
DORA Compliance Checklist for Fintechs

3 min read · Updated 24 June 2026

DORA — the Digital Operational Resilience Act — has applied to financial entities in the EU since 17 January 2025. For fintech companies, the obligations are substantial: a structured ICT risk framework, a third-party register, incident reporting timelines, and resilience testing requirements. The checklist below covers what fintechs need to have in place.


Who Must Comply with DORA

DORA applies to a wide range of financial entities:

  • Credit institutions (banks)
  • Payment institutions
  • E-money institutions
  • Investment firms
  • Insurance and reinsurance undertakings
  • Crypto-asset service providers
  • Fund managers (AIFMs, UCITS management companies)
  • Trading venues and clearing houses
  • Data reporting service providers

For most fintech companies: if you hold a financial services licence or authorisation in an EU member state, DORA applies to you. An unlicensed fintech that only supplies ICT services to regulated entities is not directly in scope, but its regulated customers must push the Article 30 contract terms onto it, and large providers can be designated critical ICT third-party providers and placed under ESA oversight.

Proportionality: DORA applies its requirements in proportion to an entity's size, risk profile and the criticality of its services. Microenterprises (as defined in DORA) and certain small entities, such as small and non-interconnected investment firms and payment or e-money institutions that are exempted under their sectoral directives, get lighter obligations, including the simplified ICT risk management framework in Article 16. But "simplified" still means a lighter version of the framework, not an exemption.


DORA Compliance Checklist

ICT Risk Management Framework

  • ICT risk management framework documented and board-approved
  • ICT risk inventory identifying all critical systems and dependencies
  • Risk assessment methodology defined and applied
  • ICT assets classified by criticality
  • Risk treatment plan with controls for each identified risk
  • Annual review of the ICT risk framework
  • Named individual(s) responsible for ICT risk

Protection Measures

  • Information security policies covering all DORA Article 9 requirements
  • Network segmentation and access controls based on least privilege
  • Strong authentication mechanisms (Article 9): multi-factor authentication at minimum for privileged, remote and administrative access, and for any system whose risk assessment warrants it
  • Encryption at rest and in transit
  • Patch management programme with defined SLAs
  • Anti-malware and endpoint protection
  • Data loss prevention controls

Detection Capabilities

  • Security monitoring covering all critical ICT systems
  • SIEM or log management system in place
  • Alert thresholds configured and tested
  • Anomaly detection for account access and data movement

Business Continuity and Recovery

  • Business continuity plan for ICT disruptions
  • Recovery time objectives (RTOs) and recovery point objectives (RPOs) defined
  • Backup strategy covering all critical data
  • Backups tested — documented results
  • Disaster recovery plan documented and tested
  • Crisis communication procedure for extended outages

ICT-Related Incident Management

  • Incident classification criteria defined (major incident under DORA Article 18)
  • Incident management procedure documented
  • Initial notification to the competent authority within 4 hours of classifying an incident as major, and in any case no later than 24 hours after becoming aware of the incident
  • Intermediate report within 72 hours of submitting the initial notification
  • Final report within one month of submitting the (latest) intermediate report
  • Incident log maintained
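The three reporting clocks above start from different events, and the initial one has two competing limits (4 hours from classification, capped at 24 hours from awareness), so the deadline an incident manager must work to is not obvious from a glance at the timestamps. The calculator below is an added example, not code from the page or from ComplyOne; it assumes UTC timestamps and that the downstream clocks run from the actual submission time of the previous report where one is known, otherwise from that report's deadline. The one-month final deadline is taken as a calendar month with month-end clamping, which is an assumption about how the period is counted. Working-day extensions for weekends and public holidays are deliberately not modelled.

```python
"""Deadline calculator for DORA major-incident reporting (Article 19 timelines).

Added illustration, not part of the original page. Assumptions:
  * all timestamps are timezone-aware UTC datetimes;
  * the 72-hour and one-month clocks run from the actual submission of the
    previous report when known, otherwise from that report's deadline;
  * "one month" is a calendar month, clamped to the last day of a short month.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Convenience constructor for UTC timestamps used in examples and tests."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ReportingDeadlines:
    initial: datetime       # initial notification due
    intermediate: datetime  # intermediate report due
    final: datetime         # final report due


def add_months(when: datetime, months: int) -> datetime:
    """Add calendar months, clamping the day to the target month's length
    (31 January + 1 month -> 28/29 February)."""
    month_index = when.month - 1 + months
    year = when.year + month_index // 12
    month = month_index % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def initial_deadline(aware_at: datetime, classified_at: datetime) -> datetime:
    """4 hours from classification as major, but never later than
    24 hours from the moment the entity became aware of the incident."""
    if classified_at < aware_at:
        raise ValueError("incident cannot be classified before it is detected")
    return min(classified_at + timedelta(hours=4), aware_at + timedelta(hours=24))


def compute_deadlines(
    aware_at: datetime,
    classified_at: datetime,
    initial_submitted_at: Optional[datetime] = None,
    intermediate_submitted_at: Optional[datetime] = None,
) -> ReportingDeadlines:
    """Derive all three deadlines. Later clocks are chained from the actual
    submission of the previous report when that time is known."""
    initial = initial_deadline(aware_at, classified_at)
    intermediate = (initial_submitted_at or initial) + timedelta(hours=72)
    final = add_months(intermediate_submitted_at or intermediate, 1)
    return ReportingDeadlines(initial, intermediate, final)


def is_late(submitted_at: datetime, deadline: datetime) -> bool:
    """True when a report was filed after its deadline."""
    return submitted_at > deadline


if __name__ == "__main__":
    # Constructed scenario: slow classification, so the 24-hour cap bites.
    aware = utc(2025, 3, 1, 8, 0)
    classified = utc(2025, 3, 2, 6, 0)  # 22 h after detection
    d = compute_deadlines(aware, classified)
    print("initial due     ", d.initial.isoformat())
    print("intermediate due", d.intermediate.isoformat())
    print("final due       ", d.final.isoformat())
    print("late?", is_late(utc(2025, 3, 2, 9, 30), d.initial))
```

Wire a calculator like this into the incident procedure at the moment an incident is classified as major, so the initial-notification owner sees a concrete due time rather than a rule to interpret under pressure.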

ICT Third-Party Risk Management

  • ICT third-party register (Register of Information) complete and current
  • Critical ICT third-party service providers identified
  • Pre-contract due diligence for all new ICT vendors
  • Risk assessment for each critical provider
  • Exit strategies documented for critical providers
  • Annual review of critical third-party providers

Third-Party Contractual Requirements

  • Contracts with all critical ICT third-party providers include DORA Article 30 minimum provisions
  • Service level agreements aligned with DORA requirements
  • Incident notification clauses in all critical provider contracts
  • Audit rights in contracts with critical providers

Digital Operational Resilience Testing

  • Basic resilience testing programme in place (vulnerability assessments, penetration testing)
  • ICT systems and applications supporting critical or important functions tested at least yearly (Article 24)
  • For entities designated by their competent authority: TLPT (Threat-Led Penetration Testing) at least every three years (Article 26); assess whether you qualify
  • Test results documented and remediation tracked

Governance

  • Management body (board) has approved the ICT risk framework
  • Board receives regular ICT risk reports
  • DORA compliance owner designated
  • Staff training on ICT security awareness completed in last 12 months

Key Deadlines and Ongoing Obligations

17 January 2025: DORA applies in full (it entered into force on 16 January 2023, with a two-year application period). All requirements above are live obligations.

Ongoing: Annual review and testing. Register of Information kept current. Incident reports filed as required.

ICT third-party register submission: the Register of Information must be made available to your competent authority on request, and competent authorities collect it from financial entities in the ESA-defined template format (first collection in 2025). Keep it maintained and accurate, with new arrangements added as they are signed rather than reconstructed at collection time.

ComplyOne maps your DORA obligations, tracks your readiness across all five pillars, and maintains your audit evidence.

Run your DORA compliance check →