DORA Compliance Checklist: a Guide to Meeting the Most Important FinTech Regulation of 2025

Helping you comply with the Digital Operational Resilience Act (DORA), a mandatory cybersecurity regulation for financial organizations, now becomes a critical part of FinTech software development and maintenance.

You must be DORA-ready in January 2025 and ensure that so are your business partners and critical service suppliers. Let’s dive deep into details and analyze how the need for DORA compliance can affect your tech processes and what important aspects you should keep in mind to meet its stringent requirements. 

DORA (Digital Operational Resilience Act) is a regulatory framework established by the European Union to enhance the resilience to operational disruptions of its financial organizations, such as banks, investment and insurance companies, credit rating bureaus, and others. 

Also, the DORA framework harmonizes the rules already in place in the EU member states by eliminating gaps, overlaps, and conflicts between disparate regulations.

DORA has come a long way from a FinTech action plan first proposed in 2018 to a mandatory framework adopted in November 2022 and entered into force on January 16, 2023.

After DORA’s successful passage, a two-year transition period was started with a deadline of January 17, 2025, when financial organizations across the EU must reach compliance or face legal action if failing to comply.

The two key goals of DORA include:

DORA’s implementation aims to overcome the following challenges:

DORA is required for all financial organizations operating in the EU, both traditional and newly emerged. The key types of financial entities include:

More importantly, DORA also applies to ICT providers. Their designation will be based on several factors. In contrast, significant factors will include the systemic impact of a provider’s failure on a financial entity’s resilience and the systemic importance of such an economic entity.

The main sanctions will include:

For financial institutions: imposed fines can reach up to 2% of their annual global revenues. Individuals responsible for breaches within the financial entity can face a fine of up to 1,000,000 euros. 

For ICT providers: competent authorities can fine them 1% of their average daily worldwide revenue in the previous year, which they can fine every day for up to six months until the provider meets compliance.

For IT firms deemed “critical”: systemic IT companies could end up paying fines of up to 5,000,000 euros, while individual responsible managers could be imposed fines of up to 500,000 euros.

Moreover, each member state can decide on specific penalties for failing to meet DORA compliance. In some cases, criminal penalties can also be possible when those are subject under a member state’s national law. Competent authorities should receive the necessary powers and cooperate with other authorities on the case.

Significantly.

Financial organizations will need to reconsider all aspects of their operations: processes, people, and technologies to ensure successful DORA compliance, risk management, and effective withstanding/recovery from incidents.

The scope of required changes can be high as your organization must establish and implement comprehensive risk and incident management policies. It must also assess service providers and their DORA compliance and amend contractual closes related to security measures.

On a better note, DORA provides an opportunity to introduce long-awaited process enhancements and increase your business’s overall reliability, which can help you win customers’ trust and a different market position in a highly competitive business environment.

DORA compliance requirements help financial organizations prepare for unforeseen challenges while ensuring that their business partners and suppliers adhere to high security standards, too. It covers six essential areas, encouraging organizations to audit, manage, and increase their risk tolerance proactively:

Financial organizations must create comprehensive frameworks for risk management. Those can be different for various entities based on their size, nature, process complexity, and facing risks. 

They must develop, document, and implement ICT security procedures covering specific technical aspects across all software lifecycle stages. Organizations must also audit processes and procedures regularly.

Financial organizations’ management becomes responsible for risks associated with third-party service providers that support critical functions. They must create a policy on assessing and managing a suitable service provider and cover specific compliance requirements in a contract agreement.

Financial organizations must evaluate their security strength and identify vulnerabilities. They must conduct scenario-based security and penetration testing once a year and require ICT providers to participate in such testing.

Financial instructions critical for the EU financial system will also have to complete threat-led penetration testing every three years.

DORA provides incident reporting requirements, obliging financial organizations to notify competent authorities of major security incidents. Also, organizations may need to notify affected clients and partners, ensuring that the provided information covers all relevant details.

DORA also sets a framework for volunteering knowledge and intelligence sharing on cyber threats and incidents, which helps organizations learn from each other experiences. 

Financial organizations must assign ICT management responsibilities to senior managers and executive leaders who become accountable for risk management strategies and their execution. 

Also, organizations must establish an oversight framework for third-party ICT providers and monitor their compliance.

The following points on your DORA compliance checklist can help you increase the resilience of your digital system and meet the DORA regulation successfully:

DORA standards foresee certain flexibility, and financial organizations can use already existing policies, tools, documents, and procedures to eliminate double work.

