DORA Compliance Checklist
This DORA compliance checklist covers every requirement across the five pillars, mapped to the relevant articles of Regulation (EU) 2022/2554. Use it to scope your programme, assign owners, and track evidence. The full checklist is available as a free downloadable PDF and spreadsheet below.
DORA Compliance Checklist
Every requirement across all five DORA pillars, mapped to the relevant articles. Formatted PDF plus an editable XLSX tracker with status columns.
Enter your details to unlock the download
Version 2026-07 · updated 2026-07-10
Pillar 1, ICT risk management (Article 6)
- Documented ICT risk-management framework approved by the management body.
- ICT risk tolerance defined and linked to business strategy.
- Inventory and classification of ICT-supported business functions and assets.
- Protection and prevention controls (access management, encryption, patching).
- Continuous monitoring and anomaly-detection mechanisms in place.
- ICT business-continuity policy and disaster-recovery plans, tested regularly.
- Backup, restoration, and recovery procedures with defined RTOs/RPOs.
- Post-incident review process feeding lessons back into the framework.
- Board-level ICT knowledge and training maintained.
Pillar 2, ICT-related incident reporting (Articles 17–23)
- Process to detect, log, and manage all ICT-related incidents.
- Classification methodology aligned to the RTS criteria (clients affected, duration, data loss, economic impact).
- Procedures to identify major incidents that trigger reporting.
- Templates and channels for initial, intermediate, and final reports to the competent authority.
- Timelines and escalation paths documented and rehearsed.
- Optional process for voluntary reporting of significant cyber threats.
Pillar 3, Digital operational resilience testing (Articles 24–27)
- Risk-based testing programme covering all ICT systems supporting critical or important functions.
- Annual testing of critical systems (vulnerability assessments, scans, scenario tests).
- Process to remediate and re-test findings.
- Threat-led penetration testing (TLPT) scheduled at least every three years (significant entities).
- Independent, qualified testers engaged where required.
Pillar 4, ICT third-party risk management (Articles 28–30)
- Register of information covering all ICT third-party arrangements maintained and reportable.
- Pre-contract due diligence and concentration-risk assessment.
- Mandatory contractual provisions (access, audit, exit strategy, sub-outsourcing, service levels).
- Ongoing monitoring of third-party performance and risk.
- Documented exit and substitutability strategies for critical/important functions.
Pillar 5, Information sharing (Article 45)
- Decision recorded on whether to participate in threat-intelligence sharing arrangements.
- If participating: arrangements protect confidentiality and comply with data-protection law.
How to use this checklist
Work through each pillar, assign an owner and evidence location to every item, and rate maturity honestly. Items you cannot evidence become your remediation backlog. For a scored view of the same ground, take the DORA Readiness Score; for the underlying obligations, see the DORA requirements. When you need external validation, a formal gap assessment turns the checklist into an auditable baseline.
Frequently asked questions
Is the DORA checklist free to download?
Yes. The checklist is available as a free PDF and spreadsheet. Enter a few details and the download unlocks right here on the page, no waiting for an email. See the download section above.
Does the checklist cover all five DORA pillars?
Yes. It is organised by the five pillars, ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing, with each item mapped to the relevant DORA article.
Is completing the checklist enough to be DORA compliant?
The checklist is a structured starting point, not a substitute for a formal gap assessment. Proportionality means the depth of evidence expected varies by entity type and size. Use the checklist to scope work, then validate with the Readiness Score or a provider.