Skip to main content

DORA Compliance Checklist: A CTO Companion Guide to Digital Operational Resilience Act Assessment

May 25, 2026By The CTO15 min read
...
guides

DORA compliance checklist: a CTO companion guide to Digital Operational Resilience Act assessment

📋 AssessmentFreeCompliance
DORA Compliance Checklist: A CTO Companion Guide to Digital Operational Resilience Act Assessment

DORA compliance checklist: a CTO companion guide to Digital Operational Resilience Act assessment

DORA went live on 17 January 2025, and regulators started real oversight work in 2025. Many firms also had spring 2025 deadlines to submit a Register of Information to national authorities, like 11 April in Germany and 15 April in France. Those dates forced teams to inventory vendors fast, not perfectly.

Here’s the point CTOs should care about: DORA compliance is a production capability test, not a documentation sprint. A Digital Operational Resilience Act assessment should tell you what breaks at 2 a.m., how you’ll know, and who’s on the hook to fix it.

This guide explains how to use The Art of CTO DORA Compliance tool as a working companion. It also gives a DORA compliance checklist you can run with a 10 to 100 engineer team.

Digital Operational Resilience Act assessment: what DORA is and what it asks you to prove

DORA is an EU regulation that applies to financial entities and many of their ICT providers. It requires firms to manage ICT risk, test resilience, and report major incidents on tight timelines. It also pulls third party risk into the core of the rule set. DORA is not a “best practice” guide. It’s enforceable.

DORA groups work into five pillars. Most teams already do parts of this, just not with the same evidence and governance.

  • ICT risk management: policies, controls, monitoring, and ownership.
  • ICT incident management and reporting: detection, classification, reporting, and post incident learning.
  • Digital operational resilience testing: drills, scenario tests, and in some cases threat led testing.
  • ICT third party risk management: due diligence, contracts, exit plans, and oversight.
  • Information sharing: participation in trusted sharing arrangements and playbook updates.

DORA also uses a broad definition of ICT services. One legal analysis points to DORA Article 3(21) and Recital 35 as drivers of that broad scope, which can pull many “normal” services into your inventory and contracts work. That matters for fintechs that rely on lots of SaaS tools and cloud services. See McCann FitzGerald’s DORA Digest.

A useful working definition for CTOs:

DORA compliance means you can show regulators how you prevent ICT failures, how you detect and respond to incidents, how you test recovery, and how you control vendor risk with real evidence.

That framing keeps the work grounded in systems and people, not binders.

DORA regulation requirements: scope, vendors, and the “ICT services” trap

Most Series A and Series B fintechs ask one question first: “Does DORA apply to us?” The answer depends on your license and where you operate. But the safer stance is simple: if you serve EU financial entities, DORA will reach you through contracts even if you’re not directly regulated.

Who is in scope for DORA readiness for fintech

DORA applies to EU financial entities, and it also creates direct oversight for certain critical ICT third party providers. It also pushes requirements down the supply chain through mandatory contract clauses.

A practical rule for CTOs:

  • If you are a regulated EU financial entity, you own the full program.
  • If you sell software to regulated EU financial entities, you will get DORA clauses.
  • If you run core infrastructure for those entities, expect deeper audit and testing demands.

Non EU providers can still fall into scope through service delivery to EU financial entities. One guide calls out the cross border effect with a concrete example of a Singapore cloud provider serving European clients. See Dotfile’s DORA scope discussion.

The “ICT services” definition expands your vendor list

DORA’s definition of ICT services is broad, and it includes ongoing digital and data services delivered through ICT systems. Legal commentary notes that this breadth raised concerns about over reach, since many financial services include an ICT component. See McCann FitzGerald’s DORA Digest.

For a fintech with 40 engineers, this shows up as a nasty surprise. The vendor list isn’t just AWS and your core banking partner. It’s also:

  • Customer comms: email and SMS providers.
  • Identity: KYC, AML screening, and fraud tools.
  • Data: warehouses, BI tools, and ETL.
  • Ops: paging, logging, and status page vendors.
  • Dev: CI, artifact registries, and code scanning.

The tool’s assessment should force this inventory early, because it drives every other pillar.

DORA and the UK operational resilience trend

DORA is part of a wider regulatory push on operational resilience. The UK has its own operational resilience framework, and it also created a regime for critical third party providers under the Financial Services and Markets Act 2023, effective 1 January 2025. See Symphony’s overview.

