DORA Compliance Checklist

This checklist provides a hands-on guide for Compliance, Risk, and IT teams in financial entities navigating the reporting requirements of the Digital Operational Resilience Act (DORA), particularly focusing on the period following the initial application date of 17 January 2025 and considering the critical deadlines around mid-March 2025.

It highlights key priorities, responsibilities, and actionable steps to ensure effective and efficient compliance in line with supervisory expectations.

Actions completed by January 17, 2025

The DORA reporting implementation deadline is 17 January 2025. From this date forward, financial entities are required to comply with DORA's reporting standards.

Establish core governance and frameworks

Define and document a comprehensive ICT risk management framework.
Set and approve the digital operational resilience strategy at board/senior management level.
Define ICT risk appetite and impact tolerances, and integrate them into your framework.
Map and document all critical ICT assets and their link to essential business services, including identification of ICT risk scenarios, interdependencies, and single points of failure.

Implement ICT incident detection and response

Develop and implement clear processes to detect, classify, and manage ICT incidents.
Apply RTS-defined criteria to determine major incidents.
Establish protocols for incident notification to regulators, including timelines and required templates.
Ensure capacity to report significant cyber threats to competent authorities.

Launch digital operational resilience testing programme

Design and document a digital operational resilience (DOR) testing programme.
Include testing methods such as vulnerability assessments, scenario-based testing, and penetration testing.

Next Critical Milestones – Focus by April 2025

Implement ICT third-party risk controls and reporting

Compile and maintain a complete Register of Information (RoI) covering all ICT third-party service contracts.
Prepare the RoI submission in the required plain-CSV format and submit it to the National Competent Authority (NCA), in full compliance with the EBA’s Implementing Technical Standards (ITS), taxonomy, and Filing Rules v5.5 — including domain codes, multi-dimensional key structures, and validation logic as defined in DPM 4.0. For Banking System Integrators (SI), the format will differ - An Excel sheet will be directly collected by the European Central Bank (ECB) through the CASPER platform. Assign responsibilities for RoI data collection, validation, and timely submission.

Ensure contracts include DORA-mandated provisions: audit rights, SLAs, subcontracting disclosure, and testing participation.
Develop and maintain exit strategies for critical ICT third-party service providers. Where applicable, ensure contractual obligations include participation in resilience testing.
Perform a gap analysis of your third-party risk management approach against DORA requirements.

Ongoing and continuous actions – From 2025 onwards

Maintain and review governance structures

Review and update the ICT risk management framework at least annually (or periodically for microenterprises).
Document reviews and demonstrate alignment with business objectives and regulatory expectations.

Strengthen incident and threat management

Continuously assess and enhance your ICT incident management and classification processes.
Log and analyse incidents to improve root cause analysis and response time.
Monitor incident reporting timelines and adjust internal processes to ensure regulatory compliance.
Prepare for the standardization of incident and cyber threat reporting formats for future submissions.

Ensure quality and accuracy of RoI reporting

Implement data quality checks to ensure RoI is accurate, complete, and consistent.
Update the RoI regularly to reflect changes in third-party relationships and contract terms.
Engage with your NCA (e.g., Central Bank of Ireland, BaFin) to stay informed about updates to technical specifications or templates.

Continue digital resilience testing

Use a risk-based approach to determine the scope and frequency of testing activities.
Engage with your regulator if TLPT (Threat-Led Penetration Testing) applies to your firm.
Ensure third-party providers participate in resilience testing if they support critical services.

Participate in threat intelligence and crisis exercises

Join voluntary cyber threat information-sharing initiatives with other financial entities.
Take part in cyber crisis simulations and document key takeaways for resilience improvement.

Best practices to support all phases

Check if your institution falls under the mandatory TLPT scope (e.g. G-SIIs, O-SIIs, large payment/e-money institutions, CCPs, CSDs). Authorities may adjust scope based on systemic risk and ICT maturity.
Automate risk, incident, third-party, and RoI data collection where possible.
Train staff and assign roles for each compliance area to ensure ownership.
Monitor guidance from ESAs and NCAs to stay aligned with expectations and avoid reporting errors.

By diligently following this checklist and focusing on the underlying principles of DORA, financial entities can effectively meet their reporting obligations, enhance their digital operational resilience, and align with supervisory expectations.

Contenus similaires

Contenu

In conversation with Google Cloud — Building best practices for DORA compliance - Part 1

DORA is coming: an overview of the new regulation
Lire
Contenu

In conversation with Google Cloud — Building best practices for DORA compliance - Part 2

Regnology and Google Cloud’s collaborative approach and a practical checklist for FSIs.
Lire
Sujet réglementaire

DORA
Lire