DORA Compliance Checklist

In navigating the dynamic landscape of the financial sector, the Digital Operational Resilience Act
(DORA) stands as a critical guidepost, shaping the operational resilience journey for organizations. To
empower your organization in achieving and sustaining DORA compliance, this comprehensive
checklist has been crafted and serves as a strategic roadmap.

Each element is meticulously designed to guide your organization through the nuanced landscape of
DORA, fostering not only compliance but also the establishment of a robust and adaptive operational
resilience framework.

Understanding and Compliance with DORA Regulations

Determine DORA jurisdiction: Identify if your organization falls within the scope of the DORA
jurisdiction and discern specific requirements.
Develop Resilience Strategy: Formulate a digital operational resilience strategy aligned with
DORA regulations.
Regularly Review Requirements: Stay updated on DORA requirements, ensuring continuous
understanding and compliance.

Risk Assessment and Management

Strengthen Information Security: Reinforce information security measures, encompassing
access controls, encryption, secure coding, and data protection.
Conduct Risk Assessment: Evaluate potential risks and vulnerabilities in your ICT systems,
addressing internal and external threats.
Manage Third-Party Risk: Assess third-party suppliers for resilience and security in alignment
with DORA requirements.
Identify and Secure ICT Assets: Implement measures to identify and secure ICT assets according
to DORA regulations.
Utilize Automated Solutions: Deploy automated solutions and threat detection for efficient risk
identification.
Prioritize Remediation Actions: Focus on remediation actions and prepare evidence of
compliance.
Monitor External Risks: Monitor external sources for potential risks and share intelligence to
bolster resilience.
Create ICT Risk Management Framework: Establish an ICT Risk Management Framework and
conduct digital operational resilience testing.

DORA Compliance Checklist 01 / 03

Culture and Leadership
Foster Positive Organizational Culture: Ensure a positive organizational culture that encourages
collaboration and resilience.
Prioritize Security Culture: Cultivate a security-focused company culture through employee
training and engagement.
Empower Leadership: Empower organizational leadership with appropriate training for effective
compliance.
Holistic Approach to Compliance: Engage multiple teams collaboratively for a holistic approach
to compliance.
Employee Training and Awareness: Provide comprehensive training programs to educate
employees on cybersecurity best practices and incident reporting.

Process and Automation

Implement CI/CD and Automated Testing: Apply Continuous Integration (CI), Continuous
Deployment (CD), and automated testing for streamlined processes.
Incident Response Plan: Develop a detailed incident response plan for detecting, responding to,
and recovering from security incidents.
Documentation and Records: Maintain detailed records of risk assessments, incident response
plans, and compliance measures.
Penetration Testing: Conduct regular penetration testing, utilizing frameworks like TIBER-EU.
Automate Threat Detection: Automate threat detection using tools such as EDRs, XDRs, scanners,
and SIEMs.

Architecture, Design, and Third-Party Management

Design for Scalability and Resilience: Design systems for scalability, resilience, and
maintainability.
Microservices Architecture: Implement microservices architecture and containerization for
efficient operations.
Considerations for Third-Party Providers: Review policies on ICT Third Parties (CTPS) and
consider regulations when engaging third-party service providers.
Utilize Training Programs: Use tools like CybeReady s training program to enable developers to
’

develop secure applications.

Monitoring, Measurement, and Continuous mpro ementI v

Establish PIs and Real-Time Monitoring: Establish ey Performance Indicators ( PIs) and
K K K

implement real-time monitoring.

Regularly Review Resilience Strategies: Periodically review and update resilience strategies and
policies.

D RA Compliance Checklist
O 02 / 03
 Analyze Past Incidents: Analyze past incidents, incorporate lessons learned, and apply

improvements.

Continuous Monitoring and Assessment: Implement ongoing monitoring processes to detect

and respond promptly to emerging risks and vulnerabilities.

Internal Audits and Assessments: Conduct internal audits and assessments regularly to identify

areas for improvement and address compliance gaps.

Security and Legal Compliance

Integrate Security Practices: Integrate security practices into the development lifecycle with a

DevSecOps approach.

Conduct Security Audits: Regularly conduct security audits and vulnerability assessments,

ensuring data privacy.

Implement ISMS: Establish an Information Security Management System (ISMS) aligned with

international standards like ISO 27001.

Comply with Legal Standards: Ensure compliance with legal, regulatory, and industry standards,

including GDPR.
Engage with Regulators: Stay informed about regulatory updates and engage in open dialogue
with relevant authorities for compliance understanding.

How Hadrian can help

Continuou s Autonomous Compre hensive

Hadrian’s Continuous Automated Hadrian's security platform, fueled Traditional compliance reporting
Red Teaming (CART) provides by advanced intelligence, assesses lacks real-time updates, leaving

ongoing and automated simulated your entire attack surface, businesses unaware of issues until

attacks on your system to identify uncovering vulnerabilities from '

it s too late. Hadrian offers
vulnerabilities and weaknesses.
third parties. It gauges the x
accurate, clear reports for e ternal

likelihood and impact of stakeholders, meeting DORA

Because it is continuous, we can x

e ploitation across your requirements. Shareable with
executives and board members,
identify new threats and
organization, offering remediation

vulnerabilities as they emerge.

recommendations and ensuring they keep everyone informed on

ongoing security post -remediation. DORA compliance.

Read The Quick Guide to Preparing for the

Digital Operational Resilience Act

Download Checklist Or scan the QR Code

DORA Compliance Checklist 0 3 / 03