--- title: "EU DORA Checklist" canonical_url: "https://www.sorena.io/artifacts/eu/dora/checklist" source_url: "https://www.sorena.io/artifacts/eu/dora/checklist" author: "Sorena AI" description: "An audit-ready EU DORA checklist (Regulation (EU) 2022/2554): scope memo and proportionality, ICT risk management control baseline." keywords: - "EU DORA checklist" - "DORA compliance checklist" - "DORA audit checklist" - "Digital Operational Resilience Act checklist" - "ICT risk management checklist DORA" - "DORA incident reporting checklist" - "TLPT readiness checklist" - "DORA third party risk checklist" - "DORA register of information checklist" - "DORA contract clauses checklist" - "DORA checklist" - "ICT risk management" - "major incident reporting" - "TLPT" - "third-party risk" - "register of information" - "audit evidence" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU DORA Checklist An audit-ready EU DORA checklist (Regulation (EU) 2022/2554): scope memo and proportionality, ICT risk management control baseline. *Checklist* *EU* ## EU DORA Checklist A checklist you can run per entity - and reuse for audits and supervisory requests. Structured the way teams execute: scope -> controls -> reporting -> testing -> third parties -> evidence. DORA compliance is a system rollout. This checklist is built as a program plan you can run per regulated entity and per group layer. For each item: assign an owner, define acceptance criteria, and keep evidence that is exportable and reproducible. ## Checklist A - Scope memo and proportionality (do this before building controls) Your first deliverable should be a scope memo per entity (and a group summary) that maps DORA scope and proportionality to concrete workstreams and owners. This prevents scope drift and mismatched control builds. - Map each legal entity to Article 2 scope category; record competent authority and reporting perimeter. - Document proportionality decisions and any simplified framework usage; record management body approvals. - Identify critical or important functions and top ICT dependencies (including outsourced services). - Define workstreams and owners: ICT risk controls, incident reporting, testing/TLPT, third-party risk + register, governance cadence. - Create an evidence map: where each required artifact lives and how to export it quickly. *Recommended next step* *Placement: after the checklist block* ## Turn EU DORA Checklist into an operational assessment Assessment Autopilot can take EU DORA Checklist from turning this checklist into an operational workflow to a reusable workflow inside Sorena. Teams working on EU DORA can keep owners, evidence, and next steps aligned without copying this guide into separate documents. - [Open Assessment Autopilot for EU DORA Checklist](/solutions/assessment.md): Start from EU DORA Checklist and turn the guidance into owned tasks, evidence requests, and review checkpoints. - [Talk through EU DORA](/contact.md): Review your current process, evidence gaps, and next steps for EU DORA Checklist. ## Checklist B - ICT risk management control baseline (Chapter II + RTS) DORA expects a coherent ICT risk management framework: governance + asset inventory + control layers + continuity + communications. Build this baseline as a control library with acceptance criteria and evidence. - Governance: management body accountability, risk tolerance, and periodic reviews. - Asset inventory and dependency mapping: ICT-supported business functions, information assets, ICT assets, and criticality classification (review at least yearly). - Protection: access control, secure configuration, change management, vulnerability management, backup and resilience patterns for critical services. - Detection: monitoring, alerting, anomaly detection, and log integrity for critical functions. - Response and recovery: runbooks, containment procedures, restore objectives, and post-incident reviews. - Communications: internal escalation, external stakeholder communications, and crisis communications integration. ## Checklist C - Incident management + major incident reporting (Chapter III + RTS) This is both an operational workflow and a data pipeline. Build a repeatable process with structured outputs and QA. Your reporting capability is tested under stress; design it to work during outages. - Incident management process exists (Article 17): early warning indicators, tracking/logging/classification, roles and responsibilities, communications, response procedures. - All ICT incidents and significant cyber threats are recorded consistently; root causes are identified, documented and addressed. - Classification criteria and materiality thresholds are implemented (Article 18 + RTS). - Reporting pipeline can produce: initial notification, intermediate updates, and final report with root cause analysis and actual impact figures (Article 19 + RTS time limits). - Client communications workflow exists for major incidents impacting financial interests. - Evidence: incident register exports, report copies, timestamps, and decision logs. ## Checklist D - Testing program + TLPT readiness (Chapter IV) Testing should be planned, risk-based, and repeatable. TLPT is a specialized program: build the governance and supplier model early. Treat testing outputs as compliance evidence and as engineering backlog inputs. - Testing program (Article 24/25): annual plan, test coverage for critical or important functions, independent testing where required, remediation and validation methodology. - Penetration testing and scenario-based testing are scheduled and evidence retained. - TLPT readiness (Article 26): scoping methodology, production-safe testing controls, and authority interaction plan. - Tester selection and contracts satisfy suitability/independence and confidentiality requirements; professional indemnity coverage verified. - Evidence: test reports, remediation tracking, re-test evidence, management summaries. ## Checklist E - ICT third-party risk: strategy, contracts, concentration, exit, register (Chapter V + RTS) Third-party risk is a top enforcement focus because it compounds operational risk across the sector. Build a vendor governance system that produces contract posture and evidence on demand. - ICT third-party risk strategy exists and is reviewed periodically; includes