
EU DORA Requirements

A requirements map you can translate into controls, owners, and evidence.

Structured by how teams implement DORA: controls, reporting, testing, and third-party governance.

Author
Sorena AI
Published
Feb 23, 2026
Updated
Feb 23, 2026
Overview

DORA is an implementation regulation. The fastest way to comply is to build a requirements matrix that maps each obligation to (1) a control or workflow, (2) an owner, (3) acceptance criteria, and (4) evidence you can export on demand. This page summarizes DORA requirements by workstream and highlights the artifacts teams usually miss (statement-of-work quality, register of information, and reporting pipelines).

Section 1

Workstream 1 - ICT risk management framework (Chapter II)

DORA requires financial entities to have an internal governance and control framework that ensures effective and prudent management of ICT risk and a high level of digital operational resilience.

Think "control baseline": governance, asset inventory, protection/detection, response/recovery, business continuity, and communications.

  • Management body accountability: the management body defines, approves, oversees and is responsible for the arrangements that manage ICT risk (Articles 5 and 6).
  • Asset inventory and classification: identify, classify and document ICT-supported business functions, information assets, and dependencies; review at least yearly (Article 8).
  • Protection and prevention controls: policies/tools to safeguard availability, authenticity, integrity and confidentiality of data and services (Chapter II control layers).
  • Detection and monitoring: mechanisms to detect anomalous activities and ICT-related incidents (Chapter II + Article 17 interface).
  • Business continuity and response/recovery plans: contain incidents, restore services, and run post-incident reviews to prevent recurrence (Articles 11-13).

Section 2

Workstream 2 - ICT incident management and reporting (Chapter III)

DORA requires an ICT incident management process to detect, manage and notify incidents, record all ICT-related incidents and significant cyber threats, and report major ICT-related incidents to competent authorities.

This is both an operational workflow and a data/reporting pipeline.

  • Incident management process: early warning indicators, tracking/logging/classification, roles and responsibilities, communication plans, and response procedures (Article 17).
  • Classification: classify incidents by priority/severity and criticality of services impacted; apply criteria and thresholds specified in DORA and RTS (Article 18 + RTS).
  • Reporting: submit initial notification, intermediate updates, and final report within RTS time limits; include information needed to assess significance and cross-border impacts (Article 19 + RTS).
  • Client communications: inform clients without undue delay where major incidents impact financial interests; inform potentially affected clients about protection measures for significant cyber threats where applicable (Article 19).

Section 3

Workstream 3 - Digital operational resilience testing and TLPT (Chapter IV)

DORA requires an ongoing testing program for ICT tools, systems and processes, including vulnerability assessments, scenario-based tests, and penetration testing.

For certain entities, DORA introduces advanced threat-led penetration testing (TLPT) on live production systems at least every three years.

  • Testing program: run tests appropriate to risk profile and criticality; ensure independence for non-microenterprises; remediate and validate weaknesses (Articles 24-25).
  • TLPT: advanced testing at least every 3 years for identified entities; cover critical or important functions; performed on live production systems; scope validated by competent authorities (Article 26).
  • Tester suitability: testers must be of the highest suitability and reputability, combine threat intelligence and penetration testing expertise, give assurance of independence, and hold professional indemnity insurance (Article 27).

Section 4

Workstream 4 - ICT third-party risk management (Chapter V)

DORA makes third-party risk a first-class compliance domain: financial entities remain fully responsible for compliance and must manage ICT third-party risk as part of ICT risk management.

Operationally, this workstream is procurement/legal/security combined: contracts, oversight rights, exit plans, and evidence.

  • Third-party strategy: adopt and regularly review an ICT third-party risk strategy (with proportionality), including policy for ICT services supporting critical/important functions (Article 28).
  • Register of information: maintain and update a register covering all contractual arrangements for ICT services; provide the full register or sections on request (Article 28).
  • Concentration risk: assess substitutability and multi-vendor dependencies; consider subcontracting chains and third-country risks (Article 29).
  • Contract minimum clauses: allocate rights and obligations clearly in a written contract; include the minimum contractual elements of Article 30 and the contractual requirements set out in the related RTS.

Section 5

Workstream 5 - Oversight of critical ICT third-party service providers

DORA establishes an EU oversight framework for critical ICT third-party service providers (CTPPs) supporting the financial sector.

For financial entities, the practical implication is stronger contract posture and exit strategy planning. For ICT providers, it's oversight readiness and evidence maturity.

  • Understand designation: criteria and process for designating ICT third-party providers as critical are specified in delegated regulation (Level 2).
  • Plan contractual adjustments: authorities can require adjustments to avoid resilience harms; build exit strategies and transition plans as standard artifacts.
  • Account for oversight costs: oversight fee methodologies apply to critical providers under delegated regulation.

Section 6

Evidence mapping model (requirement -> control -> evidence)

Compliance becomes low-friction when evidence is designed-in. Use this mapping model to build an exportable evidence pack.

Aim to make every requirement verifiable via a small set of repeatable artifacts.

  • Policies: ICT risk management policy set, incident management policy, testing policy, third-party risk strategy, exit strategy policy.
  • Procedures/runbooks: notice/reporting runbooks, escalation paths, TLPT runbooks, vendor onboarding/checklists, contract clause playbooks.
  • Records/logs: asset inventory, incident records, reports submitted, remediation tickets, test results, register of information exports.
  • Governance evidence: management body approvals, periodic reviews, proportionality decisions, and KPI dashboards.
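As an added illustration of the mapping model above (example code, not part of the original guide), a small Python gap checker over a constructed requirements matrix: each row maps an obligation to a control, an owner, acceptance criteria and dated evidence, and the checker flags rows with a missing field, no evidence, or evidence older than the review cadences the page cites (Article 8 asset inventory yearly, Article 26 TLPT every three years). Owners, artifact names and dates are hypothetical, and the one-year default for other rows is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Maximum evidence age per obligation, from the page: Article 8 asset inventory
# review at least yearly, Article 26 TLPT at least every three years. Anything
# not listed is assumed to need evidence no older than one year (assumption).
MAX_AGE_DAYS = {"Art.8": 365, "Art.26": 3 * 365}
DEFAULT_MAX_AGE_DAYS = 365

@dataclass
class Requirement:
    ref: str          # DORA article the row maps, e.g. "Art.8"
    control: str      # control or workflow satisfying it
    owner: str        # accountable owner
    acceptance: str   # criteria an assessor can check
    evidence: list    # (artifact name, date produced) pairs

def find_gaps(matrix, as_of):
    """Return one line per gap: missing field, no evidence, or stale evidence."""
    gaps = []
    for r in matrix:
        for fld in ("control", "owner", "acceptance"):
            if not getattr(r, fld).strip():
                gaps.append(f"{r.ref}: missing {fld}")
        if not r.evidence:
            gaps.append(f"{r.ref}: no evidence artifact mapped")
            continue
        limit = timedelta(days=MAX_AGE_DAYS.get(r.ref, DEFAULT_MAX_AGE_DAYS))
        newest = max(d for _, d in r.evidence)  # most recent artifact date
        if as_of - newest > limit:
            gaps.append(f"{r.ref}: newest evidence {newest} older than {limit.days} days")
    return gaps

# Constructed sample matrix (hypothetical owners, artifacts and dates).
SAMPLE_MATRIX = [
    Requirement("Art.8", "Asset inventory and classification", "CISO",
                "Inventory export covers all ICT-supported functions",
                [("asset-inventory-export.csv", date(2024, 11, 1))]),
    Requirement("Art.19", "Major incident reporting runbook", "SOC lead",
                "Initial notification within RTS time limits", []),
    Requirement("Art.26", "Threat-led penetration testing", "Head of Security Testing",
                "TLPT report covers critical or important functions",
                [("tlpt-final-report.pdf", date(2023, 9, 15))]),
    Requirement("Art.28", "Register of information", "",
                "Full register exportable on request",
                [("roi-export.xlsx", date(2026, 1, 31))]),
]
AS_OF = date(2026, 2, 23)  # assessment date for the sample run
def demo_gaps():
    return find_gaps(SAMPLE_MATRIX, AS_OF)
```

Running `demo_gaps()` reports the stale Article 8 inventory export, the Article 19 row with no evidence, and the Article 28 row with no owner, while the 2023 TLPT report is still within its three-year window.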

Recommended next step

Turn EU DORA Requirements into an operational assessment

Assessment Autopilot can turn the EU DORA requirements in this guide into assigned actions and a reusable workflow inside Sorena. Teams working on EU DORA can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Primary sources

References and citations

eur-lex.europa.eu
Referenced sections
  • Primary DORA requirements across the four main workstreams: ICT risk management (Chapter II), incident reporting (Chapter III), testing/TLPT (Chapter IV), and ICT third-party risk including contract clauses and the register of information (Chapter V).