Security Program & Risk · May 22, 2026 · 9 min read

DORA compliance checklist for financial entities

DORA has applied across the EU financial sector since January 2025. It rests on five pillars. This checklist turns them into concrete work you can assign and track.
Written by Raptoric Program & Risk

The Digital Operational Resilience Act, Regulation (EU) 2022/2554, has applied directly across the EU since January 2025. It is prescriptive, and it expects evidence rather than intent. If you are a financial entity or a critical ICT provider to one, this checklist maps the five pillars to the work that satisfies them.

Who DORA applies to

DORA applies to banks, insurers, investment firms, payment and electronic money institutions, crypto-asset service providers, and many other financial entities, plus the critical ICT third parties they rely on. Because DORA is a regulation, it applies the same way in every member state.

The five pillars

  • ICT risk management. A governed framework to identify, protect, detect, respond, and recover.
  • ICT incident management and reporting. Classify incidents and report major ones to regulators on a defined timeline.
  • Digital operational resilience testing. Regular testing, including threat-led penetration testing for significant entities.
  • ICT third-party risk. Oversight of providers, with specific contractual requirements and a register of arrangements.
  • Information sharing. Voluntary exchange of threat intelligence among financial entities.

The checklist

  • Map your ICT assets and the business services that depend on them.
  • Stand up a documented ICT risk management framework, owned and overseen by the management body.
  • Define incident classification criteria and a reporting process that meets the regulatory clock.
  • Build detection and response capable of catching and containing major incidents. See managed detection and response.
  • Establish a testing programme, and arrange threat-led penetration testing if you are a significant entity.
  • Build a register of ICT third-party arrangements and review contracts against DORA requirements.
  • Assess concentration risk in your critical providers.
  • Run board-level oversight, because management accountability is explicit.

Threat-led penetration testing

For significant entities, DORA expects testing that mimics real threat actors against live systems, on a multi-year cycle. This is closer to a red team operation than a standard scan: it targets people, process, and technology, and it tests detection and response, not just prevention.

ICT third-party risk

DORA puts your providers in scope. You need a register of arrangements, contracts that meet specific requirements, and an assessment of what happens if a critical provider fails. Outsourcing the service never outsources the risk.

DORA is in force now. If you are in scope and not yet aligned, the gap is a live regulatory risk, not a future project.

We turn DORA into concrete work and produce the evidence. See DORA compliance, or book a scoping call.