Moreover, ICT security procedures are required only for essential elements. This is why the scope of work financial organizations must complete may vary based on their impact on the financial system, software size and complexity, user data, available contractual agreements with third-party IT service providers, and security practices already in place.

Gaps can be assessed and documented as part of the system audit alongside scope and requirements estimate. 

An organization must examine different aspects of software and infrastructure implementation and focus on the risk-based approach to such elements as:

Also, organizations must include encryption and cryptographic controls in policy while regularly auditing and enhancing cryptographic technology to ensure system resilience against cyberattacks.

Similar to other security regulations and frameworks, DORA requires the top management to assign responsibilities for all ICT-related functions to an accountable person at the executive level, preferably a C-level individual. 

Although specific skills and expertise are required from responsible authorities rather than the staff working at a financial organization, financial organizations need to initiate security training for their personnel to ensure employees know how to ensure operational resilience.

The responsible team needs to develop a remediation plan, including:

The team can also incorporate the remediation plan into the existing digital transformation roadmap to eliminate unnecessary planning complexity.

Financial organizations must assess third-party providers based on their impact on:

The critical service providers become subject to overseeing and must adopt DORA. 

Moreover, financial organizations must review software packages they integrate and third-party source code on vulnerabilities and security threats when those are critical for secure, uninterrupted operations.

Threat-led penetration testing (TLPT) can be large in scope and requires checking the entire organization against contemporary cyber threats, taking technical aspects, procedures, and people into account.

On the bright side, testing should be proportionate to the size, business, and risks; an internal testing team can complete it. Only certain institutions will be required to contract third-party testers for TLPT once every three years.

Organizations must establish processes for detecting, recording, and managing incidents and cyber threats in an incident response plan, including: 

Ongoing ICT monitoring is required to timely detect security risks, such as:

Financial organizations must classify and document all security-related aspects, such as:

Organizations must regularly update documents as part of compliance requirements.

Financial organizations can participate in information-sharing initiatives to prepare for emerging threats and access the industry’s best practices. At the same time, organizations need to meet existing frameworks and regulations while participating, e.g., depersonalize any data before sharing to ensure GDPR compliance.

Now, let’s divide the DORA compliance checklist into implementation steps:

You need to review DORA compliance requirements and accompanying guidelines to determine which articles and standards apply to your system and to what extent. At this step, you should assign roles and responsibilities and ensure transparent communication between participants.

The compliance team needs to understand what security measures and policies are already implemented on the project, dividing the available scope into three categories:

You must document all details of your implementation plan, including:

Ensure that plan is available to all members of the compliance team, and you can update it flexibly if something changes.

The next step is focusing on practical activities:

Because completing the entire scope in one take is impossible, you should prioritize tasks based on their criticality for meeting compliance.

When the system is up and running, constant monitoring of potential threats and vulnerabilities based on uniform processes and procedures is necessary. The monitoring team should also assess third-party risks and record all ICT incidents.

Your organization needs to perform comprehensive security testing and audits regularly to ensure your software system remains secure and resilient against known and unknown threats.

Enhancing knowledge acquisition and sharing for employees responsible for DORA compliance monitoring is crucial. Provide access to necessary security training and discussions on security challenges to ensure that single team members understand security risks and how to minimize them.

IT Craft prioritizes software security on its FinTech projects and is here to help you prepare for the technical side of DORA compliance. We can provide different services to help you identify gaps, map out and implement improvements, or monitor your DORA-compliant software.

Our services aimed at meeting your unique business challenges and project requirements include:

Our company can help you determine a specific combination of the required actions based on the details of your request and deliver any tech help across the entire software development lifecycle.

Limpid Markets is a web solution that helps leading banking institutions, such as Morgan Stanley, Deutsche Bank, and BNP Paribas, decrease the communication time needed to exchange pricing information on precious metals.

The client had an up-and-running system and required a team capable of its maintenance and expansion while adhering to high coding standards.

IT Craft developers took over the client’s software after successfully completing the initial pilot task. They helped the client with seamless 24/7 operations across all time zones and added features that end users required.

Meeting DORA standards will help you enhance software security and resilience, and can be an effective response to growing cyber threats and challenges.

It helps you create a holistic approach to software development, maintenance, and management of third-party service providers/components and lets you minimize security incidents and related penalties.

Ultimately, an increased security level will help you win business partners’ and customers’ trust in your financial services and a better market position.