TLP:GREEN EU DORA Implementation Checklist

1.1, 21.10.2024

Company: Date:

1. General

| x | Topic | Tasks | Reference | Status |
|---|-------|-------|-----------|--------|
| | 1.1. Requirements and Guidelines | Collect and study all DORA-related requirements (including Commission Delegated Regulation), ESAs’ and local authorities’ Technical Standards, Guidelines & Recommendations. Make and regularly review a list of them. If necessary, take additional training courses. | DORA, Technical Standards, Guidelines & Recommendations | |
| | 1.2. DORA Scope | Determine the boundaries and applicability of the DORA to establish its scope (for financial entities and ICT third-party service providers). Check the references in Article 16, “Simplified ICT risk management framework”. | DORA: art.2, 16.1 | |
| | 1.3. Proportionality principle | Identify internal and external factors affecting digital operational resilience, including company size and overall risk profile, and the nature, scale and complexity of services, activities and operations. [Context] | DORA: art.4 | |
| | 1.4. Introductory meeting | Organise an introductory meeting with the Management Body. Make sure that the Management Body is fully supportive and committed, particularly in terms of allocating the necessary resources required for the DORA implementation. | DORA: art.5.2a, 5.2g, 5.4 | |
| | 1.5. Implementation team and plan | Gather an implementation team. Create and approve a DORA implementation plan and project charter, if necessary. Conduct a kick-off meeting. | DORA: art.5.2g | |
| | 1.6. Document Management | Define the necessary requirements for managing DORA-related documentation and prepare appropriate templates accordingly. Additionally, create and maintain a register for DORA-related documents and records. | DORA: art.6.1, 6.5, 8.1, 8.5 | |
2. Internal Governance and Control Framework (IGCF)

| x | Topic | Tasks | Reference | Status |
|---|-------|-------|-----------|--------|
| | 2.1. Gap Analysis (Governance) | Conduct a Gap analysis to understand the current state of the IGCF. | Guidelines on internal governance (GIG) | |
| | 2.2. Management body | Describe (review) the information on the structure, organisation, members and responsibilities of the management body. | DORA: art.5.2a, c; GIG: 230 d), e); 21 | |
| | 2.3. Committees | Establish a Risk committee, Audit committee and other necessary committees (e.g., Cybersecurity, Business Continuity, Privacy). Collect agendas of committee meetings and their main results and conclusions. | GIG: 230 f), 45, 60, 39 | |

Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001


TLP:GREEN www.patreon.com/AndreyProzorov || www.linkedin.com/in/AndreyProzorov
| x | Topic | Tasks | Reference | Status |
|---|-------|-------|-----------|--------|
| | 2.4. Code of conduct | Document (review) Corporate values and Code of conduct. | GIG: 97-102 | |
| | 2.5. Conflict of interest policy | Implement (review) a Conflict of interest policy. | GIG: 230 g), 103-106, 117-128, 107-116 | |
| | 2.6. Risk management function (RMF) | Design and implement (review) a Risk management function (RMF). | DORA: art.6.4; GIG: 149-159, 175-199 | |
| | 2.7. Compliance function (CF) | Design and implement (review) a Compliance function (CF). | DORA: art.6.4; GIG: 200-209 | |
| | 2.8. Internal audit function (IAF) | Design and implement (review) an Internal audit function (IAF). Plan, establish, implement, and maintain an audit programme to evaluate the effectiveness of the ICT RMF. Conduct internal audits of the ICT RMF to identify any potential areas of weakness or non-compliance. Develop a procedure for Nonconformity Management along with a register and related templates. | DORA: art.5.2f, 6.4, 6.6, 6.7; GIG: 210-220 | |
| | 2.9. Internal alert procedures | Implement (review) Internal alert policies and procedures for staff to report potential or actual breaches of regulatory or internal requirements. | GIG: 129-135, 136-137 | |
| | 2.10. New product approval policy | Develop (review) a new product approval policy (NPAP). | GIG: 160-165 | |
| | 2.11. Business continuity function (BCF) | Design and implement a Business continuity function (BCF). | GIG: 230 i), 221-226 | |
| | 2.12. Executive training | Conduct regular training for the management body to improve knowledge and skills in understanding of ICT risks. | DORA: art.5.4 | |
| | 2.13. Support | Allocate and periodically review the appropriate budget to fulfil digital operational resilience. | DORA: art.5.2g, 13.1 | |
3. ICT risk management framework (ICT RMF)

Design

| x | Topic | Tasks | Reference | Status |
|---|-------|-------|-----------|--------|
| | 3.1. Gap Analysis (ICT RMF) | Conduct a Gap analysis to understand the current state of the ICT RMF. | RTS on ICT risk management framework / Commission Delegated Regulation (EU) 2024/1774 | |
| | 3.2. ICT strategy | Establish an ICT strategy. | DORA: art.6.8d; Guidelines on ICT and security risk management (3.2.2) | |

| x | Topic | Tasks | Reference | Status |
|---|-------|-------|-----------|--------|
| | 3.3. Digital operational resilience strategy | Plan and design the ICT RMF. Establish a Digital operational resilience strategy and align it with the ICT strategy. | DORA: art.5.2d, 6.8, 13.4, 8.1; RTS on ICT risk management framework / Commission Delegated Regulation (EU) 2024/1774; Guidelines on ICT Risk Assessment under the SREP; Guidelines on ICT and security risk management | |
| | 3.4. ICT Risk management methodology | Define an ICT Risk management methodology and align it with the general risk management approach. | DORA: art.8.2, 8.3 | |

