Implementation Guide (EU)

EU DORA Compliance Playbook

A step-by-step implementation playbook: controls, workflows, evidence and cadence.

Designed for regulated entities: legal, security, IT, risk, and vendor management working together.

Author: Sorena AI
Published: Feb 23, 2026
Updated: Feb 23, 2026

Overview

DORA compliance succeeds when it's built as an operating model: a control baseline, a reporting pipeline, a testing program, and a vendor governance system - all tied together by an evidence pack. This playbook is a practical sequence you can execute per entity and scale to group level.

Section 1

Step 1 - Lock scope and proportionality (write the scope memo)

Start with an entity-by-entity scope memo mapped to Article 2 categories, competent authorities, and group layers.

Record proportionality/simplification decisions as management body artifacts and define when they are revisited.

  • Map each legal entity to Article 2 scope; identify supervisors and reporting routing.
  • Define critical or important functions and top ICT dependencies (including outsourced services).
  • Document proportionality decisions: what is simplified and why residual risk is acceptable.
  • Create the requirements matrix: Article -> obligation -> control -> owner -> evidence.
Section 2

Step 2 - Build the ICT risk management control baseline (Chapter II + RTS)

Treat Chapter II as a control baseline: a coherent set of policies, controls and runbooks that covers the full lifecycle (protect -> detect -> respond -> recover).

Define acceptance criteria and evidence for each control family.

  • Governance: risk tolerance, management body oversight, internal audit and independent reviews.
  • Asset inventory and classification: ICT-supported business functions, information assets, ICT assets, and dependency mapping (review at least yearly).
  • Protection controls: identity/access, secure configuration, change management, vulnerability management, backup and resilience patterns for critical functions.
  • Detection controls: monitoring, logging, anomaly detection, and alert QA for critical services.
  • Business continuity and recovery: response/recovery plans, switchover tests, restore objectives, and post-incident reviews.
Section 3

Step 3 - Ship the core workflow: major ICT incident reporting pipeline (Chapter III + RTS)

Major incident reporting is a timed workflow: you need to classify the incident, submit the initial notification, send intermediate updates, and produce a final report with the root cause analysis.

Build it to function during outages: templates, alternate submission paths, and clear roles.

  • Incident management process (Article 17) implemented: recording, consistent handling, root cause analysis, and prevention improvements.
  • Classification implemented (Article 18 + RTS): thresholds, cross-border impact logic, and severity model.
  • Reporting artifacts implemented (Article 19 + RTS): initial notification, intermediate updates, final report; include cross-border impact information.
  • Client communications: notify clients without undue delay where their financial interests are impacted.
  • Evidence and QA: logs, timestamps, report copies, and periodic reporting drills.
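
As an added illustration of the timed pipeline (not code from the playbook), a small Python deadline tracker: it derives the due time of each reporting stage from the timestamps recorded so far and keeps a timestamped evidence trail. The deadlines are taken from RTS 2025/301 as an assumption rather than from this page, and the incident timeline in `demo()` is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
# Deadlines are assumptions taken from RTS 2025/301, not from this page: initial
# notification 4h after classification as major but no later than 24h after becoming
# aware; intermediate report 72h after the initial one; final report one month later.
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_AFTER_AWARENESS = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)
FINAL_AFTER_INTERMEDIATE = timedelta(days=30)  # "one month" approximated as 30 days

@dataclass
class MajorIncident:
    incident_id: str
    aware_at: datetime
    classified_major_at: Optional[datetime] = None
    submissions: dict = field(default_factory=dict)  # stage -> submission time
    evidence: list = field(default_factory=list)     # (timestamp, event) audit trail
    def classify_major(self, when: datetime) -> None:
        self.classified_major_at = when
        self.evidence.append((when.isoformat(), "classified as major"))

    def submit(self, stage: str, when: datetime) -> None:
        self.submissions[stage] = when
        self.evidence.append((when.isoformat(), f"{stage} report submitted"))

    def deadlines(self) -> dict:
        """Due time of each reporting stage, from the timestamps recorded so far."""
        due = {}
        if self.classified_major_at:
            # Edge case: the 24h-from-awareness cap can expire before the 4h window does.
            due["initial"] = min(self.classified_major_at + INITIAL_AFTER_CLASSIFICATION,
                                 self.aware_at + INITIAL_AFTER_AWARENESS)
        if "initial" in self.submissions:
            due["intermediate"] = self.submissions["initial"] + INTERMEDIATE_AFTER_INITIAL
        if "intermediate" in self.submissions:
            due["final"] = self.submissions["intermediate"] + FINAL_AFTER_INTERMEDIATE
        return due

    def overdue(self, now: datetime) -> list:
        """Stages whose deadline has passed with no submission recorded."""
        return [s for s, d in self.deadlines().items()
                if s not in self.submissions and now > d]

def demo() -> MajorIncident:
    """Constructed sample: classified major 22h after awareness, so initial is due at +24h."""
    t0 = datetime(2026, 3, 1, 8, 0, tzinfo=timezone.utc)
    inc = MajorIncident("INC-0001", aware_at=t0)
    inc.classify_major(t0 + timedelta(hours=22))
    inc.submit("initial", t0 + timedelta(hours=23))
    return inc
```

Feed `overdue()` with the current time from a scheduler during reporting drills to catch a stage that has silently slipped past its window.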
Section 4

Step 4 - Build testing and TLPT readiness as a recurring program (Chapter IV)

Testing is not a yearly checkbox. Build a program that generates remediation backlog and evidence.

If TLPT is in scope for your entity, build the governance, supplier model and production-safe execution controls early.

  • Testing program (Articles 24-25): annual plan, coverage for critical/important functions, independent testing where required, remediation and validation methodology.
  • TLPT (Article 26): scope definition and authority validation process; multi-asset test coverage; production-safe controls.
  • Tester qualification and contracts (Article 27): suitability, independence, confidentiality, and indemnity.
  • Evidence: test reports, remediation tracking, retest evidence, and management summaries.
Section 5

Step 5 - Operationalize third-party risk: contract posture + register of information (Chapter V + RTS)

DORA third-party risk is not a procurement memo. It's contracts, oversight rights, concentration risk analysis, exit planning, and a continuously updated register of information.

Make vendor governance produce exportable evidence.

  • ICT third-party risk strategy and policy for critical/important ICT services exists and is reviewed periodically (Article 28).
  • Register of information implemented and updated (Article 28): entity and group layers; exportable sections for supervisors.
  • Concentration/substitutability analysis performed (Article 29), including subcontracting chains and third-country risk considerations.
  • Contract clause baseline implemented (Article 30 + RTS 2024/1773): audit/access rights, security requirements, incident cooperation, subcontractor transparency, portability and exit rights.
  • Exit strategies and transition plans documented and tested for high-criticality services.
Section 6

Step 6 - Governance cadence, KPIs, and evidence pack (sustaining compliance)

DORA compliance is sustained by cadence: quarterly reviews, annual program planning, and evidence retention rules.

Your goal is to make regulatory responses predictable and fast.

  • RACI for each workstream; escalation paths; approval authorities for exceptions.
  • Quarterly reviews: control exceptions, incident trends, vendor concentration, register accuracy.
  • Annual planning: testing calendar, TLPT readiness review, incident reporting drills.
  • Evidence pack: versioned policies, runbooks, logs, reports, test results, register exports, and management body approvals.