
Digital Operational Resilience Act

Checklist for DORA Compliance

The Digital Operational Resilience Act (DORA) sets strict new requirements for how financial entities in the EU manage ICT risks—especially those involving third-party service providers. As of January 2025, compliance is no longer optional. This checklist offers ICT professionals, compliance teams, and consultants a practical, article-by-article starting point for becoming DORA-compliant.

Each of the 14+1 steps is mapped to a specific DORA article and explains in plain language what you need to do to “check the box”. The checklist covers:

  • Governance, board-level oversight, and reporting
  • ICT risk frameworks and internal audits
  • Asset inventories and security policies
  • Incident management and regulatory reporting
  • Business continuity planning and resilience testing
  • Third-party ICT risk management and Article 28 compliance
  • Optional ICT insurance coverage

The intended audience of this guide is ICT professionals and other people helping financial companies comply with DORA. 

Download our DORA Compliance Checklist

Submit your contact details and you will get instant access to the DORA Compliance Checklist.