DORA Compliance Checklist: EU’s Regulation for Finance Vendors Explained

Cyber threats are evolving rapidly, as they are powered by technology, like everything else in our increasingly digital world. With data being the most valuable resource, it’s no wonder that governments establish ever stricter rules for ICT (Information & Communication Technology) security and data protection. The Digital Operational Resilience Act, or DORA, is the EU’s recent set of regulations for ICT risk management by financial entities.

In this DORA compliance checklist article, we will explain exactly what these security requirements are, who must comply with them, and how you can ensure that compliance, whether you run a finance-related business or are partnered with one.

The guide below, written by our testing experts with assistance from the legal department, explains the denser parts of the regulations. We wanted to ensure that people without expert-level knowledge of the legalese can understand what the law expects from them with ease. If you are looking for more detailed and personalized answers, we provide DORA compliance consulting services to help you navigate these requirements.

What Is DORA Compliance and Who Needs It

DORA is a set of regulations that covers ICT risk management (including third-party vendor interactions), operational resilience testing, and ICT incident reporting for financial entities operating in the EU. Immediately, note that various DORA metrics apply not only to EU-based financial institutions (banks, insurers, blockchain, and digital payment processing vendors), but also to those doing business with these financial entities.

Another important side note is that DORA came into force on January 16, 2023. However, the mandatory compliance period began on January 17, 2025. The point of the delay is to give financial businesses subject to this regulation time to prepare. However, according to Cisco’s Chief Privacy Officer, Harvey Jang, far from everyone is ready because the regulations are so complex. The good news is that partnering with an experienced team can help guide your business through the changes you must implement to become compliant.

For a broader understanding of the EU’s current regulations for financial entities, check out our overview of the DORA, MiCA, and DAC8. It will help you understand where your business should stand on data security when handling money in the EU.

DORA Compliance Checklist Explained Step-by-Step

First of all, let’s explain exactly what ‘DORA compliance’ entails, so that you can evaluate whether your business is compliant on every level. The term means that you can objectively demonstrate to the relevant authority and to auditors that your end-to-end operating model for digital resilience covers:

  • ICT risk management (BCP/DR, governance, controls, monitoring, policies)
  • ICT incident reporting (classification, reporting templates, regulatory timelines)
  • Digital operational resilience testing (baseline testing for all, advanced testing where applicable)
  • ICT third-party risk management (outsourcing lifecycle, contract clauses, concentration risks)
  • Information-sharing arrangements (voluntary and governed)

We’ve provided a more detailed explanation of each point in our article on DORA regulation requirements, so be sure to check it out. Below is a list of questions to help with an initial assessment of your business for DORA compliance. Answering them will help determine whether you need professional assistance for a deeper audit or automated testing.

1. Does DORA apply to our business?

Step one is to confirm whether your business or organization needs to ensure DORA compliance at all. A generalized list of financial entities DORA applies to includes:

  • Banks
  • Payment processing vendors
  • E-money vendors
  • Investment management entities
  • Insurers
  • Crypto-asset service providers
  • Intermediaries for financial operations

As mentioned earlier, DORA is exceedingly complex, so in order to be 100% sure whether it applies to your business and to what extent, you’ll have to either work through Article 2 of the regulation or consult a legal expert. This should also help you understand the proportionality of DORA’s application to your business. Simply put, the size, specialization, and areas of operation of your company will affect the extent of the controls you must implement. Think of this as scaling DevOps best practices to the system’s complexity, rather than blindly copying processes at a larger scale.

At this stage of DORA compliance verification, regulators will expect to see:

  • A documented decision that explains why you are in scope of the regulation
  • A brief explanation of how you measured the business’s size and complexity
  • Evidence that the proportionality is applied consistently

2. Who is responsible, and how do you enforce oversight?

A crucial part of meeting DORA compliance requirements is to hold senior business management directly accountable for managing technology resilience, as they would for any other major business risk. Auditors will expect to see clear documentation that outlines:

  • Who is accountable for DORA compliance management
  • Who oversees ICT risks
  • Who validates the controls independently
  • Approved ICT risk framework that defines risk appetites, acceptable downtime, and recovery thresholds
  • Clearly defined ownership of systems that support critical functions
  • DevOps performance testing workflows that ensure frequent deployments do not bypass risk oversight

3. What technology do we rely on, and what business processes rely on it?

To demonstrate your operational resilience, you must have a clear understanding of your operations. This means you must have a detailed inventory that includes:

  • Applications: core systems, SaaS solutions, internal software
  • Data stores: databases, file systems
  • Infrastructure: servers, networks, cloud resources
  • Privileged accounts: admin access
  • Dependencies: what breaks if this fails?
  • ICT services: all that support critical functions

Regulators will expect to see the complete inventory, as well as architecture and dependency diagrams and data flow maps. Overall, you need to demonstrate clear links between all systems and business functions.

4. What could go wrong, and how can we prevent it?

Your personal DORA compliance checklist must include a detailed analysis of technology risks and plans to address each point. DORA compliance requires you to assess ICT risks across four dimensions:

  • Confidentiality
  • Availability
  • Integrity
  • Authenticity

Regulators will expect you to provide specific controls for each risk scenario. Therefore, it’s essential to have a pipeline for collecting and storing concrete data, such as DevOps performance metrics and access monitoring logs. You must provide auditors with measurable evidence to prove DORA compliance.

