DORA Compliance Checklist Template

It depends on your regulatory status. DORA applies to all EU-regulated financial entities, including payment institutions, e-money institutions, and crypto-asset service providers. If you hold an EU financial license, DORA applies. If you are a technology provider to regulated entities, DORA's third-party risk requirements affect you indirectly through contractual obligations. Microenterprises (fewer than 10 employees, turnover under 2 million euros) have lighter requirements: they are exempt from advanced resilience testing and some governance obligations.

DORA is a directly applicable EU regulation, meaning it has the same legal force across all 27 member states without national transposition. Previous ICT risk requirements (EBA Guidelines on ICT and Security Risk Management, PSD2 operational resilience requirements) were guidelines or directive-based, leading to fragmented implementation. DORA harmonizes and raises the bar. It also introduces the oversight framework for critical ICT third-party providers, which is entirely new.

DORA is a sector-specific regulation for financial services. NIS2 is a broader cybersecurity directive covering essential and important entities across multiple sectors. For financial entities, DORA is the primary framework (DORA is "lex specialis" over NIS2). However, if your organization operates across sectors (e.g., a conglomerate with financial and non-financial subsidiaries), you may need to comply with both. The key difference: DORA's incident reporting timelines (4 hours initial, 72 hours intermediate) are tighter than NIS2's 24-hour initial notification.

Start with the third-party risk register. Financial supervisors have indicated that third-party oversight will be an early enforcement focus. Second priority is incident reporting. The 4-hour notification window for major incidents means your detection and escalation processes must work smoothly under pressure. Third, address resilience testing gaps. TLPT has a 3-year cycle, so plan the first test well in advance. For frameworks on prioritizing compliance alongside feature work, the [RICE prioritization framework](/frameworks/rice-framework) helps score competing initiatives.

DORA enforcement is handled by national competent authorities (financial supervisors in each EU member state), not a single EU body. Penalties vary by member state but include fines, remediation orders, and in severe cases, license restrictions. The oversight framework for critical ICT third-party providers allows the lead overseer to impose periodic penalty payments of up to 1% of average daily worldwide turnover until compliance is achieved. ---