DORA 2025 Compliance Readiness Checklist
Testing/resilience must be operationalised: It’s not enough to have policies; you’ll need to design and oversee real-world testing scenarios (e.g., cyber-attack simulation, system failure).

Who and What is in Scope
- Applies to a broad range of financial entities: banks, insurers, payment institutions, investment firms, crypto-asset service providers, etc. (PwC)
- Also covers ICT third-party service providers (including those outside the EU) when they supply critical or important functions to covered financial entities. (Digital Operational Resilience Act)
- Applies to more than 22,000 entities in the EU, according to one estimate. (PwC)
- Proportionality principle: requirements may be simplified for smaller entities depending on size, nature and risk profile. (Wikipedia)
Key Obligations / Pillars
Here are the core pillars of DORA with the implications you’ll want to watch from a change delivery / product / operational risk perspective:
- ICT Risk Management
- Entities must implement an ICT risk-management framework covering identification, protection, detection, response and recovery from ICT risks. (Baker McKenzie)
- Risk management must be documented and embedded in governance structures. (DLA Piper)
- Simplified frameworks may apply for smaller entities under proportionality. (Wikipedia)
- Incident Management, Classification & Reporting
- Major ICT-related incidents must be classified and reported within defined timeframes. (Mayer Brown)
- Firms must have processes to detect, manage and recover from incidents. (Central Bank of Ireland)
- Digital Operational Resilience Testing
- Regular resilience testing is required, including threat-led penetration testing where applicable. (Baker McKenzie)
- Testing must be integrated into the risk management framework. (DLA Piper)
- ICT Third-Party Risk Management
- Outsourcing requires due diligence, monitoring, and contractual safeguards. (PwC)
- Critical ICT providers may be directly supervised at EU level. (Digital Operational Resilience Act)
- Information-Sharing Arrangements
- Entities are encouraged to share cyber threat intelligence and vulnerability information. (EIOPA)
Why This Matters for You (Financial / Product / Change Roles)
Given your background in financial services, change programmes and product oversight, DORA has direct operational implications:
- Organisations will need gap analyses of ICT resilience, third-party dependencies, and incident reporting frameworks.
- DORA requirements must be embedded into product lifecycles, vendor management, and change governance.
- Third-party risk becomes a formalised, continuously monitored control area across all ICT suppliers.
- Resilience testing must move from policy to real operational simulation (cyber attacks, system failures, etc.).
- Incident detection and reporting processes must be structured, auditable, and aligned to regulatory timelines.
- UK-based firms with EU exposure or EU-based vendors will still be impacted due to cross-border operational dependencies.
Key Timelines
- Application date: 17 January 2025 — firms must be compliant from this point. (Central Bank of Ireland)
- Supporting technical standards (RTS/ITS) continue to shape implementation requirements.
- UK regulatory frameworks are aligning in parallel, especially around third-party risk and operational incident reporting.
Risks, Challenges & Strategic Opportunities
- Risk: Regulatory penalties, supervisory scrutiny, and operational disruption from non-compliance.
- Challenge: Legacy systems, fragmented data, and complex vendor ecosystems make implementation difficult.
- Challenge: Ensuring consistent incident classification and reporting across large organisations.
- Opportunity: Building mature operational resilience capabilities strengthens regulatory posture and business continuity.
- Opportunity: Strong DORA implementation can become a competitive differentiator in regulated markets.