Common metrics include:

  • System uptime
  • Mean time to recovery (MTTR)
  • Failed deployment rates
  • Backup success rates
  • Incident frequency

Setting up regular security testing will allow you to collect the relevant data and identify trends that auditors can inspect.

5. Are our controls effective in real life?

Of course, it’s essential to have policies that cover the deployment pipeline and continuous delivery alongside DevOps best practices. However, DORA compliance auditors will require not only your business documentation but also tangible proof that the ICT risk controls you use are active and effective. They will expect to see:

  • Full access control breakdown
  • Incident logging and monitoring practices (logs must be included)
  • System change management (including approval pipelines and change failure rate logs)
  • System stability, security configurations, and how they are monitored
  • Backup practices with a detailed breakdown of how backups are performed and tested
  • Continuous delivery and disaster recovery plans (including DevOps performance metrics)
  • Practical exercises carried out by the staff to demonstrate they know what to do in case of disruptions in IT performance

6. How do we detect, classify, and report incidents in a timely manner?

According to the DORA compliance checklist, it’s now essential to not only handle ICT incidents internally but also to report major cases to relevant regulators. You’ll need to show auditors that you have:

  • Clear incident severity definitions to identify ‘major’ incidents that require quick reporting
  • Automated alerting and escalation systems integrated into your software reliability assessment flows
  • Runbooks that cover incident response and regulatory reporting
  • Clearly defined pipeline of who decides whether the incident needs reporting, who reports it, and who provides any necessary approvals

7. Can we withstand real-world disruptions?

Compliance checks are good and necessary, but DORA metrics also require regular testing of your IT performance and security as a whole. The baseline testing that every business subject to DORA must undergo regularly includes:

  • Vulnerability scans
  • Configuration reviews
  • SDLC security testing
  • Incident response tabletop exercises
  • Backup restore testing

Some of the entities under DORA regulations must also undergo regular threat-led penetration testing. In order to prove to the regulators that you run a high-performing business that prioritizes security at the DORA level, you must provide them with annual testing plans, test results, and tracked remediation activities. Bear in mind that you need to design these testing plans with your deployment frequency in mind, as per DevOps best practices.

8. Do our vendors/suppliers pose additional risks?

According to the DORA metrics, ICT suppliers are a part of your risk surface. Therefore, it’s essential to manage the risk they pose and fit it into your overall digital security strategy. Here’s how you should go about it:

  • Perform due diligence and risk assessment before signing the contract.
  • Make sure the supplier/vendor is informed and agrees to comply with the necessary security and resilience requirements.
  • Organize regular performance and incident evaluations, measure risks, and adjust your interactions accordingly.
  • Ensure you can quickly switch or terminate your business relationship with the vendor without compromising your security.
  • Maintain a structured register of ICT outsourcing contracts using EU-mandated templates.

The auditors will be checking all of the above, so you must be ready to provide all the necessary documents that meet EU regulations.

9. What if our providers are classified as ‘critical’?

When you are working with ICT providers that are classified as ‘critical’ under EU regulations and oversight, you will have to ensure the following:

  • Develop a strategy and workflows for managing dependency and concentration risks.
  • Have a thorough strategy for managing your own business’s risks.
  • Present auditors with contingency and exit plans.
  • Provide clear dependency mapping, supported by explanations of why dependencies are acceptable.

10. Can we prove DORA compliance at any time?

The point of going through a DORA compliance checklist is to ensure you can prove you meet all necessary requirements in an audit. Much like continuous integration and delivery are at the core of DevOps best practices, DORA compliance is continuous as well. It means that you can’t just ensure DORA compliance once, get through an audit, and forget about it. Regular testing and adjustment must become a part of your routine. It’s just one more step in ensuring your software reliability and overall digital security.

Your goal from a compliance point of view is to ensure you maintain a solid evidence pack, ready to present to auditors at any time. It must include:

  • Control-to-requirement mapping
  • Centralized evidence repositories
  • Audit trails (logs, tickets, approvals)
  • Internal audit reviews and remediation tracking

When evaluating your business for DORA compliance, regulators will look for consistency among policies, practices, and evidence. You prove this by conducting regular testing and reviews, consistent updates, and documenting remediation activities and their results.

What If You Fail to Comply?

Going through a DORA compliance checklist is a great option to start. However, if you are serious about meeting such complex regulations, you will require professional assistance and at least a legal consultation. The penalties you might face for non-compliance will be determined by individual EU states on a case-by-case basis.

The penalties may range from administrative measures, such as public statements, to criminal charges under the national law of the EU member state. As there is no single fine or EU-wide penalty system under DORA, each breach and instance of non-compliance is investigated and penalized individually. However, one thing is for sure: this will leave a black mark on your business reputation. In the financial industry, where being reliable and unimpeachable is paramount, such a blemish can ruin a brand completely.

How QAwerk Can Help You Ensure and Maintain DORA Compliance

At QAwerk, we provide a wide range of testing services, including penetration testing and even specialized blockchain testing. Over the last decade in operation, we’ve completed over 300 projects and helped businesses from all over the world identify and remedy their vulnerabilities.

Regarding DORA compliance, our teams can guide you through:

  • Control verification and evidence engineering
  • Resilience testing
  • Incident readiness drills
  • Third-party assurance testing
  • Continuous compliance testing

We will work with you to ensure that all your defenses and reporting mechanisms are continually updated to meet the top-level standards expected of financial institutions and their partners operating in the EU. Contact us today to start your compliance journey!
