaster recovery drills
- Scenario-based tests
And if your supervisor designates you, you’ll need to run advanced threat-led penetration testing against live production systems at least every three years. This isn’t your standard pen test. Threat-led testing follows TIBER-EU principles – it focuses on your critical functions, uses current threat intelligence, relies on qualified teams, and doesn’t stop until you’ve verified remediation. In other words, it’s designed to show you exactly how a real attacker would move through your systems.
Pillar 4: ICT Third-Party Risk Management
This is where DORA really digs into your vendor relationships. You need to keep a detailed register of every ICT service contract. That means doing your homework before you bring a new provider on board and keeping tabs on them (and their subcontractors) once they’re in. If a service is critical or important, your contract has to cover everything from audit rights to exit planning, with clear terms on data sovereignty and what happens when the relationship ends. And if a provider gets tagged as critical at the EU level? You’re looking at even more oversight obligations.
Pillar 5: Information and Intelligence Sharing
DORA wants you to share what you’re seeing with other financial entities. When you swap cyber threat intelligence in a trusted community (with the right safeguards for confidentiality, competition law, and data protection), everyone gets better at spotting trouble early. Think of it like this: if one bank sees a new attack pattern, sharing that with others means the whole ecosystem can tighten defenses faster. You’re trading real-world intelligence that helps everyone cut detection and response times while attackers are still developing their playbooks.
Why Manual Processes Fail in DORA Compliance
DORA exposes just how outdated spreadsheet-based governance really is. When your data is scattered across files, and your team is manually piecing together dependency maps, contract clauses, sub-outsourcing chains, and incident evidence, you’re creating blind spots in the exact areas regulators are watching. Case in point: in the European Supervisory Authorities’ 2024 dry run of the Register of Information, 93.5% of firms failed at least one data quality check. The most common problem? Basic information about ICT providers was either missing or incomplete. This is what happens when supplier and subcontractor data lives in email threads instead of a connected system.
Bottom line, managing third-party ICT risks across countries, entities, and regulators is simply unworkable without connected systems. You need tools that pull data automatically, validate it against standard templates, orchestrate workflows, and give everyone a single view of vendor risk. Without that backbone, your team wastes time hunting for basic facts instead of actually managing risk. And you’ll fall behind on the timelines and traceability DORA demands.
The Ultimate DORA Compliance Checklist
Use this step-by-step checklist to structure your work, align your teams, and show real progress. Each step builds the capability you need for continuous, audit-ready compliance.
Step 1: Conduct a Comprehensive Gap Analysis
Start here. Compare your current security posture against DORA’s requirements and the technical standards that support them.
You’ll need to review:
- Governance elements like board approval, role definitions, and training programs
- Asset inventories and dependency maps
- Incident classification and reporting playbooks
- Testing coverage across your systems
- Third-party due diligence processes
- Contractual clauses and exit plans for critical vendors
A focused gap analysis shows you exactly where controls are missing, where processes exist but lack documentation, and where vendor oversight is weak. Score your findings by business impact and regulatory risk. That gives you a clear, executable remediation plan your teams can actually follow.
Step 2: Inventory Critical ICT Assets and Vendors
DORA requires an accurate, up-to-date register of every ICT service and provider that supports your critical or important functions. Think of this as building a complete map of your digital infrastructure.
Your inventory should include:
- Software and hardware
- Data flows and APIs
- Cloud services
- The third parties behind each one
Classify each asset and vendor by criticality, then map the dependencies between them. When an incident happens, you’ll know exactly what’s affected and how to contain it quickly.
The key is to connect this inventory to your CMDBs, contract repositories, and identity systems. That keeps ownership details, locations, and access models in sync without manual updates.
Step 3: Upgrade Incident Response Workflows
Classification and clock start to trip up more teams than you’d think. You need to define clear thresholds for major incidents, lockdown decision rights, and build a single escalation path that fires off all required notifications automatically. No guessing, no delays.
Set up your alerts to trigger updates whenever something material happens – whether it’s containment progress, a shift in impact, confirmed data loss, or the moment a service comes back online. Your compliance authority needs to know about these events within DORA’s tight windows, so make sure those notifications go out on time, every time.
And don’t forget the dashboard, because you want one unified view that brings together your logs, evidence, and timeline in a way that tells the complete story. This isn’t just about surviving the incident. It’s about building a clean record for post-incident reviews and proving you handled everything by the book. Map DORA timelines right alongside your internal SLAs so when an event hits, nothing slips through the cracks.