Identification

| x | Topic | Tasks | Reference | Status |
|---|-------|-------|-----------|--------|
| | 3.5. Roles and responsibilities | Document roles and responsibilities. | DORA: art.8.1, 8.6 | |
| | 3.6. Asset inventory | Define an asset management policy. Identify, classify and adequately document all ICT-supported business functions, the information assets and the ICT assets supporting those functions. Annually review and update. | DORA: art.8.1, 8.4, 8.6; Guidelines on necessary services | |
| | 3.7. External services | Identify and document all processes that are dependent on ICT third-party service providers. | DORA: 8.5, 8.6; RTS to specify elements when sub-contracting critical or important functions | |
| | 3.8. ICT Risk assessment | Conduct ICT Risk identification and assessment. | DORA: art.8.2, 8.3, 18.2, 13.3 | |
| | 3.9. ICT risk assessment on legacy ICT systems | Annually conduct a specific ICT risk assessment on all legacy ICT systems and, in any case, before and after connecting technologies, applications or systems. | DORA: art.8.7 | |

Protection and prevention

| x | Topic | Tasks | Reference | Status |
|---|-------|-------|-----------|--------|
| | 3.10. ICT security | Design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems. Document a Statement of Applicability (SoA), if needed. | DORA: art.7, 9.2, 9.3, 9.4 | |
| | 3.11. Monitor and control | Organise continuous monitoring and control of the security and functioning of ICT systems. | DORA: art.9.1 | |

Detection

| x | Topic | Tasks | Reference | Status |
|---|-------|-------|-----------|--------|
| | 3.12. Monitoring | Implement and regularly test mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure. Integrate the triggers with the incident management process. | DORA: art.10 | |
Response and recovery

| x | Topic | Tasks | Reference | Status |
|---|-------|-------|-----------|--------|
| | 3.13. ICT business continuity policy | Establish an ICT business continuity policy. Determine recovery time and recovery point objectives and include them in the SLAs/OLAs. | DORA: art.11.1, 11.2, 12.6 | |
| | 3.14. ICT response and recovery plans | Implement ICT response and recovery plans. | DORA: art.11.3, 12.7 | |
| | 3.15. Testing the plans | Regularly review and test the ICT business continuity policy, ICT business continuity plans and crisis communication plans. Be ready to provide copies of the results to the competent authority. | DORA: art.11.3, 11.4, 11.6, 11.9 | |
| | 3.16. Business impact analysis (BIA) | Conduct a business impact analysis (BIA). | DORA: art.11.5 | |
| | 3.17. Crisis management | Design and implement a crisis management function, including crisis communications. | DORA: art.11.7, 11.8 | |
| | 3.18. Backup and recovery | Develop and document backup and recovery policies and procedures. Regularly review and test them. | DORA: art.12.1-12.3 | |
| | 3.19. Redundancy | Design and implement redundant ICT capacities. | DORA: art.12.4-12.5 | |

Learning and Communication

| x | Topic | Tasks | Reference | Status |
|---|-------|-------|-----------|--------|
| | 3.20. Threat intelligence | Have in place capabilities and staff to gather information on vulnerabilities, cyber threats and ICT-related incidents, in particular cyber-attacks, and analyse the impact they are likely to have on the entity’s digital operational resilience. | DORA: art.13.1, 13.7 | |
| | 3.21. Monitoring and measurement | Determine the essential metrics and key performance indicators (KPIs) related to digital operational resilience, then collect, analyse and evaluate them regularly. | DORA: art.13.4, 13.5, 13.7 | |
| | 3.22. Awareness | Develop ICT security awareness programmes and conduct digital operational resilience training. | DORA: art.13.6 | |
| | 3.23. Crisis communication plans | Prepare crisis communication plans to notify clients and counterparts in case of major ICT-related incidents or vulnerabilities. | DORA: art.14.1 | |


| x | Topic | Tasks | Reference | Status |
|---|-------|-------|-----------|--------|
| | 3.24. Communication policy | Implement communication policies for internal staff and for external stakeholders. Communication policies for staff shall take into account the need to differentiate between staff involved in ICT risk management, in particular the staff responsible for response and recovery, and staff that needs to be informed. | DORA: art.14.2, 5.2i | |
| | 3.25. Communication strategy for ICT-related incidents | Implement a communication strategy for ICT-related incidents, including the co-operation with the public and the media. | DORA: art.14.3 | |


