
DORA ICT Risk Checklist

Assess your institution's compliance with the Digital Operational Resilience Act (DORA). Evaluate readiness across all 5 pillars and generate a detailed gap analysis report.


5 Pillar Assessment

Risk management, incident reporting, testing, third-party risk, information sharing


Gap Analysis

Per-pillar scoring with specific DORA article references and remediation recommendations


PDF Report

Download a comprehensive compliance report for your records and stakeholders


Entity Classification

DORA applies to more than 20 categories of financial entities (listed in Article 2(1)) and to the ICT third-party service providers that serve them. Select the entity type and provide basic size information.


About the DORA ICT Risk Checklist

The Digital Operational Resilience Act (DORA) — Regulation (EU) 2022/2554 — became applicable on 17 January 2025. It requires every financial entity within its scope (Article 2) to implement comprehensive ICT risk management across five pillars: ICT risk management and governance, incident reporting, digital operational resilience testing, ICT third-party risk management, and cyber threat intelligence sharing.

This interactive checklist helps cyber insurance underwriters, risk engineers, and compliance teams evaluate an institution's DORA readiness. It covers all five pillars with questions mapped to specific DORA articles, provides per-pillar scoring, identifies compliance gaps, and generates a downloadable PDF report for documentation.

Who Should Use This Tool

  • Cyber insurance underwriters assessing DORA compliance as part of the risk evaluation of EU financial institutions
  • Risk engineers conducting pre-placement due diligence on insured financial entities
  • Compliance officers at banks, insurers, investment firms, and payment institutions benchmarking their DORA posture
  • Audit teams preparing for supervisory examinations under DORA
  • ICT third-party service providers to financial entities assessing their alignment with DORA requirements

DORA's Five Pillars Explained

Pillar 1: ICT Risk Management (Articles 5–16)

The backbone of DORA: a comprehensive ICT risk management framework, approved and overseen by the management body, covering identification, protection and prevention, detection, response and recovery, and learning and evolving. It must be documented and reviewed at least once a year (and after major incidents or supervisory findings), and integrated into the entity's overall risk management system.

Pillar 2: ICT Incident Reporting (Articles 17–23)

Mandatory reporting of major ICT-related incidents, classified against the criteria of Article 18, to the entity's competent authority, with voluntary notification of significant cyber threats. The reporting is tiered: an initial notification within 4 hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report. All three use the standardized ESA ITS templates for harmonized cross-sector reporting.

Pillar 3: Digital Operational Resilience Testing (Articles 24–27)

A proportionate testing programme covering, at least yearly, all ICT systems and applications that support critical or important functions: vulnerability assessments and scans, scenario-based tests, source code reviews, end-to-end and penetration testing, among others (Article 25). Financial entities identified as significant by their competent authority must additionally carry out Threat-Led Penetration Testing (TLPT) on live production systems at least every three years, following the ESAs' RTS aligned with the TIBER-EU framework. Testers must meet the independence and qualification requirements of Articles 26 and 27; internal testers are allowed under conditions, but every third test must be performed by an external tester.

Pillar 4: ICT Third-Party Risk Management (Articles 28–44)

Comprehensive third-party oversight: a Register of Information covering all ICT third-party contractual arrangements (Article 28), mandatory contractual provisions such as audit and access rights, service levels and exit strategies (Article 30), and assessment of ICT concentration risk (Article 29). ICT third-party providers designated as critical by the ESAs (Article 31) are placed under direct Union-level oversight by a Lead Overseer drawn from the ESAs, supported by the Oversight Forum and joint examination teams (Article 40).

Pillar 5: Information Sharing (Article 45)

Permits, but does not mandate, the exchange of cyber threat information and intelligence between financial entities within trusted communities. Such exchanges take place through information-sharing arrangements that protect the sensitive nature of what is shared, define the conditions for participation, and operate in full respect of business confidentiality, personal data protection and competition policy. Financial entities must notify their competent authority when they join or leave such an arrangement (Article 45(3)).

DORA and NIS2: Understanding the Overlap

DORA operates as lex specialis to NIS2 for the financial entities in its scope: on the matters it covers (ICT risk management, major-incident reporting, resilience testing and information sharing) its provisions apply instead of the corresponding NIS2 obligations. Major ICT-related incidents are reported once, to the entity's financial competent authority under DORA, which then forwards the details to the CSIRTs and authorities designated under NIS2 (Article 19(6)); a separate NIS2 report is not required for those incidents. NIS2 can still be relevant where an entity also carries out activities outside DORA's scope. ICT service providers to financial entities that are not themselves financial entities fall under NIS2 in their own right (for example as cloud or managed service providers) and become subject to DORA's oversight framework only if the ESAs designate them as critical ICT third-party providers under Article 31.

For a complete regulatory picture, also use our NIS2 Compliance Checker.