This matters for CTOs building a product across the EU and UK. You can reuse a lot of work, but you still need a gap analysis. A vendor blog notes that alignment with UK standards does not mean full DORA compliance. See N2WS on DORA requirements and alignment.

DORA compliance checklist: the CTO proof pack (what auditors and regulators will ask for)

Most teams treat DORA as a policy writing project. That falls apart the first time a real incident hits and the board asks for a timeline, impact, and proof of control.

Build a DORA Proof Pack instead. It’s a set of artifacts you can hand to a regulator, a customer auditor, or your own board risk committee without scrambling.

The DORA Proof Pack framework

Build these 10 items and keep them current. Treat them like production code.

  1. Critical services map: top customer journeys and internal services, with owners.
  2. Dependency map: systems, data stores, and vendors per critical service.
  3. RTO and RPO targets: per critical service, approved by leadership.
  4. Monitoring coverage: SLOs, alerts, and on call ownership.
  5. Incident classification rules: what counts as “major” and who decides.
  6. Reporting runbook: templates, timelines, and pre approvals.
  7. Resilience test plan: tabletop schedule, failover drills, and evidence.
  8. Third party register: contracts, sub outsourcing, and exit plans.
  9. Change control evidence: release process, approvals, and rollback.
  10. Board reporting: quarterly view of risk, incidents, and test results.

Want a fast way to start? A fintech focused roadmap suggests a two week dependency map with daily 60 minute workshops, then a one page heat map for the board. See FromCISO’s DORA roadmap.

A DORA compliance checklist you can run in 30 days

This is a practical checklist for a 10 to 100 engineer org. It assumes you have one CTO, one security lead, and a small SRE or platform function.

  • Week 1, scope and services

    • Critical services list: pick 5 to 15 services that drive customer harm.
    • Service owners: assign one accountable owner per service.
    • RTO and RPO draft: set targets and get exec sign off.

  • Week 2, dependencies and vendors

    • Dependency map: infra, data, and vendors per service.
    • Register of Information draft: vendor name, service, location, terms.
    • Sub outsourcing visibility: ask top vendors for their sub processors.

  • Week 3, incident reporting muscle

    • Major incident definition: align security, ops, and legal.
    • Reporting timeline drill: run a tabletop with a 24 hour clock.
    • Template pack: initial, interim, and final report templates.

  • Week 4, testing and governance

    • Failover drill: one real failover for one critical service.
    • Post incident review format: root cause, actions, owners, dates.
    • Board pack: one page risk view and last 90 days incidents.

This checklist lines up with industry checklists that stress cross functional ownership and the Register of Information. See Fusion’s six point DORA checkpoint and Cryptix’s structured DORA checklist.

ICT risk management EU: turning DORA into engineering work, not paperwork

DORA forces a tighter link between governance and engineering. That’s good news for CTOs, because it gives you air cover to fund reliability work that’s been sitting in the backlog for a year.

ICT risk management that works under load

A policy that says “we patch critical vulnerabilities” isn’t enough. You need proof patching happens, and you need a clear owner for every exception.

For early stage teams, the minimum viable ICT risk management system looks like this:

  • Asset inventory: cloud accounts, clusters, data stores, and endpoints.
  • Control ownership: named owners for logging, backups, IAM, and secrets.
  • Change control: release approvals for high risk systems.
  • Risk register: 20 to 50 items, each with a due date.

This is where internal tooling pays off. Many teams already track incidents and tech debt, but they don’t connect it to regulatory risk. Use Command Center to track risks, incidents, migrations, and capacity in one place, so DORA work doesn’t turn into a side spreadsheet. Link: Command Center for tech risk and incidents.

Incident reporting timelines are the real stress test

DORA incident reporting isn’t “send an email when ready.” It’s a timed workflow with handoffs, approvals, and incomplete information. That’s the hard part.

One incident reporting guide breaks it down into an initial report within 24 hours of identifying a major incident, plus interim updates, then a final report with root cause and mitigation. See Copla’s DORA incident reporting guide.

Another fintech roadmap calls out DORA Article 9 notification by the end of the next business day, with a detailed report within one month and a summary within three months. See FromCISO’s incident reporting section.

For CTOs, the key isn’t the exact hour count. The key is that your org must:

  • Detect and classify fast.
  • Gather facts without blocking engineers.
  • Get legal and comms approval without a bottleneck.

