
DORA Compliance Checklist: Step-by-Step Implementation Guide

This checklist provides a structured approach to implementing DORA requirements. Use it to assess your current state, identify gaps, and plan your compliance journey.

DORA became fully applicable on January 17, 2025. If you are starting now, prioritize foundational elements and near-term deadlines while building toward comprehensive compliance.

Key Takeaways

  • Phased approach: Address foundational elements first, then build comprehensive capabilities
  • Proportionality: Scale implementation to your size and risk profile
  • Documentation focus: Many requirements center on documented policies and procedures
  • Third-party priority: The Register of Information has specific submission deadlines
  • Ongoing obligation: Compliance requires continuous maintenance, not one-time implementation

Quick Answer: DORA compliance involves establishing an ICT risk management framework, implementing incident reporting processes, conducting resilience testing, managing third-party ICT risks, and considering information sharing. This checklist breaks down each area into actionable steps, from governance foundations through operational implementation to ongoing maintenance.

Phase 1: Governance and Foundation

Step 1: Establish Governance Structure

  • Assign management body responsibility for ICT risk management
  • Define roles and responsibilities for ICT risk oversight
  • Establish reporting lines to senior management and board
  • Schedule management body training on ICT risks
  • Allocate budget for DORA compliance activities

Step 2: Assess Current State

  • Inventory existing ICT policies and procedures
  • Map current controls against DORA requirements
  • Identify gaps requiring remediation
  • Document systems supporting critical or important functions
  • Catalog ICT third-party service providers

Step 3: Develop ICT Risk Management Strategy

  • Define ICT risk appetite
  • Establish risk assessment methodology
  • Document ICT risk management strategy
  • Obtain management body approval
  • Communicate strategy across organization

Phase 2: ICT Risk Management Framework

Step 4: Build Identification Capabilities

  • Create comprehensive ICT asset inventory
  • Classify assets by criticality and sensitivity
  • Identify critical and important business functions
  • Map ICT dependencies for critical functions
  • Document network architecture and data flows

Step 5: Implement Protection Measures

  • Establish information security policy
  • Implement access control procedures
  • Deploy encryption for data at rest and in transit
  • Configure network security controls
  • Establish patch management process
  • Implement secure configuration standards
  • Deploy endpoint protection solutions

Step 6: Develop Detection Capabilities

  • Implement security monitoring and logging
  • Establish anomaly detection capabilities
  • Define alert thresholds and escalation procedures
  • Ensure 24/7 monitoring for critical systems
  • Integrate threat intelligence where appropriate

Step 7: Establish Response Procedures

  • Document incident response procedures
  • Define incident classification criteria
  • Establish incident response team and roles
  • Create communication templates for incidents
  • Develop containment and eradication procedures
  • Prepare evidence preservation guidelines

Step 8: Plan for Recovery

  • Document business continuity plans
  • Establish disaster recovery procedures
  • Define recovery time objectives (RTOs)
  • Define recovery point objectives (RPOs)
  • Implement backup procedures
  • Document crisis management arrangements

Phase 3: Incident Reporting

Step 9: Implement Incident Classification

  • Establish incident classification criteria aligned with DORA
  • Create decision tree for major incident determination
  • Document classification approval process
  • Train staff on classification criteria

Step 10: Develop Reporting Procedures

  • Create initial notification template
  • Create intermediate report template
  • Create final report template
  • Document reporting timeline and responsibilities
  • Establish communication channel with competent authority
  • Integrate reporting with incident response process

Step 11: Prepare Client Notification

  • Define criteria for client notification
  • Create client communication templates
  • Establish client notification process
  • Train customer-facing staff

Phase 4: Third-Party Risk Management

Step 12: Develop Third-Party Risk Strategy

  • Document ICT third-party risk policy
  • Define due diligence requirements
  • Establish concentration risk appetite
  • Create provider assessment criteria

Step 13: Build Register of Information

  • Identify all ICT third-party service providers
  • Document contract details for each provider
  • Classify services by criticality
  • Record data locations and sub-outsourcing
  • Prepare for regulatory submission

Step 14: Review and Update Contracts

  • Audit existing contracts against DORA Article 30
  • Identify contracts requiring amendments
  • Negotiate updated terms with providers
  • Prioritize critical function providers
  • Document non-compliance and risk acceptance where needed

Step 15: Implement Ongoing Oversight

  • Establish provider performance monitoring
  • Schedule periodic risk reassessments
  • Define audit and inspection approach
  • Create provider incident notification process

Step 16: Develop Exit Strategies

  • Document exit strategies for critical function providers
  • Identify alternative providers or in-house options
  • Estimate transition timelines and resources
  • Test exit strategy feasibility
  • Include exit provisions in contracts
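Steps 13 to 16 above (Register of Information, Article 30 contract review, oversight, exit strategies) are easier to keep honest if the register is checked mechanically before it is submitted or reviewed. The following is an added example, not code from the page or from Bastion: it holds a small provider register as data and reports three kinds of gap the checklist asks for: contract terms missing against a list of Article 30 items, critical-function providers without a documented exit strategy, and critical functions that depend on a single provider (a concentration-risk signal). The field names, the list of required contract terms and the three sample providers are all constructed for illustration; the real register must follow the regulatory templates, so treat this as an internal pre-submission sanity check rather than a format.

```python
"""Register of Information sanity check (added example, assumed field names)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Contract items the checklist asks you to audit against Article 30.
# Assumed names for illustration, not the regulation's own wording.
REQUIRED_CONTRACT_TERMS = frozenset({
    "service_description", "data_locations", "sub_outsourcing_disclosed",
    "incident_notification", "audit_rights", "exit_provisions",
})


@dataclass
class Provider:
    name: str
    functions: list                                   # business functions the service supports
    contract_terms: set = field(default_factory=set)  # Article 30 items present in the contract
    exit_strategy_documented: bool = False            # Step 16: documented and tested exit plan


def is_critical(p: Provider, critical_functions: set) -> bool:
    """A provider is critical if it supports any critical or important function."""
    return any(f in critical_functions for f in p.functions)


def contract_gaps(p: Provider) -> list:
    """Required contract terms that this provider's contract does not contain."""
    return sorted(REQUIRED_CONTRACT_TERMS - p.contract_terms)


def missing_exit_strategies(providers: list, critical_functions: set) -> list:
    """Critical-function providers with no documented exit strategy."""
    return sorted(p.name for p in providers
                  if is_critical(p, critical_functions) and not p.exit_strategy_documented)


def single_provider_functions(providers: list, critical_functions: set) -> dict:
    """Critical functions that depend on exactly one provider (concentration signal)."""
    by_function = defaultdict(list)
    for p in providers:
        for f in p.functions:
            if f in critical_functions:
                by_function[f].append(p.name)
    return {f: names[0] for f, names in by_function.items() if len(names) == 1}


def review_register(providers: list, critical_functions: set) -> list:
    """Produce findings, critical-function providers first (Step 14: prioritize them)."""
    findings = []
    ordered = sorted(providers, key=lambda p: not is_critical(p, critical_functions))
    for p in ordered:
        tag = "CRITICAL" if is_critical(p, critical_functions) else "non-critical"
        for term in contract_gaps(p):
            findings.append(f"[{tag}] {p.name}: contract lacks '{term}'")
    for name in missing_exit_strategies(providers, critical_functions):
        findings.append(f"[CRITICAL] {name}: no documented exit strategy")
    for f, name in sorted(single_provider_functions(providers, critical_functions).items()):
        findings.append(f"[CONCENTRATION] '{f}' depends solely on {name}")
    return findings


# Constructed sample data: which functions are critical, and three illustrative providers.
CRITICAL_FUNCTIONS = {"payments", "ledger", "customer portal"}
SAMPLE_PROVIDERS = [
    Provider("CloudHost A", ["payments", "customer portal"],
             set(REQUIRED_CONTRACT_TERMS) - {"exit_provisions"}, exit_strategy_documented=True),
    Provider("Data Analytics B", ["marketing analytics"], {"service_description"}),
    Provider("Core Banking SaaS C", ["payments", "ledger"], set(REQUIRED_CONTRACT_TERMS)),
]

if __name__ == "__main__":
    for line in review_register(SAMPLE_PROVIDERS, CRITICAL_FUNCTIONS):
        print(line)
```

Running it prints nine findings: the one missing exit clause for the critical provider first, the five gaps for the non-critical analytics provider after it, then the missing exit strategy and the two single-provider critical functions. The useful design point is that criticality is derived from the functions a provider supports rather than typed in per provider, so the classification in Step 13 stays consistent with the business-function inventory from Step 4.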

Phase 5: Resilience Testing

Step 17: Establish Testing Program

  • Document testing policy and strategy
  • Define testing scope based on risk assessment
  • Establish testing calendar
  • Identify testing resources (internal/external)
  • Create testing documentation standards

Step 18: Implement Basic Testing

  • Conduct vulnerability assessments
  • Perform network security testing
  • Execute scenario-based testing
  • Test business continuity plans
  • Test disaster recovery procedures
  • Document and track remediation

Step 19: Prepare for TLPT (If Designated)

  • Determine if TLPT designation applies
  • Establish control team
  • Engage threat intelligence provider
  • Select red team (internal or external as appropriate)
  • Define TLPT scope covering critical functions
  • Plan purple teaming phase
  • Prepare for regulatory reporting

Phase 6: Information Sharing (Optional)

Step 20: Consider Information Sharing

  • Assess readiness for threat intelligence consumption
  • Identify appropriate sharing communities
  • Evaluate contribution capability
  • Implement technical infrastructure
  • Notify competent authority of participation

Phase 7: Ongoing Compliance

Step 21: Maintain Documentation

  • Schedule annual policy and procedure reviews
  • Update documentation following changes
  • Maintain evidence of compliance activities
  • Archive records according to retention requirements

Step 22: Conduct Regular Reviews

  • Perform annual ICT risk management framework review
  • Update risk assessments periodically
  • Review provider risk assessments annually
  • Assess control effectiveness
  • Report to management body regularly

Step 23: Support Continuous Improvement

  • Incorporate lessons learned from incidents
  • Update controls based on testing results
  • Track regulatory developments
  • Adapt to evolving threats

Priority Timeline

For entities starting compliance now, prioritize activities as follows:

  • Immediate: Governance structure, incident reporting capability, Register of Information. Rationale: core obligations with near-term deadlines.
  • Short-term: ICT risk management framework, critical contract updates. Rationale: foundation for the other requirements.
  • Medium-term: Comprehensive testing program, third-party oversight. Rationale: builds on the established foundation.
  • Ongoing: Reviews, updates, continuous improvement. Rationale: maintains compliance over time.

Documentation Checklist

Ensure you have documented each of the following, and record the status of each:

  • ICT risk management strategy
  • Information security policy
  • ICT asset inventory
  • Risk assessment methodology
  • Business impact analysis
  • Business continuity plans
  • Disaster recovery plans
  • Incident response procedures
  • Incident classification criteria
  • Incident reporting templates
  • Third-party risk policy
  • Register of Information
  • Exit strategies
  • Testing policy
  • Test plans and reports

Common Questions

Where should we start if we have limited compliance today?

Start with governance (management accountability and roles) and immediate obligations (incident reporting capability). Build the ICT asset inventory and Register of Information in parallel, as these inform everything else.

How long does full compliance take?

Timeline depends on your starting point and resources. Organizations with mature security programs may achieve reasonable compliance in 3-6 months. Those starting from scratch may need 12-18 months for comprehensive implementation. Proportionality allows smaller entities to implement simpler approaches more quickly.

Can we use existing ISO 27001 controls?

Yes. ISO 27001 provides significant overlap with DORA requirements. Conduct a mapping exercise to identify which ISO controls satisfy DORA requirements and where gaps exist.

What evidence should we retain?

Retain evidence of all compliance activities: policies, procedures, risk assessments, testing reports, incident records, training records, contract reviews, and management approvals. Ensure records are accessible for regulatory review.

How Bastion Helps

Bastion provides structured support for DORA implementation:

  • Gap assessment: Evaluation of current state against DORA requirements
  • Roadmap development: Prioritized implementation plan
  • Policy development: Creation of required documentation
  • Implementation support: Hands-on assistance with control implementation
  • Register of Information: Preparation and submission support
  • Testing coordination: Management of testing activities
  • Ongoing compliance: Continuous support for maintenance and improvement

Ready to start your DORA compliance journey? Talk to our team
