Get DORA-compliant with this actionable DORA compliance checklist for financial institutions across the EU.
The DORA (Digital Operational Resilience Act) compliance deadline has passed, meaning that as of January 17, 2025, financial institutions operating in the European Union must meet new resilience standards in full.
While many organisations began their preparations early, others are still working through the requirements. DORA introduces a new approach to risk oversight, one that focuses on stability, supplier accountability, and systemic protection across the entire financial sector.
The following DORA Compliance Checklist has been designed to simplify compliance with these new regulations and standards. The checklist offers a structured roadmap, one that reflects the regulation’s five core pillars. Whether you are revisiting your incident response plan or reviewing contracts with critical vendors, the steps outlined here will help your team move forward with confidence.
For a comprehensive discussion of the DORA regulation and a full guide to complying with it, consult our full DORA Guide.
The European financial sector is facing a worrying surge in cyber incidents, with Europe's leading financial institutions having experienced a 25% increase in third-party cyber breaches over the past year alone.
DORA was created in direct response to these growing threats. Its goal is to build resilience across all parts of the financial system. From asset managers to crowdfunding platforms, every organisation now shares responsibility for maintaining operational continuity. By introducing consistent expectations across the sector, DORA removes guesswork and promotes stronger alignment between all players involved in the industry.
DORA, or the Digital Operational Resilience Act, is a landmark EU regulation designed to fortify the European financial sector against cyber threats and IT disruptions.
Essentially, DORA acts as a unified rulebook, compelling financial entities (from banks through to insurers) to implement and follow standardised IT systems, effectively manage digital risks, and swiftly respond to security incidents.
A critical aspect of DORA is its profound emphasis on supply chain cybersecurity and the meticulous management of third-party risks. Appreciating that vulnerabilities often stem from external service providers, the Act extends its regulatory reach to encompass critical ICT third-party providers, obligating financial firms to rigorously assess and manage these relationships.
DORA doesn’t replace existing laws, but rather works alongside other key EU regulations. For instance, whereas GDPR protects personal data and the NIS2 Directive secures essential digital infrastructure, DORA sets rules for the operational resilience of financial institutions’ ICT systems, so that they are as well-equipped as possible to withstand an increasingly dangerous cybersecurity landscape.
Together, these three regulations support a more secure and consistent digital environment. By aligning with all of them, financial institutions can protect their systems, strengthen trust, and meet expectations across data privacy, system integrity, and service continuity.
DORA is built on five essential areas. Each one is designed to help financial institutions manage risk, stay operational during digital threats, and recover quickly when problems arise.
Institutions must put strong controls in place to protect their systems. This includes having a clear structure for oversight, staying alert to new threats, and regularly reviewing risk exposure.
When disruptions occur, organisations must report them quickly and clearly. This helps regulators respond early and allows the broader system to prepare for related risks.
Firms must test their ability to recover from digital incidents. These tests need to be realistic and challenging. They should reflect the types of attacks and failures that institutions are most likely to face.
DORA places significant responsibility on firms to manage their suppliers. This includes understanding what services vendors provide, monitoring how they perform, and taking action when risks appear.
DORA encourages institutions to share information about cyber threats. Sharing helps others spot similar risks early and allows the financial sector to respond more effectively as a whole.
Effective crisis response planning is an indispensable component of operational readiness for financial institutions. Firms must prepare to react swiftly and decisively when disruptions occur. This requires well-defined protocols and a trained, confident leadership team.
Financial entities should employ scenario-based training platforms to help executives and key personnel prepare for real-world incidents. These simulations provide invaluable hands-on experience, allowing teams to practice decision-making under pressure, refine communication strategies, and identify gaps in their response plans before a genuine crisis hits.
Achieving DORA compliance begins with focus. This checklist outlines the essential steps to help your organisation stay aligned, build resilience, and demonstrate readiness with confidence.
Check whether DORA applies to your organisation. This includes banks, insurers, investment firms, and ICT providers that support regulated financial services. Review the regulation and any national guidance to understand your obligations clearly.
List the services essential to your business. Identify the systems, software, and infrastructure that keep those services running. Use this list to prioritise where to focus your resilience efforts.
Review how well your current setup matches DORA’s core requirements. Look at how you manage risk, handle incidents, test your systems, oversee suppliers, and share cyber intelligence. Note where improvements are needed.
Sort your gaps by urgency and importance. Create a plan that explains what needs fixing, who is responsible, and when it will be done. Assign the resources needed to carry it through.
Make sure your internal policies support DORA’s expectations. This includes clearly defined risk limits, response procedures, and regular reviews. Keep things simple and easy to follow for your teams.
Put a clear plan in place for dealing with digital disruptions. Outline how your team will respond, who they should inform, and how incidents will be reported to regulators.
Test how your organisation would perform in the event of a disruption. Schedule regular checks and simulations. Use what you learn to strengthen your defences and improve response plans.
Keep a live list of your key technology providers. Understand what services they deliver, how important they are, and how they manage their own risks. Update contracts and agreements to reflect DORA’s expectations.
Decide how your team will stay informed about cyber threats. Set up a process to gather relevant information and share it with trusted partners when appropriate. Make sure people know where to look and who to inform.
Help leadership understand their responsibilities under DORA. Provide simple, practical training that builds awareness and supports informed decision-making.
Run scenarios that test how your team would respond to real incidents. Use the results to improve your strategy, speed up communication, and build confidence across the organisation.
Keep records of everything related to DORA compliance. This includes reports, tests, policies, and training logs. Store them securely and make sure they are easy to access during an audit.
Track your progress using clear metrics. Use dashboards to review how well your resilience efforts are working and where extra attention may be needed.
Find the common ground between DORA and other frameworks you already follow. Align your efforts to reduce complexity and build a more efficient and consistent approach.
Non-compliance with DORA brings severe consequences, primarily:
Organisations must appreciate that acting early is a critical strategic advantage, protecting their financial stability and market standing.
DORA readiness is a step towards building a secure and trustworthy digital finance environment. It is best for all involved - from organisational stakeholders to customers - that organisations across the board embrace DORA's principles to ensure business continuity and strengthen trust in the financial ecosystem. We urge you to assess your progress and take proactive steps today to build a resilient future.
For further insights into managing third-party risk and enhancing your organisation's resilience, visit Risk Ledger.
Who needs to comply with DORA?
Any financial institution or ICT provider that supports critical functions for an EU-regulated firm must comply with DORA.
When did DORA become enforceable?
The enforcement deadline passed on January 17, 2025. Supervisory authorities now expect full alignment.
Does DORA apply to firms outside the EU?
Yes. If your services support EU clients or infrastructure, you are expected to comply with DORA’s requirements.
How can Risk Ledger support DORA readiness?
Risk Ledger simplifies third-party risk management, enables continuous monitoring, and provides the collaboration tools needed to meet DORA’s expectations.