Teams that do this well run incident drills like product launches. They pre write templates, pre approve language, and pre assign roles.

If your incident process is still ad hoc, use our incident postmortem tool for blameless reviews. It gives you a repeatable format that maps cleanly to DORA’s “learn and improve” expectation.

Digital operational resilience testing that fits a 50 engineer org

DORA testing scares smaller teams because they picture expensive red team programs. In practice, you can get a long way with boring, repeatable tests and a paper trail you can show.

Start with three test types:

  • Tabletop exercises: 60 to 90 minutes, one scenario, one service.
  • Failover drills: one real failover per quarter for top services.
  • Restore tests: monthly restore of one backup set, with evidence.

Threat led penetration testing can apply to systemic entities and designated critical providers. A roadmap notes a delegated regulation that mandates annual TLPT only for those categories. See FromCISO on TLPT scope.

The leadership move here is to treat tests as sprint work with tickets, owners, and dates. Skip the slide decks. Keep the logs, screenshots, and change records.

DORA readiness for fintech: third party risk and the Register of Information

For most fintechs, third party risk is the hardest pillar. You don’t control your vendors, but you still own the outcome. That’s the deal.

Build the Register of Information like a product

DORA requires a detailed inventory of contractual arrangements with ICT providers, with special focus on critical or important functions. Fusion lists the core fields: provider name and role, service and criticality, location of processing, sub outsourcing, and contract dates and termination clauses. See Fusion on the Register of Information.

A practical build plan:

  • Data model: one row per contract, not per vendor.
  • Criticality tag: critical, important, non critical.
  • Service mapping: link each contract to critical services.
  • Evidence links: store the contract, SOC reports, and pen test letters.

Some national authorities set early deadlines for collecting this register before sending it to the European Supervisory Authorities. One analysis lists examples like 11 April in Germany and 15 April in France, with ESAs expecting national authority reporting by 30 April 2025. See QuoIntelligence on RoI deadlines.

Even if those dates have passed for your firm, the operating model stays the same. Keep the register current, or it becomes fiction.

Contract clauses that matter in real outages

DORA pushes specific clauses into vendor contracts. CTOs should care about three, because they decide whether you can recover:

  • Audit and access rights: you can inspect controls and get evidence.
  • Incident notification: vendor must notify you fast, with facts.
  • Exit and portability: you can leave without a multi month freeze.

This is where our Build vs Buy Matrix for vendor decisions helps. It forces you to score vendors on exit cost and control, not just features.

A decision matrix for “critical ICT provider” posture

Use this simple matrix to decide how hard to push on a vendor.

Vendor supports a critical serviceVendor has no viable substitute in 90 daysYour stanceWhat you ask for
YesYesTreat as criticalAudit rights, tested DR, sub outsourcing list, exit plan
YesNoTreat as importantIncident SLA, evidence pack, annual failover evidence
NoYesReduce dependencyMigration plan, contract term limits
NoNoStandard controlsBasic security review, incident notice clause

This matrix is link worthy because it turns “TPRM” into a concrete procurement posture.

Enterprise implications for early stage CTOs

DORA sounds like a big bank problem. It isn’t. It changes sales cycles, architecture, and hiring plans for startups selling into finance.

  1. Sales friction becomes technical debt. Enterprise buyers will ask for your RoI fields, incident timelines, and test evidence. If you can’t answer in one week, deals stall.

  2. Shadow dependencies become board risk. A single “small” SaaS tool can sit on a critical path, like KYC screening or customer comms. DORA’s broad ICT services scope makes that visible, and regulators can treat it as a control gap.

  3. Incident response becomes a cross functional sport. DORA reporting timelines force legal, comms, security, and engineering to run one playbook. If those teams don’t practice together, the first major incident turns into chaos.

  4. Vendor management becomes an engineering concern. CTOs will spend time on contracts, exit plans, and audit evidence. That’s not fun, but it prevents outages and lock in.

Regulators also have real enforcement powers. One legal update notes that the Central Bank of Ireland can impose sanctions, including orders to cease conduct that breaches DORA and to stop repeating it. See McCann FitzGerald on CBI powers and sanctions.

CTO recommendations: how to use the DORA Compliance tool to drive real readiness

The tool shouldn’t be a one time quiz. Treat it like a quarterly operating review.

