DORA Compliance Checklist: What Financial Services Firms Must Do in 2025–2026
A practical DORA compliance checklist: what the EU Digital Operational Resilience Act requires, who it applies to, and the steps to take now.
HubSecure is relevant when teams need secure client records, document collection, workflow ownership, role-based access and audit-ready evidence in one governed workspace.
Introduction: What is the EU Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act (DORA) represents a landmark regulatory framework introduced by the European Union to standardize and elevate the digital operational resilience of the financial sector. As financial services become increasingly reliant on digital infrastructure, cloud computing, and complex software ecosystems, the attack surface for cyber threats has expanded exponentially. DORA is designed to address this by ensuring that financial entities and their critical Information and Communications Technology (ICT) third-party service providers can withstand, respond to, and recover from all types of ICT-related disruptions and threats. For Chief Technology Officers, Chief Information Security Officers, and compliance officers, DORA is not just another compliance checkbox; it is a fundamental shift in how financial institutions must govern, manage, and test their technology stacks. Taking effect in January 2025, DORA replaces a fragmented landscape of national guidelines with a unified, prescriptive set of rules, demanding immediate strategic attention and operational execution.
Who Must Comply with DORA?
DORA applies broadly across the financial value chain. Unlike previous directives that left gaps regarding third-party vendors, DORA explicitly casts a wide net to ensure the entire ecosystem is secure. If your organization falls into any of the following categories, you are required to achieve and maintain DORA compliance:
- Credit Institutions: Traditional banks, credit unions, and lending institutions operating within the EU.
- Investment Firms: Brokerages, portfolio managers, and entities executing financial transactions.
- Insurance and Reinsurance Undertakings: Providers of insurance products, including insurance intermediaries.
- Crypto-Asset Service Providers (CASPs): Exchanges, wallet providers, and custodians operating within the cryptocurrency space under MiCA regulations.
- Payment Institutions: Payment gateways, money transfer services, and e-money issuers.
- Fintech Platforms: Innovative financial technology firms providing outsourced technology services to regulated entities.
- ICT Third-Party Providers: Managed service providers, data analytics firms, and core banking software providers serving the financial sector.
- Cloud Providers Serving the Financial Sector: Major hyperscalers and specialized cloud service providers hosting sensitive financial data or critical infrastructure.
The 5 Core Pillars of DORA Compliance
To achieve full DORA compliance, organizations must structure their cybersecurity and operational resilience strategies around five distinct pillars. Each pillar addresses a specific vulnerability in the digital operational lifecycle.
1. ICT Risk Management
DORA requires financial entities to implement a comprehensive, enterprise-wide ICT risk management framework. This is the foundation of operational resilience, demanding that security is baked into the organizational structure rather than siloed within IT departments. Governance and accountability must be established at the board level.
- Establish a dedicated internal ICT risk management function with sufficient authority, resources, and independence to enforce policies.
- Define clear roles, responsibilities, and accountability structures for the board of directors and senior management regarding ICT risk.
- Implement comprehensive business continuity and disaster recovery policies that guarantee critical functions remain operational during a major cyber event.
- Maintain an up-to-date mapping of all critical business functions, underlying data flows, and supporting ICT assets.
- Conduct regular internal audits specifically focused on the effectiveness of the ICT risk management framework.
2. ICT Incident Reporting
Under DORA, the rules for reporting cyber incidents are strictly standardized. Financial entities must establish rigorous detection, classification, and reporting mechanisms to ensure competent authorities are kept informed of major disruptions in a timely manner.
- Develop and document a strict incident classification system based on the severity criteria and templates outlined in the Regulatory Technical Standards (RTS).
- Establish secure communication channels to submit initial incident reports to the relevant competent authority within four hours of classification.
- Utilize mandatory, standardized incident reporting templates for submitting intermediate updates and final comprehensive reports.
- Implement an automated threat detection system to identify anomalous behaviors that could indicate an unclassified or ongoing ICT-related incident.
- Establish clear communication protocols to inform clients, counterparts, and the public when a severe incident affects their data or service availability.
3. Digital Operational Resilience Testing
DORA mandates that theoretical security frameworks be continuously validated through rigorous, real-world testing. Financial entities must regularly assess their defenses, with the most stringent requirements placed on systemically important institutions.
- Conduct continuous vulnerability assessments and automated open-source analyses to identify weaknesses in code and infrastructure.
- Perform scenario-based testing for network security, physical security, end-to-end encryption, and social engineering attacks.
- Execute advanced Threat-Led Penetration Testing (TLPT) at least every three years, mandated primarily for major, systemic firms.
- Ensure that the board of directors actively reviews the results of resilience testing and signs off on subsequent remediation strategies.
- Engage independent, qualified external parties to conduct or audit TLPT exercises to ensure objectivity and regulatory compliance.
4. ICT Third-Party Risk Management
Supply chain attacks are a primary vector for cyber threats. DORA tackles this head-on by enforcing strict oversight over all third-party technology providers. Financial entities must maintain visibility and control over their extended digital supply chain.
- Maintain a comprehensive, up-to-date Register of Information detailing all ICT third-party service providers, their specific functions, and associated risks.
- Negotiate and embed specific contractual requirements that grant audit rights, data access guarantees, and assurance of regulatory compliance from vendors.
- Develop concrete, documented, and tested exit strategies for all critical ICT third-party providers to prevent vendor lock-in and ensure business continuity.
- Assess, monitor, and mitigate concentration risk, particularly when relying heavily on a single cloud provider serving the financial sector.
- Conduct strict pre-contractual due diligence to assess the cybersecurity posture and operational resilience capabilities of all prospective ICT vendors.
5. Information Sharing
DORA encourages a collaborative approach to cybersecurity. By