---
title: "EU DORA Compliance Guide"
canonical_url: "https://www.sorena.io/artifacts/eu/dora/compliance"
source_url: "https://www.sorena.io/artifacts/eu/digital-operational-resilience-act/compliance"
author: "Sorena AI"
description: "A practical EU DORA compliance guide (Regulation (EU) 2022/2554): how to set up a DORA program, build an ICT risk management control baseline."
published_at: "2026-02-23"
updated_at: "2026-02-23"
keywords:
  - "EU DORA compliance guide"
  - "DORA implementation guide"
  - "DORA compliance program"
  - "ICT risk management DORA"
  - "DORA incident reporting implementation"
  - "TLPT implementation DORA"
  - "DORA third party risk implementation"
  - "DORA register of information implementation"
  - "DORA contract clauses"
  - "DORA compliance"
  - "implementation playbook"
  - "ICT risk management"
  - "incident reporting"
  - "TLPT"
  - "third-party risk"
  - "register of information"
---

# EU DORA Compliance Guide

A practical EU DORA compliance guide (Regulation (EU) 2022/2554): how to set up a DORA program, build an ICT risk management control baseline.

*Implementation Guide* *EU*

## EU DORA Compliance Playbook

A step-by-step implementation playbook: controls, workflows, evidence and cadence.

Designed for regulated entities: legal, security, IT, risk, and vendor management working together.

DORA compliance succeeds when it's built as an operating model: a control baseline, a reporting pipeline, a testing program, and a vendor governance system - all tied together by an evidence pack. This playbook is a practical sequence you can execute per entity and scale to group level.

## Step 1 - Lock scope and proportionality (write the scope memo)

Start with an entity-by-entity scope memo mapped to Article 2 categories, competent authorities, and group layers.

Record proportionality/simplification decisions as management body artifacts and define when they are revisited.

- Map each legal entity to Article 2 scope; identify supervisors and reporting routing.
- Define critical or important functions and top ICT dependencies (including outsourced services).
- Document proportionality decisions: what is simplified and why residual risk is acceptable.
- Create the requirements matrix: Article -> obligation -> control -> owner -> evidence.

## Step 2 - Build the ICT risk management control baseline (Chapter II + RTS)

Treat Chapter II as a control baseline: you need a coherent set of policies, controls and runbooks that cover the full lifecycle (protect -> detect -> respond -> recover).

Define acceptance criteria and evidence for each control family.

- Governance: risk tolerance, management body oversight, internal audit and independent reviews.
- Asset inventory and classification: ICT-supported business functions, information assets, ICT assets, and dependency mapping (review at least yearly).
- Protection controls: identity/access, secure configuration, change management, vulnerability management, backup and resilience patterns for critical functions.
- Detection controls: monitoring, logging, anomaly detection, and alert QA for critical services.
- Business continuity and recovery: response/recovery plans, switchover tests, restore objectives, and post-incident reviews.

## Step 3 - Ship the core workflow: major ICT incident reporting pipeline (Chapter III + RTS)

Major incident reporting is a timed workflow: you need to classify, report, update, and produce a final root cause analysis output.

Build it to function during outages: templates, alternate submission paths, and clear roles.

- Incident management process (Article 17) implemented: recording, consistent handling, root cause analysis, and prevention improvements.
- Classification implemented (Article 18 + RTS): thresholds, cross-border impact logic, and severity model.
- Reporting artifacts implemented (Article 19 + RTS): initial notification, intermediate updates, final report; include cross-border impact information.
- Client communications: notify clients without undue delay where their financial interests are impacted.
- Evidence and QA: logs, timestamps, report copies, and periodic reporting drills.
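The timed workflow above, as an added example in Python (it is not code from the page or from Sorena): an incident is classified against a severity model, the reporting stages get due times counted from the classification timestamp, late or missing submissions are flagged, and every step lands in a timestamped evidence log. The thresholds, the "critical function plus two further criteria" rule and the stage deadlines are hypothetical placeholders chosen for illustration; the binding figures must be transcribed from the classification and timing RTS the page references.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Incident:
    incident_id: str
    clients_affected_pct: float        # share of clients affected, in percent
    duration_hours: float              # hours of service unavailability
    member_states_affected: int        # geographic spread; >1 means cross-border
    critical_function_affected: bool   # a critical or important function is hit
    data_loss: bool                    # loss of integrity/confidentiality of data


# Hypothetical thresholds (assumption for this example, not the RTS figures).
THRESHOLDS = {"clients_pct": 10.0, "duration_hours": 24.0}

# Hypothetical reporting deadlines counted from classification (assumption).
DEADLINES = {
    "initial_notification": timedelta(hours=4),
    "intermediate_report": timedelta(hours=72),
    "final_report": timedelta(days=30),
}


def classify(inc):
    """Return (severity, criteria_met). Hypothetical model: 'major' when a
    critical or important function is affected and at least two further
    criteria fire; otherwise 'non-major'."""
    criteria = []
    if inc.clients_affected_pct >= THRESHOLDS["clients_pct"]:
        criteria.append("clients")
    if inc.duration_hours >= THRESHOLDS["duration_hours"]:
        criteria.append("duration")
    if inc.member_states_affected > 1:
        criteria.append("cross_border")
    if inc.data_loss:
        criteria.append("data_loss")
    major = inc.critical_function_affected and len(criteria) >= 2
    return ("major" if major else "non-major"), criteria


def reporting_timeline(classified_at):
    """Due time for each report stage, measured from the classification time."""
    return {stage: classified_at + delta for stage, delta in DEADLINES.items()}


def overdue_stages(timeline, submitted_at, now):
    """Stages past due with no submission, or submitted after their deadline."""
    late = []
    for stage, due in timeline.items():
        sent = submitted_at.get(stage)
        if (sent is None and now > due) or (sent is not None and sent > due):
            late.append(stage)
    return late


@dataclass
class EvidenceLog:
    """Append-only, timestamped record kept for the evidence pack."""
    entries: list = field(default_factory=list)

    def record(self, incident_id, event, at, detail=""):
        self.entries.append({"incident_id": incident_id, "event": event,
                             "at": at.isoformat(), "detail": detail})


def run_pipeline(inc, classified_at, log):
    """Classify; for major incidents derive the timeline and log each due date."""
    severity, criteria = classify(inc)
    log.record(inc.incident_id, "classified", classified_at,
               f"{severity}; criteria={','.join(criteria) or 'none'}")
    if severity != "major":
        return severity, {}
    timeline = reporting_timeline(classified_at)
    for stage, due in timeline.items():
        log.record(inc.incident_id, f"{stage}_due", due)
    return severity, timeline


# Constructed sample incident (not a real case).
SAMPLE = Incident("INC-0001", clients_affected_pct=12.0, duration_hours=30.0,
                  member_states_affected=2, critical_function_affected=True,
                  data_loss=False)
T0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    log = EvidenceLog()
    severity, timeline = run_pipeline(SAMPLE, T0, log)
    print(severity, {k: v.isoformat() for k, v in timeline.items()})
    sent = {"initial_notification": T0 + timedelta(hours=3)}
    print("overdue at T0+80h:", overdue_stages(timeline, sent, T0 + timedelta(hours=80)))
    for entry in log.entries:
        print(entry)
```

The timeline is derived from the classification timestamp rather than from detection, so the log entry that fixes that timestamp is the one piece of evidence a reporting drill should check first; `overdue_stages` is the check to run in the periodic drill against the submitted report copies.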

## Step 4 - Build testing and TLPT readiness as a recurring program (Chapter IV)

Testing is not a yearly checkbox. Build a program that generates remediation backlog and evidence.

If TLPT is in scope for your entity, build the governance, supplier model and production-safe execution controls early.

- Testing program (Articles 24-25): annual plan, coverage for critical/important functions, independent testing where required, remediation and validation methodology.
- TLPT (Article 26): scope definition and authority validation process; multi-asset test coverage; production-safe controls.
- Tester qualification and contracts (Article 27): suitability, independence, confidentiality, and indemnity.
- Evidence: test reports, remediation tracking, retest evidence, and management summaries.

## Step 5 - Operationalize third-party risk: contract posture + register of information (Chapter V + RTS)

DORA third-party risk is not a procurement memo. It's contracts, oversight rights, concentration risk analysis, exit planning, and a continuously updated register of information.

Make vendor governance produce exportable evidence.

- ICT third-party risk strategy and policy for critical/important ICT services exists and is reviewed periodically (Article 28).
- Register of information implemented and updated (Article 28): entity and group layers; exportable sections for supervisors.
- Concentration/substitutability analysis performed (Article 29), including subcontracting chains and third-country risk considerations.
- Contract clause baseline implemented (Article 30 + RTS 2024/1773): audit/access rights, security requirements, incident cooperation, subcontractor transparency, portability and exit rights.
- Exit strategies and transition plans documented and tested for high-criticality services.
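The concentration and substitutability analysis from Article 29 above, as an added example in Python (not code from the page or from Sorena) run over a constructed register-of-information extract. It flags three things a direct-provider view misses or under-weights: one provider supporting several critical functions, critical links with no substitute at a third-country provider (where exit planning matters most), and a subcontractor shared across otherwise unrelated providers, which is concentration hidden one layer down the chain. The field names, the sample rows and the `max_critical_links` limit are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample extract (not real data): one row per link between an
# ICT provider and the function it supports.
REGISTER = [
    {"provider": "CloudCo",  "function": "payments",       "critical": True,
     "substitutable": False, "subcontractors": ["DC-Ops"],    "third_country": True},
    {"provider": "CloudCo",  "function": "core-banking",   "critical": True,
     "substitutable": False, "subcontractors": ["DC-Ops"],    "third_country": True},
    {"provider": "CloudCo",  "function": "marketing-site", "critical": False,
     "substitutable": True,  "subcontractors": [],            "third_country": True},
    {"provider": "SwiftMsg", "function": "payments",       "critical": True,
     "substitutable": True,  "subcontractors": ["DC-Ops"],    "third_country": False},
    {"provider": "HRSaaS",   "function": "payroll",        "critical": False,
     "substitutable": True,  "subcontractors": ["MailRelay"], "third_country": False},
]


def concentration_findings(rows, max_critical_links=1):
    """Return (kind, subject, detail) tuples:
    - 'concentration': a provider supports more than max_critical_links
      critical or important functions;
    - 'exit_exposure': a critical link that is not substitutable and sits at a
      third-country provider;
    - 'shared_subcontractor': a subcontractor used by more than one provider."""
    by_provider = defaultdict(list)
    by_subcontractor = defaultdict(set)
    for row in rows:
        by_provider[row["provider"]].append(row)
        for sub in row["subcontractors"]:
            by_subcontractor[sub].add(row["provider"])

    findings = []
    for provider, links in by_provider.items():
        critical = [l for l in links if l["critical"]]
        if len(critical) > max_critical_links:
            findings.append(("concentration", provider,
                             sorted(l["function"] for l in critical)))
        for link in critical:
            if not link["substitutable"] and link["third_country"]:
                findings.append(("exit_exposure", provider, [link["function"]]))
    for sub, providers in by_subcontractor.items():
        if len(providers) > 1:
            findings.append(("shared_subcontractor", sub, sorted(providers)))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in concentration_findings(REGISTER):
        print(f"{kind:20s} {subject:10s} {', '.join(detail)}")
```

Run on a real register export the same way: the `shared_subcontractor` findings are the ones that normally surprise a vendor-management team, because the register's subcontracting columns are the only place that dependency is visible.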

## Step 6 - Governance cadence, KPIs, and evidence pack (sustaining compliance)

DORA compliance is sustained by cadence: quarterly reviews, annual program planning, and evidence retention rules.

Your goal is to make regulatory responses predictable and fast.

- RACI for each workstream; escalation paths; approval authorities for exceptions.
- Quarterly reviews: control exceptions, incident trends, vendor concentration, register accuracy.
- Annual planning: testing calendar, TLPT readiness review, incident reporting drills.
- Evidence pack: versioned policies, runbooks, logs, reports, test results, register exports, and management body approvals.

*Recommended next step*


## Turn EU DORA Compliance Playbook into an operational assessment

Assessment Autopilot turns the EU DORA Compliance Playbook into a tracked program and a reusable workflow inside Sorena. Teams working on EU DORA can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Assessment Autopilot for EU DORA Compliance Playbook](/solutions/assessment.md): Start from EU DORA Compliance Playbook and turn the guidance into owned tasks, evidence requests, and review checkpoints.
- [Talk through EU DORA](/contact.md): Review your current process, evidence gaps, and next steps for EU DORA Compliance Playbook.

## Primary sources

- [Regulation (EU) 2022/2554 (DORA) - Official Journal](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Primary DORA obligations and program structure (Chapters II-V). DORA applies from 17 January 2025 (Article 64).
- [Commission Delegated Regulation (EU) 2024/1773 - Contractual arrangements for ICT services supporting critical or important functions (RTS)](https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng?ref=sorena.io) - Level 2 RTS for DORA contractual clauses: audit/access, security, subcontracting, incident cooperation, exit/portability and more.
- [Commission Delegated Regulation (EU) 2024/1774 - ICT risk management tools and simplified framework (RTS)](https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj/eng?ref=sorena.io) - Level 2 RTS that operationalizes the ICT risk management framework and simplified approach.

## Related Topic Guides

- [DORA Applicability Test | Is EU DORA Applicable to Your Entity?](/artifacts/eu/digital-operational-resilience-act/applicability-test.md): A step-by-step EU DORA applicability test (Regulation (EU) 2022/2554): determine if you are a covered financial entity under Article 2.
- [DORA FAQ (EU) - Scope, Deadlines, Reporting, TLPT, RoI, and Third-Party Risk](/artifacts/eu/digital-operational-resilience-act/faq.md): High-signal answers to the most searched DORA questions: who is in scope, when DORA applies (17 Jan 2025), what "critical or important functions" means.
- [DORA ICT Risk Management Control Baseline | Chapter II + RTS 2024/1774](/artifacts/eu/digital-operational-resilience-act/ict-risk-management-control-baseline.md): A deep DORA ICT risk management baseline: how to implement Chapter II of Regulation (EU) 2022/2554 as controls with acceptance criteria and evidence.
- [DORA ICT Third-Party Risk Management + Contract Clauses | Article 28-30 + RTS 2024/1773 + RTS 2025/532](/artifacts/eu/digital-operational-resilience-act/third-party-risk-and-contract-clauses.md): A deep guide to DORA ICT third-party risk: build the third-party risk strategy (Article 28), implement due diligence + ongoing monitoring.
- [DORA Major ICT Incident Reporting | Articles 17-20 + RTS 2024/1772 + 2025/301](/artifacts/eu/digital-operational-resilience-act/major-incident-reporting.md): A practical DORA major incident reporting guide: build the Article 17 and 19 workflow, apply RTS 2024/1772 classification and RTS 2025/301 timing rules.
- [DORA Penalties, Fines, and Enforcement | Articles 50-55 + Oversight Penalty Payments](/artifacts/eu/digital-operational-resilience-act/penalties-and-fines.md): A practical DORA enforcement guide: how competent authorities' supervisory/investigatory/sanctioning powers work (Article 50).
- [DORA Register of Information (RoI) - How to Build It | Article 28 + ITS 2024/2956](/artifacts/eu/digital-operational-resilience-act/register-of-information-how-to-build.md): Build an audit-ready DORA Register of Information (RoI): define scope and relational keys.
- [DORA Register of Information (RoI) Template Guide | ITS 2024/2956 Annex Templates (B_01-B_07)](/artifacts/eu/digital-operational-resilience-act/dora-register-of-information-template.md): A practical guide to the DORA Register of Information templates: understand the ITS schema (Implementing Regulation (EU) 2024/2956).
- [DORA Testing & TLPT Readiness | Chapter IV + TIBER-EU Execution Guide](/artifacts/eu/digital-operational-resilience-act/testing-and-tlpt-readiness.md): A deep DORA testing and TLPT readiness guide: build the Chapter IV testing program, prepare remediation and validation.
- [DORA vs ISO/IEC 27001:2022 | Mapping Controls, Evidence, and Audit Readiness](/artifacts/eu/digital-operational-resilience-act/dora-vs-iso-27001.md): A deep DORA vs ISO 27001 comparison: where ISO/IEC 27001:2022 helps satisfy DORA ICT risk management and evidence expectations.
- [DORA vs NIS2 (EU) | Scope, Reporting, Controls, and Overlap for Financial Entities](/artifacts/eu/digital-operational-resilience-act/dora-vs-nis2.md): A deep comparison of DORA and NIS2: who is in scope, what "security measures" mean, incident reporting differences, governance and enforcement posture.
- [EU DORA Checklist | DORA Compliance Checklist (Audit-Ready)](/artifacts/eu/digital-operational-resilience-act/checklist.md): An audit-ready EU DORA checklist (Regulation (EU) 2022/2554): scope memo and proportionality, ICT risk management control baseline.
- [EU DORA Deadlines & Compliance Calendar | Key Dates, RTS/ITS and Cadence](/artifacts/eu/digital-operational-resilience-act/deadlines-and-compliance-calendar.md): A DORA compliance calendar for Regulation (EU) 2022/2554: publication, entry into force, application date, key RTS and ITS including 2024/2956, 2025/301.
- [EU DORA Requirements | Obligations by Workstream (ICT Risk, Incidents, TLPT, Third Parties)](/artifacts/eu/digital-operational-resilience-act/requirements.md): A practical breakdown of EU DORA (Regulation (EU) 2022/2554) requirements: ICT risk management framework (Chapter II).
- [EU DORA Scope & Covered Entities | Who Is In Scope (Article 2)](/artifacts/eu/digital-operational-resilience-act/scope-and-covered-entities.md): A practical scoping guide for EU DORA (Regulation (EU) 2022/2554): covered financial entities (Article 2), proportionality and simplified frameworks.

---

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/digital-operational-resilience-act/compliance