Immediate actions

  1. Run the assessment with a cross functional group. Include engineering, security, ops, legal, and a business owner. Fusion stresses that DORA spans multiple domains, so siloed work fails. See Fusion on cross functional DORA work.

  2. Pick 5 to 15 critical services. Tie each to a customer harm story, like “payments delayed for 2 hours.” Put an owner next to each.

  3. Create a two week dependency map sprint. Use workshops and a one page heat map for leadership review, as described in FromCISO’s quick win plan.

  4. Run one incident reporting drill with a 24 hour clock. Use the reporting steps from Copla’s guide. Time the handoffs and capture blockers.

Policy framework

  1. Board accountability model. DORA pushes accountability up. Create a quarterly risk review with metrics: incidents, test results, vendor changes.

  2. Evidence over statements. Every policy line needs a linked artifact. Example: “Backups are tested monthly” links to restore logs and tickets.

  3. Vendor contract baseline. Maintain a standard DORA addendum for incident notice, audit rights, and exit terms.

Architecture principles

  1. Service ownership. One team owns one service end to end, including on call. This is the only way to hit reporting timelines.

  2. Dependency transparency. Every critical service has a living map. Store it in your architecture docs. Use our ArchiMate modeling guide and tool to keep maps consistent across teams.

  3. Measurable resilience targets. Define RTO and RPO per service, then test them. Track the results like DORA metrics.

  4. Operational metrics that match resilience. Use DORA and SRE metrics together. Our Engineering Metrics Dashboard for DORA and delivery metrics helps teams track lead time, change failure rate, and recovery time alongside resilience work.

Bigger picture: DORA is a forcing function for better engineering leadership

DORA sits inside a global trend. The EU set a binding rule set for digital resilience, and the UK set direct oversight for critical third parties. That trend will spread to other regions and sectors. CTOs who build the muscle now will ship faster later, because they’ll trust their systems under stress.

The trap is “paper compliance.” It looks good in a folder, and it collapses during a real outage. The fix is to treat DORA as a product: clear owners, tested workflows, and evidence you can produce in hours.

What happens if your largest bank customer asks for your incident reporting evidence tomorrow, and you can’t produce it by end of day?

You lose the deal, and you learn the hard way that resilience is part of the product.

Use the tool: DORA Compliance assessment

Sources

  1. McCann FitzGerald, DORA Digest: Key developments during January to March 2025
  2. N2WS, DORA Regulation: Requirements, Penalties & Compliance (2025)
  3. Dotfile, DORA Compliance Requirements for Financial Institutions (2025 guide)
  4. Symphony, DORA: What the EU regulation means for the financial sector
  5. Fusion, DORA Mid-Year Checkpoint: Your Six-Point Checklist
  6. Cryptix, Full DORA Compliance Checklist (Updated for 2026)
  7. FromCISO, DORA Compliance Roadmap: 5-Step Plan for Fintech CTOs
  8. Copla, DORA incident reporting and management guide
  9. QuoIntelligence, DORA Explained: Scope, Requirements, Enforcement, and Next Deadlines

Related Content

The Monolith Decision

You're the incoming CTO of FinScale, a Series B fintech processing $2M in daily transactions. The monolith is cracking under 10x growth pressure. You have a weekend to choose a strategy.

Read more →

AI Is Entering Its “Production Optimization” Phase: Faster Inference, Clearer Patterns, Stronger Governance

AI is moving from experimentation to production optimization: teams are simultaneously optimizing inference throughput, standardizing AI-enabled engineering workflows, and choosing between RAG and...

Read more →

From AI Demos to Real-Time Agentic Platforms: Streaming + Vector Search + Governance Become One Stack

AI delivery is shifting from isolated copilots to always-on, real-time, governed “agentic + RAG” systems—forcing CTOs to treat data streaming, vector search, schema governance, and automated security...

Read more →

AI Productivity Is Outrunning Governance: Why CTOs Need Faster Decision Loops (and Stronger Guardrails)

AI adoption is outpacing organizational control systems: productivity is rising quickly, but management processes, architecture governance, and security practices are struggling to keep up—forcing...

Read more →

From LLM Demos to Governed Agents: Why Data Portability and Tool Access Just Became Platform Work

AI systems are shifting from “LLM demos” to governed, tool-using agents and real-time ML operating on interoperable data layers.

Read more →