policy for ICT services supporting critical or important functions (Article 28). - Register of information built and maintained (Article 28): entity + (where relevant) sub-consolidated/consolidated; exportable sections for supervisors. - Concentration/substitutability analysis performed for critical/important ICT services; multi-vendor strategy considered (Article 29). - Contract clause baseline implemented (Article 30 + RTS 2024/1773): audit/access, security, subcontracting transparency, incident cooperation, portability and exit rights. - Exit strategies and transition plans documented and tested for key critical/important services. ## Checklist F - Governance cadence and evidence pack (make compliance sustainable) DORA is not a one-off. Build a cadence that keeps controls and reporting accurate and current. Your objective is to reduce "scramble risk" when supervisors request evidence. - RACI per workstream (controls, incident reporting, testing, third-party governance). - Quarterly review: incident trends, control exceptions, vendor concentration, register accuracy. - Annual review: proportionality decisions, testing program effectiveness, TLPT readiness status. - Evidence repository: versioned policies, procedures, control tests, reports, register exports, management approvals. ## Primary sources - [Regulation (EU) 2022/2554 (DORA) - Official Journal](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Primary legal text for DORA workstreams: ICT risk management (Chapter II), incident reporting (Chapter III), testing/TLPT (Chapter IV), and ICT third-party risk + register of information (Chapter V). - [Commission Delegated Regulation (EU) 2024/1773 - Contractual arrangements for ICT services supporting critical or important functions (RTS)](https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng?ref=sorena.io) - Level 2 RTS detailing DORA contractual clause expectations for critical/important ICT services. - [Commission Delegated Regulation (EU) 2024/1774 - ICT risk management tools and simplified framework (RTS)](https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj/eng?ref=sorena.io) - Level 2 RTS specifying ICT risk management tools/methods/processes and the simplified framework. ## Related Topic Guides - [DORA Applicability Test | Is EU DORA Applicable to Your Entity?](/artifacts/eu/dora/applicability-test.md): A step-by-step EU DORA applicability test (Regulation (EU) 2022/2554): determine if you are a covered financial entity under Article 2. - [DORA FAQ (EU) - Scope, Deadlines, Reporting, TLPT, RoI, and Third-Party Risk](/artifacts/eu/dora/faq.md): High-signal answers to the most searched DORA questions: who is in scope, when DORA applies (17 Jan 2025), what "critical or important functions" means. - [DORA ICT Risk Management Control Baseline | Chapter II + RTS 2024/1774](/artifacts/eu/dora/ict-risk-management-control-baseline.md): A deep DORA ICT risk management baseline: how to implement Chapter II of Regulation (EU) 2022/2554 as controls with acceptance criteria and evidence. - [DORA ICT Third-Party Risk Management + Contract Clauses | Article 28-30 + RTS 2024/1773 + RTS 2025/532](/artifacts/eu/dora/third-party-risk-and-contract-clauses.md): A deep guide to DORA ICT third-party risk: build the third-party risk strategy (Article 28), implement due diligence + ongoing monitoring. - [DORA Major ICT Incident Reporting | Articles 17-20 + RTS 2024/1772 + 2025/301](/artifacts/eu/dora/major-incident-reporting.md): A practical DORA major incident reporting guide: build the Article 17 and 19 workflow, apply RTS 2024/1772 classification and RTS 2025/301 timing rules. - [DORA Penalties, Fines, and Enforcement | Articles 50-55 + Oversight Penalty Payments](/artifacts/eu/dora/penalties-and-fines.md): A practical DORA enforcement guide: how competent authorities' supervisory/investigatory/sanctioning powers work (Article 50). - [DORA Register of Information (RoI) - How to Build It | Article 28 + ITS 2024/2956](/artifacts/eu/dora/register-of-information-how-to-build.md): Build an audit-ready DORA Register of Information (RoI): define scope and relational keys. - [DORA Register of Information (RoI) Template Guide | ITS 2024/2956 Annex Templates (B_01-B_07)](/artifacts/eu/dora/dora-register-of-information-template.md): A practical guide to the DORA Register of Information templates: understand the ITS schema (Implementing Regulation (EU) 2024/2956). - [DORA Testing & TLPT Readiness | Chapter IV + TIBER-EU Execution Guide](/artifacts/eu/dora/testing-and-tlpt-readiness.md): A deep DORA testing and TLPT readiness guide: build the Chapter IV testing program, prepare remediation and validation. - [DORA vs ISO/IEC 27001:2022 | Mapping Controls, Evidence, and Audit Readiness](/artifacts/eu/dora/dora-vs-iso-27001.md): A deep DORA vs ISO 27001 comparison: where ISO/IEC 27001:2022 helps satisfy DORA ICT risk management and evidence expectations. - [DORA vs NIS2 (EU) | Scope, Reporting, Controls, and Overlap for Financial Entities](/artifacts/eu/dora/dora-vs-nis2.md): A deep comparison of DORA and NIS2: who is in scope, what "security measures" mean, incident reporting differences, governance and enforcement posture. - [EU DORA Compliance Guide | DORA Implementation Playbook](/artifacts/eu/dora/compliance.md): A practical EU DORA compliance guide (Regulation (EU) 2022/2554): how to set up a DORA program, build an ICT risk management control baseline. - [EU DORA Deadlines & Compliance Calendar | Key Dates, RTS/ITS and Cadence](/artifacts/eu/dora/deadlines-and-compliance-calendar.md): A DORA compliance calendar for Regulation (EU) 2022/2554: publication, entry into force, application date, key RTS and ITS including 2024/2956, 2025/301. - [EU DORA Requirements | Obligations by Workstream (ICT Risk, Incidents, TLPT, Third Parties)](/artifacts/eu/dora/requirements.md): A practical breakdown of EU DORA (Regulation (EU) 2022/2554) requirements: ICT risk management framework (Chapter II). - [EU DORA Scope & Covered Entities | Who Is In Scope (Article 2)](/artifacts/eu/dora/scope-and-covered-entities.md): A practical scoping guide for EU DORA (Regulation (EU) 2022/2554): covered financial entities (Article 2), proportionality and simplified frameworks. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/dora/checklist