Free Tool — No Login Required
DORA Compliance Checklist
Assess your organisation's readiness against the Digital Operational Resilience Act (Regulation (EU) 2022/2554). This interactive checklist covers all five DORA pillars with article-level references.
DORA has applied since 17 January 2025. All in-scope financial entities must comply.
The checklist contains 35 items in total: Pillar 1 (10 items), Pillar 2 (8 items), Pillar 3 (6 items), Pillar 4 (8 items) and Pillar 5 (3 items).
Disclaimer: This checklist is provided for informational purposes only and does not constitute legal advice. It is intended as a starting point for your DORA compliance assessment. The actual requirements may vary based on your entity type, size, and the proportionality principle under DORA Article 4. Always verify requirements against the full regulatory text and consult qualified legal counsel for your specific situation.
Frequently Asked Questions
Who needs to comply with DORA?
DORA (Regulation (EU) 2022/2554) applies to virtually all EU-regulated financial entities: credit institutions, investment firms, fund managers (AIFMs and UCITS ManCos), insurance and reinsurance undertakings, payment institutions, e-money institutions, CASPs authorised under MiCAR, central counterparties, trade repositories, central securities depositories, and critical ICT third-party service providers. The regulation has applied since 17 January 2025.
What are the 5 pillars of DORA?
DORA is structured around five pillars: (1) ICT risk management framework (Articles 5-16), covering governance, risk identification, protection, detection, response, and recovery; (2) ICT-related incident management and reporting (Articles 17-23); (3) Digital operational resilience testing (Articles 24-27), including threat-led penetration testing (TLPT); (4) ICT third-party risk management (Articles 28-44); and (5) Information sharing arrangements (Article 45).
What is the difference between DORA and NIS2?
DORA is the lex specialis (sector-specific law) for the financial sector, while NIS2 is the general cybersecurity framework. Financial entities that are in scope of DORA are primarily governed by DORA rather than NIS2 for ICT risk management and incident reporting. However, NIS2 may still apply for aspects not covered by DORA.
What are the DORA incident reporting timelines?
Under DORA Article 19, once an ICT-related incident is classified as major, three reports must be submitted: (1) initial notification within 4 hours of classification (and no later than 24 hours after detection); (2) intermediate report within 72 hours of the initial notification; and (3) final report within 1 month of the intermediate report.
Does DORA require penetration testing?
Yes. Article 25 requires all in-scope financial entities to perform digital operational resilience testing. Additionally, certain entities identified by competent authorities must carry out advanced threat-led penetration testing (TLPT) at least every 3 years, in accordance with the TIBER-EU framework. TLPT must be conducted by external testers, though internal resources can participate under strict conditions.
Need Detailed DORA Guidance?
financialregulations.eu covers the full text of DORA, all RTS/ITS, and ESA guidelines. Ask specific questions about your ICT risk management obligations and get cited answers from the regulatory text.