Step 4: Implement Continuous Resilience Testing
Periodic checks won’t cut it anymore. You need a steady, evidence-rich testing rhythm that keeps your defenses sharp.
Here’s what that looks like:
- Regular backup verification and restore tests to prove your data recovery actually works
- Disaster recovery exercises focused on your critical and important functions
- Rolling vulnerability scans with clear remediation tracking
If you’re subject to threat-led penetration testing, plan out a three-year cycle. Root it in current threat intelligence and scope it to your most business-critical processes and systems. This isn’t a box-ticking exercise – it’s about finding real weaknesses before attackers do.
Automated testing tools take a huge load off your team’s shoulders. And when you keep everything in a centralized register – tests, results, fixes – you can show auditors exactly what you’ve done without scrambling to pull reports together at the last minute.
Step 5: Automate Vendor Risk Management
Point-in-time questionnaires can’t keep pace with DORA’s expectations, and they definitely can’t keep pace with how fast your vendor landscape changes.
You need continuous monitoring. That means validating provider controls, contract clauses, service locations, and sub-outsourcing changes as they happen – not six months later when you remember to send out another spreadsheet.
Build workflows that enforce due diligence before you sign anything, require approvals when vendors bring on subcontractors, and keep your register of information current without constant manual updates. Automate checks for the contractual terms DORA cares about – everything from audit rights to exit planning and how smoothly you can transition away if needed. If a vendor doesn’t meet the standard, you’ll know immediately.
Track remediation actions against hard deadlines. When obligations start to drift, that’s when risk piles up. Automation keeps everything on rails, so you’re not chasing down vendors or scrambling to close gaps right before an audit.
Step 6: Define Board and Governance Responsibilities
DORA puts your management body on the hook for ICT risk. That’s not just a formality – it’s a mandate. So you need to make governance real. Build a calendar that brings leadership through the critical decisions: approving your ICT risk strategy, setting tolerance levels, reviewing performance against those benchmarks, and signing off when major tests or incidents require attention. And don’t stop there. Run regular executive training on ICT risks and bring together the teams that make this work – security, legal, procurement, operations – so everyone knows who owns what.
When leadership shows fluency and follow-through, the rest of your program moves faster and holds up under supervisory scrutiny. It’s that simple.
Navigating the DORA Compliance Checklist
A structured checklist turns DORA from a legal text into an operating model. It brings order to cross-team work, reduces rework, and makes your results measurable. When you can show supervisors a well-organized picture of your assets, vendors, incident protocols, test history, and contract terms, they see a program that’s resilient by design – not by exception.
The final accelerator? Tooling. Systems that pull data automatically, validate it against standard templates, and keep workflows connected replace the fragile handoffs and spreadsheet sprawl that slow everything down. That shift matters beyond compliance. It reduces outage impact, cuts supplier surprises, and strengthens recovery under pressure. Better resilience protects your organization and the broader financial system it serves.
Panorays helps you operationalize third-party oversight that aligns with DORA by centralizing vendor risk workflows and making assessments adaptable to each relationship. As a leading provider of third-party cyber risk management solutions, Panorays delivers AI-powered assessments that stay relevant as conditions change and provides actionable remediations to reduce exposure over time. Our focus on compliance and regulations, including DORA, reflects a broader commitment to helping teams keep a clear picture of their third-party posture as they scale. The mission is simple: reduce supply chain cyber risk so companies can do business together with greater confidence and speed.
Ready to see how Panorays can support your DORA program with continuous visibility and audit-ready evidence across your vendor ecosystem? Book a personalized demo.
DORA Compliance FAQs
-
Entities across the EU financial sector are in scope: banks, insurers, investment firms, payment and e-money institutions, market infrastructures, and more. ICT third-party service providers that support them are also covered. If a provider is designated critical, they face heightened, EU-level oversight.
-
National competent authorities can impose administrative measures and penalties that are effective, proportionate, and dissuasive. For critical ICT third-party providers, the EU framework allows periodic penalty payments of up to 1% of average daily worldwide turnover for continued non-compliance. Beyond fines, authorities can mandate corrective actions, publish decisions, and restrict certain activities until you fix the deficiencies.
-
Automation unifies scattered data and enforces repeatable workflows. The right tools sync your asset and vendor inventories, validate register fields against standard templates, track contract terms and sub-outsourcing approvals, orchestrate incident timelines, and centralize your testing plans and remediation efforts. You get real-time visibility and audit-ready evidence while reducing effort and improving control quality.