4. ICT-related incident management, classification and reporting

| x | Topic | Tasks | Reference | Status |
|---|-------|-------|-----------|--------|
| | 4.1. Incident management process | Define, establish and implement an ICT-related incident management process, including root cause analysis and post-incident review. | DORA: art.17.1-17.3, 18.1, 23, 13.2; RTS on criteria for the classification of major ICT-related incidents | |
| | 4.2. Incident notification | Define, establish and implement a process to report major ICT-related incidents to the relevant competent authority and affected clients. Be ready to communicate to the competent authorities, upon request, the changes that were implemented following post ICT-related incident reviews. | DORA: 19.1, 19.2, 19.4, 19.5, 13.2; ITS to establish the forms, templates and procedures for major ICT-related incident reporting; RTS on specifying the content and reporting timelines for major ICT-related incidents | |
| | 4.3. Annual costs and losses | Be ready to report to the competent authorities, upon their request, an estimation of aggregated annual costs and losses caused by major ICT-related incidents. | DORA: art.11.10; Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents | |

5. Digital operational resilience testing (DORT)

| x | Topic | Tasks | Reference | Status |
|---|-------|-------|-----------|--------|
| | 5.1. DORT programme | Establish and maintain a digital operational resilience testing programme. | DORA: art.24.1-24.5, 25.1, 25.3, 26, 27 | |
| | 5.2. Annual tests | Annually conduct appropriate tests of all ICT systems and applications supporting critical or important functions. | DORA: art.24.6 | |
| | 5.3. Vulnerability assessments | Conduct vulnerability assessments before any deployment or redeployment of new or existing applications and infrastructure components, and ICT services supporting critical or important functions of the financial entity. | DORA: art.25.2 | |
| | 5.4. Threat-led penetration test (TLPT) | Conduct regular (at least every 3 years) threat-led penetration tests. Be ready to provide to the authority a summary of the relevant findings, the remediation plans and the documentation demonstrating that the TLPT has been conducted in accordance with the requirements. Get an attestation confirming that the test was performed. | DORA: art.26-27; RTS to specify threat-led penetration testing | |


6. Management of ICT third-party risk (ICT TPRM)

| x | Topic | Tasks | Reference | Status |
|---|-------|-------|-----------|--------|
| | 6.1. TPRM Strategy and Policy | Establish a Strategy on ICT third-party risk, including a Policy on the use of ICT services supporting critical or important functions. Define the classification of third parties. Define the approach to audits and inspections. | DORA: art.28.1, 28.2, 28.6; RTS to specify the policy on ICT services; Guidelines on outsourcing arrangements | |
| | 6.2. Register of contractual arrangements | Fill in and maintain a register of contractual arrangements on the use of ICT services provided by ICT third-party service providers. Communicate with the local authority to take part in the Dry Run, if needed. | DORA: art.28.3; ITS to establish the templates for the Register of information; Guidelines on outsourcing arrangements | |
| | 6.3. Notifying the authority about service providers | Be ready to report at least yearly to the competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided. Be ready to provide the full register. Inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions, as well as when a function has become critical or important. | DORA: art.28.3 | |
| | 6.4. Contractual agreements | Ensure that the contractual agreements contain the necessary provisions. Create templates and checklists. Integrate checks into the purchasing process. Review the current contracts. | DORA: art.28.3-28.8, 29, 30; RTS to specify elements when sub-contracting critical or important functions | |
| | 6.5. Exit strategies | Prepare exit strategies for ICT services supporting critical or important functions. | DORA: art.28.8 | |
| | 6.6. Due Diligence | Integrate an extended Due Diligence procedure into the purchasing process. Identify and assess risks. | DORA: art.28.4, 28.5, 29.1 | |
| | 6.7. Third-party risk review by the management body | Regularly review the risks identified in respect of contractual arrangements on the use of ICT services supporting critical or important functions. | DORA: art.28.2 | |
| | 6.8. Monitoring of the contractual arrangements | Monitor, on an ongoing basis, the ICT third-party service provider’s contractual performance. | RTS to specify the policy on ICT services | |


7. Information-sharing arrangements

| x | Topic | Tasks | Reference | Status |
|---|-------|-------|-----------|--------|
| | 7.1. Threat information exchange | Exchange cyber threat information and intelligence with other financial entities, authorities and CSIRTs, on a voluntary basis. Document information-sharing arrangements if needed. Notify the competent authorities of the participation in information-sharing arrangements (e.g., membership). | DORA: art.45, 19.2 | |

8. Final tasks

| x | Topic | Tasks | Reference | Status |
|---|-------|-------|-----------|--------|
| | 8.1. ICT RMF review | Annually review the ICT RMF. Be ready to submit a report to the competent authority upon its request. | DORA: art.6.5, 13.4, 13.5 | |
| | 8.2. Final gap analysis | Conduct a final compliance check. | DORA: art.25.1 | |
| | 8.3. Continual improvement | Continually improve the suitability, adequacy and effectiveness of the ICT RMF. React to nonconformities, implement any action needed, review the effectiveness of any corrective action taken and make changes to the ICT RMF, if necessary. Collect evidence of the results of any corrective action. | DORA: art.6.5, 13.3, 13.4, 24.5 | |

Statuses:
- Not Applicable
- To Do
- In progress (MI) [Minimally implemented, 30%]
- In progress (PI) [Partially Implemented, 70%]
- Done

More DORA-related documents and recommendations: https://www.patreon.com/collection/470971
