DORA Compliance Checklist for Cybersecurity
The article introduces the requirements of the EU Digital Operational Resilience Act (DORA) and their impact on financial institutions. DORA emphasizes six areas, including ICT risk management, continuous monitoring, change management and third-party risk control, and the article offers a compliance path and tooling support for meeting the regulatory challenge. 2025-12-15 21:38:11 Author: securityboulevard.com (view original) Views: 5

The Digital Operational Resilience Act (DORA) is now in full effect, and financial institutions across the EU face mounting pressure to demonstrate robust ICT risk management and cyber resilience. With regulatory scrutiny intensifying and cyber threats evolving daily, organizations need a clear, actionable path to compliance.

This checklist breaks down DORA’s cybersecurity requirements into six manageable focus areas. Whether you’re assessing compliance gaps or strengthening existing controls, you’ll walk away with practical steps to align your network security posture with DORA’s mandates.

1. Define the Scope and Map Systems to DORA Requirements

Before addressing specific controls, you need complete visibility into what falls under DORA’s umbrella. This foundational step prevents costly oversights and ensures your compliance efforts target the right assets.

Identify ICT Systems and Network Assets in Scope

Start by cataloging every ICT system, network asset, and digital service that supports your financial operations. DORA applies broadly, covering everything from core banking platforms to the firewalls protecting them.

Key actions:

  • Map all assets, firewalls, cloud environments, and critical services to relevant DORA Articles
  • Document network dependencies, data flows, and third-party touchpoints
  • Identify which systems qualify as “critical” under DORA’s operational resilience framework
  • Create a living inventory that accounts for hybrid and multi-cloud architectures

Many organizations underestimate the complexity here. Shadow IT, legacy systems, and sprawling cloud environments make comprehensive discovery difficult. Automated asset visibility tools can surface hidden dependencies that manual audits miss.

Assess Alignment Between Current Controls and DORA’s ICT Risk Requirements

With your scope defined, evaluate how existing security controls measure up against DORA’s expectations.

Focus areas include:

  • Reviewing firewall rules, network segmentation standards, and policy exceptions
  • Identifying configurations that create unnecessary risk exposure
  • Evaluating least-privilege enforcement across network access policies
  • Assessing whether current controls adequately protect ICT systems from unauthorized access and cyber threats

FireMon’s security policy management capabilities can accelerate this assessment through centralized visibility and automated policy analysis across complex, multi-vendor environments, with support for over 120 firewall and cloud platforms.

2. Build a DORA-Aligned ICT Risk Management Framework

DORA mandates that financial entities establish comprehensive ICT risk management frameworks. This isn’t a one-time exercise: it requires ongoing governance, clear accountability, and continuous refinement.

What Are the 5 Pillars of DORA?

Understanding DORA’s structure helps you organize your compliance program effectively. The regulation is built around five interconnected pillars:

  1. ICT Risk Management – Comprehensive frameworks to identify, protect against, detect, respond to, and recover from ICT risks
  2. ICT Incident Management – Processes for detecting, classifying, and reporting ICT-related incidents
  3. Digital Operational Resilience Testing – Regular testing including vulnerability assessments and threat-led penetration testing
  4. ICT Third-Party Risk Management – Oversight of external ICT service providers and critical vendors
  5. Information Sharing – Voluntary arrangements for exchanging cyber threat intelligence

Develop Risk Classification and Scoring Methodologies

Effective risk management starts with consistent classification. DORA requires organizations to identify, classify, and document ICT risks systematically.

Implementation steps:

  • Define risk thresholds, categories, and impact criteria aligned with DORA provisions (particularly Articles 5.1, 8.2, 9.1, 9.4b/9.4c/9.4e, and 12.1)
  • Establish scoring methodologies that prioritize risks based on potential business impact and likelihood
  • Consider automated risk scoring as a best practice to continuously assess policy weaknesses, segmentation violations, and emerging threats

Static, point-in-time risk assessments won’t satisfy DORA’s expectations. The regulation emphasizes continuous risk identification, meaning your framework must evolve as your environment changes. Risk Analyzer supports this through attack path simulation and risk prioritization, helping teams identify and rank network security risks based on exploitability and business impact.

Implement Governance Across Network Security Policies

Fragmented policies across different environments create compliance gaps and increase operational risk. DORA expects consistent governance regardless of where your systems reside.

Governance priorities:

  • Standardize policy structures across hybrid, cloud, and multi-vendor environments
  • Establish clear ownership and accountability for network security decisions
  • Document policy rationale and maintain version history for audit purposes

Centralized policy management eliminates the inconsistencies that plague organizations managing security across multiple platforms. When every firewall and security group follows the same governance model, demonstrating regulatory compliance becomes straightforward.

3. Implement Continuous Monitoring and Incident Management Controls

DORA places significant emphasis on detecting anomalies, managing incidents effectively, and maintaining operational resilience during disruptions. Reactive security postures won’t meet these requirements.

What Monitoring Controls Are Required for DORA Compliance?

Continuous monitoring isn’t optional under DORA; it’s foundational. Financial entities must detect threats, unauthorized changes, and vulnerabilities before they escalate into operational disruptions.

Monitoring best practices aligned with DORA’s expectations:

  • Deploy change detection capabilities to identify risky or unauthorized modifications to firewall rules and security policies; real-time detection aligns closely with DORA’s emphasis on timely threat identification
  • Configure alerts for violations that threaten operational resilience or regulatory compliance, particularly those affecting network segmentation or least-privilege controls
  • Monitor for configuration drift that could introduce security gaps or weaken network isolation
  • Track access patterns and policy changes across all network segments

The challenge isn’t just collecting data; it’s making sense of it. Organizations managing hundreds of firewalls and thousands of rules need automated analysis to separate signal from noise. Continuous compliance monitoring is particularly valuable for identifying segmentation erosion and overly permissive access rules.
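As an added example (not FireMon’s code or output), the following Python script implements the change-detection control described above over two constructed rule snapshots: it diffs them by rule id, rates each change by the exposure it creates, and correlates every change with a constructed change-ticket map so that unapproved, risky changes surface as alerts. The rule fields (id/src/dst/svc/action) and the ticket map are assumptions, not any vendor’s export format; a real deployment would load both from a firewall configuration export and the change-management system.

```python
"""Firewall policy drift detection for a rule-change monitoring control.

Added example, not FireMon's code or output. The two snapshots, the rule
fields (id/src/dst/svc/action) and the change-ticket map are constructed;
a real deployment would load them from a firewall config export and a
change-management system.
"""
import ipaddress
from typing import Optional

# Constructed baseline snapshot: the last approved policy state.
BASELINE = [
    {"id": "r1", "src": "10.10.0.0/24", "dst": "10.20.0.5/32", "svc": "tcp/443", "action": "allow"},
    {"id": "r2", "src": "10.10.0.7/32", "dst": "10.20.0.6/32", "svc": "tcp/22", "action": "allow"},
    {"id": "r3", "src": "any", "dst": "any", "svc": "any", "action": "deny"},
]

# Constructed current snapshot: r1 was widened, r2 was removed, r4 was added.
CURRENT = [
    {"id": "r1", "src": "10.10.0.0/16", "dst": "10.20.0.5/32", "svc": "tcp/443", "action": "allow"},
    {"id": "r4", "src": "any", "dst": "10.20.0.0/24", "svc": "any", "action": "allow"},
    {"id": "r3", "src": "any", "dst": "any", "svc": "any", "action": "deny"},
]

# Constructed change tickets: only r1's change went through the approval workflow.
APPROVED = {"r1": "CHG-1042"}

FIELDS = ("src", "dst", "svc")


def term_widened(new: str, old: str) -> bool:
    """True if the new term matches everything the old one did and more.

    Address terms are compared as CIDR containment; service terms only
    count as widened when they become "any".
    """
    if new == old or old == "any":
        return False
    if new == "any":
        return True
    try:
        return ipaddress.ip_network(new, strict=False).supernet_of(
            ipaddress.ip_network(old, strict=False)
        )
    except ValueError:
        return False  # non-address terms (services) are not comparable here


def classify(change: str, rule: dict, prior: Optional[dict]) -> str:
    """Rate one change: high = new exposure, medium = widened, low = benign."""
    if change == "removed":
        return "high" if rule["action"] == "deny" else "low"  # dropping a deny opens traffic
    if rule["action"] != "allow":
        return "low"
    if prior and prior["action"] != "allow":
        return "high"  # deny flipped to allow
    if "any" in (rule["src"], rule["dst"], rule["svc"]):
        return "high"
    if prior and any(term_widened(rule[f], prior[f]) for f in FIELDS):
        return "medium"
    return "low"


def detect_drift(baseline: list, current: list, approved: dict) -> list:
    """Diff two snapshots by rule id and tag each change with risk and approval status."""
    base = {r["id"]: r for r in baseline}
    cur = {r["id"]: r for r in current}
    findings = []
    for rid in sorted(cur.keys() | base.keys()):
        if rid in cur and rid not in base:
            change, rule, prior = "added", cur[rid], None
        elif rid in base and rid not in cur:
            change, rule, prior = "removed", base[rid], None
        elif cur[rid] != base[rid]:
            change, rule, prior = "modified", cur[rid], base[rid]
        else:
            continue  # unchanged
        findings.append({
            "rule": rid,
            "change": change,
            "risk": classify(change, rule, prior),
            "authorized": rid in approved,
            "ticket": approved.get(rid),
        })
    return findings


def alerts(findings: list) -> list:
    """Rule ids that need an alert: unapproved changes rated medium or high."""
    return [f["rule"] for f in findings
            if not f["authorized"] and f["risk"] in ("high", "medium")]


if __name__ == "__main__":
    found = detect_drift(BASELINE, CURRENT, APPROVED)
    for f in found:
        print(f)
    print("alerts:", alerts(found))
```

On the constructed data the widened r1 is rated medium but carries an approved ticket, the new any-source r4 is rated high with no ticket and becomes the single alert, and the removed allow rule r2 is recorded at low risk so the audit trail still shows it. Snapshots should be taken on a schedule and on every detected commit, because drift that is reverted between two scheduled snapshots is otherwise invisible.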

What Are DORA Incident Reporting Requirements?

DORA introduces specific incident reporting timelines that require well-prepared processes. Major ICT-related incidents must be reported to the competent authority in stages: an initial notification within four hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report.

Process requirements:

  • Align detection and escalation workflows with DORA’s major incident reporting Articles
  • Define clear criteria for classifying incidents as “major” based on DORA’s technical standards
  • Establish communication channels with the competent authority that supervises your entity (reports go to the national competent authority, which passes the details on to the European Supervisory Authorities and other bodies)
  • Automate evidence collection through comprehensive audit logs and rule history

When cyber incidents occur, you’ll need to demonstrate exactly what happened, when it happened, and how you responded. Automated audit trails and compliance reporting provide the documentation regulators expect.

4. Standardize Change Management and Policy Lifecycle Processes

Unauthorized or poorly managed changes represent one of the biggest threats to both security and compliance. DORA requires documented, controlled processes for modifying ICT systems and security policies.

What Change Management Processes Does DORA Expect?

Ad-hoc changes introduce risk. DORA expects financial entities to implement formal change management with appropriate oversight and approval.

Workflow components:

  • Establish approval paths aligned with DORA-required governance oversight
  • Require risk assessment before implementing changes to critical systems
  • Implement automated review cycles as a best practice to prevent policy sprawl, rule bloat, and least-privilege drift
  • Implement separation of duties between those requesting, approving, and implementing changes

Manual change management doesn’t scale. As organizations process hundreds of change requests monthly, automated workflows help ensure consistency while maintaining the governance DORA demands. FireMon’s Policy Planner controls the entire change management process, automatically analyzing, recommending, and checking proposed policy changes against compliance and security best practices before implementation, preventing new risks or compliance violations.

Maintain Complete Auditability of Network Security Activity

Regulators will want to see exactly who changed what, when, and why. Incomplete audit trails create compliance risk and hamper incident investigations.

Auditability requirements:

  • Track every configuration change across multi-vendor environments
  • Maintain historical records of rule states for forensic analysis
  • Document the business justification for each policy modification
  • Generate DORA-ready audit reports on demand

Policy Optimizer helps maintain clean, efficient rule sets by identifying and remediating redundant, shadowed, or overly permissive rules, while preserving the audit history compliance teams need. Organizations have reduced audit preparation from weeks to minutes using FireMon’s reporting capabilities.
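The rule-set hygiene step above rests on a simple first-match analysis. The following Python is an added example, not Policy Optimizer’s code: over a constructed rule base it reports each rule that an earlier rule fully covers, classifying it as shadowed (different action, so it can never fire) or redundant (same action, so it adds nothing), and splits the rule base into kept and removed lists so the removal can be recorded for the audit trail. Rule fields and the CIDR-or-"any" term format are assumptions.

```python
"""Shadowed and redundant rule detection for firewall rule-set hygiene.

Added example, not FireMon Policy Optimizer's code. The rule base is
constructed; rules are evaluated first-match, top to bottom, and address
terms are CIDRs or "any".
"""
import ipaddress

# Constructed rule base (first match wins).
RULES = [
    {"id": "r1", "src": "10.1.0.0/16", "dst": "10.2.0.10/32", "svc": "tcp/443", "action": "allow"},
    {"id": "r2", "src": "10.1.5.0/24", "dst": "10.2.0.10/32", "svc": "tcp/443", "action": "allow"},
    {"id": "r3", "src": "any", "dst": "10.3.0.0/24", "svc": "tcp/22", "action": "deny"},
    {"id": "r4", "src": "10.1.5.9/32", "dst": "10.3.0.4/32", "svc": "tcp/22", "action": "allow"},
    {"id": "r5", "src": "10.1.5.9/32", "dst": "10.4.0.4/32", "svc": "tcp/22", "action": "allow"},
]

FIELDS = ("src", "dst", "svc")


def covers(a: str, b: str) -> bool:
    """True if term a matches every packet that term b matches."""
    if a == "any" or a == b:
        return True
    if b == "any":
        return False
    try:
        return ipaddress.ip_network(a, strict=False).supernet_of(
            ipaddress.ip_network(b, strict=False)
        )
    except ValueError:
        return False  # service terms match only by equality or "any"


def analyze(rules: list) -> list:
    """Return (rule_id, kind, covering_rule_id) for every fully covered rule.

    kind is "shadowed" when an earlier rule with a different action already
    matches all of this rule's traffic (the rule can never fire) and
    "redundant" when the earlier rule has the same action (the rule adds
    nothing). Only single-rule coverage is detected, not coverage by the
    union of several earlier rules.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(covers(earlier[f], later[f]) for f in FIELDS):
                kind = "redundant" if earlier["action"] == later["action"] else "shadowed"
                findings.append((later["id"], kind, earlier["id"]))
                break  # report the first covering rule only
    return findings


def cleanup(rules: list) -> tuple:
    """Split the rule base into (kept, removed) without changing what it permits.

    A fully covered rule can be dropped because the covering rule above it
    decides that traffic first; the removed list is returned so the change
    can be written to the audit trail with its justification.
    """
    doomed = {rid for rid, _, _ in analyze(rules)}
    kept = [r for r in rules if r["id"] not in doomed]
    removed = [r for r in rules if r["id"] in doomed]
    return kept, removed


if __name__ == "__main__":
    for rid, kind, by in analyze(RULES):
        print(f"{rid} is {kind} (covered by {by})")
    kept, removed = cleanup(RULES)
    print("kept:", [r["id"] for r in kept], "removed:", [r["id"] for r in removed])
```

On the constructed rule base r2 is redundant to r1 and r4 is shadowed by the deny in r3, so r1, r3 and r5 remain. Two caveats a reviewer should keep in mind: a rule hidden behind the union of several earlier rules is not reported, and removing a redundant rule is only behaviour-preserving while the covering rule stays in place, which is why both rules should be referenced in the change record.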

5. Strengthen Third-Party Risk and ICT Provider Oversight

DORA dedicates significant attention to third-party risk management, recognizing that financial institutions increasingly depend on external ICT providers. Your compliance program must extend beyond your own infrastructure.

How Does DORA Affect Third-Party ICT Providers?

DORA establishes comprehensive requirements for managing ICT third-party relationships. Financial entities remain fully responsible for compliance with DORA even where functions are outsourced, so they must implement robust oversight programs spanning:

  • Contractual requirements: DORA mandates specific contractual provisions with ICT providers, including security obligations, audit rights, incident notification requirements, and data location specifications
  • Exit strategies: Organizations must maintain documented exit plans ensuring orderly transitions away from critical providers without service disruption
  • Concentration risk assessment: DORA requires evaluation of over-reliance on individual providers or providers with interconnected relationships that could create systemic risk

From a network security perspective, organizations should:

  • Inspect vendor connectivity rules and remote access pathways
  • Identify overly permissive access that violates least-privilege principles
  • Review network segmentation between third-party access points and critical systems
  • Document all network paths that third-party ICT providers use
  • Monitor for misconfigurations that could expand vendor access beyond the contractual scope.

Network security analytics can reveal access patterns and connectivity risks that contract reviews alone won’t uncover. Understanding the actual network exposure, not just the contractual terms, provides essential evidence for comprehensive third-party oversight.
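As an added example (not FireMon’s code), the following Python checks the two things the list above asks for over a constructed zone-level policy and a constructed contractual scope table: which vendor-sourced allow rules exceed the contracted destinations and services, and every chain of allow rules through which the vendor zone can reach a critical zone, including transit through a jump host. The zone names, rule fields and contract format are assumptions; rule order is ignored, so a preceding deny is not modelled here.

```python
"""Third-party access review: contractual scope check plus zone reachability.

Added example, not FireMon's code. Zone names, rules and the contractual
scope table are constructed. Rules are modelled at zone level with "any"
wildcards; rule order is ignored, so a preceding deny is not considered
(ordering problems are a separate rule-base analysis).
"""

CRITICAL = {"core-banking"}

# Constructed zone-level policy.
RULES = [
    {"id": "v1", "src": "vendor-vpn", "dst": "dmz-jump", "svc": "tcp/22", "action": "allow"},
    {"id": "v2", "src": "vendor-vpn", "dst": "corp", "svc": "tcp/3389", "action": "allow"},
    {"id": "j1", "src": "dmz-jump", "dst": "core-banking", "svc": "tcp/1521", "action": "allow"},
    {"id": "c1", "src": "corp", "dst": "core-banking", "svc": "tcp/443", "action": "allow"},
    {"id": "d1", "src": "any", "dst": "any", "svc": "any", "action": "deny"},
]

# Constructed contractual scope: (destination zone, service) pairs each vendor zone may reach.
CONTRACT = {"vendor-vpn": {("dmz-jump", "tcp/22")}}


def out_of_scope(rules: list, contract: dict) -> list:
    """Allow rules sourced from a vendor zone that exceed the contracted (dst, svc) pairs."""
    flagged = []
    for r in rules:
        if r["action"] != "allow" or r["src"] not in contract:
            continue
        # A wildcard destination or service can never be within a contracted scope.
        if "any" in (r["dst"], r["svc"]) or (r["dst"], r["svc"]) not in contract[r["src"]]:
            flagged.append(r["id"])
    return flagged


def paths_to_critical(rules: list, start: str, critical: set, max_hops: int = 4) -> list:
    """Every chain of allow rules (at most max_hops) leading from start into a critical zone."""
    allow = [r for r in rules if r["action"] == "allow"]
    zones = {z for r in rules for z in (r["src"], r["dst"]) if z != "any"}
    found = []

    def walk(zone, path, seen):
        if len(path) >= max_hops:
            return
        for r in allow:
            if r["src"] not in (zone, "any"):
                continue
            # A wildcard destination reaches every known zone.
            targets = zones if r["dst"] == "any" else {r["dst"]}
            for nxt in sorted(targets):
                if nxt in seen:
                    continue  # no cycles
                if nxt in critical:
                    found.append(path + [r["id"]])
                else:
                    walk(nxt, path + [r["id"]], seen | {nxt})

    walk(start, [], {start})
    return found


if __name__ == "__main__":
    print("out of contractual scope:", out_of_scope(RULES, CONTRACT))
    for path in paths_to_critical(RULES, "vendor-vpn", CRITICAL):
        print("vendor reaches a critical zone via rules:", " -> ".join(path))
```

On the constructed policy, v2 is outside the contract, and two chains reach the critical zone: v1 then j1 is the expected jump-host route and belongs in the documented path inventory, while v2 then c1 is an undocumented route that only exists because of the out-of-scope rule. Running the reachability check from each vendor zone after every policy change is the network-level evidence of ongoing oversight that the contract review alone cannot produce.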

Does DORA Apply to Non-EU Companies?

Yes, in two ways. First, DORA applies to financial entities authorised in the EU regardless of where their group is headquartered, so a non-EU group serving the EU market through an EU-authorised entity or branch is in scope for that entity. Second, ICT third-party service providers supporting EU financial institutions are pulled in regardless of where they are located: indirectly, through the contractual provisions DORA obliges their financial-entity customers to impose, and directly if the European Supervisory Authorities designate them as critical ICT third-party providers under the oversight framework. A critical provider established outside the EU must set up a subsidiary in the Union within 12 months of designation to remain eligible to serve EU financial entities.

Monitor ICT Provider Activity and Contractual Adherence

DORA requires ongoing oversight of third-party ICT providers, not just initial due diligence. Organizations must monitor provider performance and maintain visibility into how vendors interact with their systems.

Monitoring considerations:

  • Track vendor connectivity and access patterns against contractual requirements
  • Monitor for unauthorized changes to third-party access rules or segmentation boundaries
  • Maintain evidence of oversight activities for regulatory examination
  • Assess whether network access aligns with least-privilege expectations

It’s important to note that network security visibility supports, but doesn’t replace, comprehensive third-party risk management. DORA’s third-party requirements extend to contractual provisions, concentration risk assessment, exit strategies, and ongoing due diligence that require broader governance programs. 

FireMon provides the network-level evidence and access visibility, including segmentation validation and least-privilege enforcement monitoring, that complements these end-to-end efforts. For deeper context on managing network security for EU regulations, see our guide on firewall policy management for NIS2 and DORA compliance.

6. Establish Testing, Audit, and Reporting Procedures

DORA mandates regular testing of ICT systems and digital operational resilience capabilities. Testing validates that your controls work as intended and identifies weaknesses before attackers, or auditors, find them.

What Is Threat-Led Penetration Testing Under DORA?

DORA introduces tiered testing requirements, with the most rigorous being threat-led penetration testing (TLPT). This advanced form of resilience testing, aligned with the TIBER-EU framework, simulates real-world attack scenarios against live production systems based on current threat intelligence.

Testing program elements:

  • Schedule regular penetration testing and vulnerability assessments
  • Conduct compliance audits against DORA requirements
  • Test incident response and business continuity procedures
  • For entities designated by their competent authority, conduct TLPT at least every three years; the threat intelligence provider must be external, and testers must be external or meet the conditions DORA sets for internal testers, with an external tester used at least every third test

While FireMon supports testing efforts by identifying misconfigurations, segmentation weaknesses, and policy vulnerabilities, comprehensive resilience testing requires additional capabilities, including red team exercises and scenario-based testing that go beyond network security policy management.

Produce Standardized Compliance and Audit Documentation

Demonstrating compliance requires comprehensive documentation. DORA expects financial entities to maintain records that prove their ICT risk management capabilities.

Documentation requirements:

  • Generate reports aligned with DORA’s ICT risk, incident, and change management requirements
  • Maintain evidence packages for internal auditors and EU supervisory examinations
  • Document testing results, remediation actions, and control effectiveness
  • Create dashboards that provide real-time compliance visibility

Automated reporting significantly reduces the burden of compliance documentation. Rather than scrambling before audits, organizations can maintain continuous compliance evidence that’s always examination-ready. Learn more about continuous compliance monitoring best practices.

Moving Forward with DORA Compliance

How Do I Become DORA Compliant?

Achieving DORA compliance requires a structured approach across multiple workstreams. Start with a gap analysis to identify where current practices fall short, then prioritize remediation based on risk. Key steps include establishing governance structures with clear accountability, strengthening ICT risk management frameworks, implementing continuous monitoring capabilities, and documenting everything for audit readiness.

DORA compliance isn’t a destination; it’s an ongoing commitment to digital operational resilience. The requirements span ICT risk management, incident handling, third-party oversight, and resilience testing, demanding coordinated effort across security, risk, and compliance functions.

A structured checklist approach helps break this complexity into manageable components. By systematically addressing each area, from initial scoping through testing and reporting, organizations can build compliance programs that satisfy regulators while genuinely strengthening their information security posture.

FireMon simplifies key aspects of DORA compliance through its integrated Security Manager suite. Policy Manager delivers centralized visibility and continuous compliance monitoring; Policy Planner automates change workflows with pre-implementation validation; Policy Optimizer maintains clean rule sets through identification of redundant and overly permissive rules; and Risk Analyzer prioritizes threats through attack path simulation. Together, these capabilities help financial services organizations maintain the visibility and control DORA demands, while complementing broader governance, risk, and resilience initiatives.

Ready to streamline your DORA compliance program? Request a demo to see how FireMon can help you achieve and maintain compliance across complex, multi-vendor environments.

Frequently Asked Questions

What does DORA require for ICT risk management?

DORA requires financial entities to implement ICT risk management frameworks that identify, classify, and mitigate technology risks. These frameworks must include protective controls, risk registers, regular assessments, and management oversight of all ICT decisions.

How does DORA define “critical ICT systems”?

DORA does not define “critical ICT systems” as a term of its own. It defines “critical or important functions” (Article 3(22)): functions whose disruption would materially impair the entity’s financial performance, the soundness or continuity of its services and activities, or its compliance with authorisation conditions and regulatory obligations. ICT systems and assets that support those functions attract the enhanced controls, so financial entities must identify and document which functions are critical or important, map the supporting systems, and apply the stricter requirements to them.

What is the DORA compliance deadline?

The DORA compliance deadline was January 17, 2025. Financial entities operating in the EU must now demonstrate full compliance with all requirements. Non-compliant organizations face regulatory penalties, increased scrutiny, and operational risk.

What monitoring controls are required for DORA compliance?

DORA requires continuous monitoring controls that detect anomalies, unauthorized access, and configuration changes. FireMon Policy Manager delivers continuous compliance monitoring with automated policy analysis, identifying segmentation breaches, overly permissive rules, and policy violations, while maintaining audit-ready documentation across complex, multi-vendor environments.

What change-management processes does DORA expect?

DORA expects formal change management processes with documented approvals, risk assessments, and complete audit trails. FireMon supports these workflows with pre-deployment compliance validation and comprehensive change tracking across multi-vendor environments.

How does DORA address third-party and ICT provider risk?

DORA requires financial entities to assess, monitor, and document all third-party ICT provider relationships, including specific contractual provisions, exit strategies, and concentration risk assessments. FireMon provides network visibility into vendor access paths, segmentation boundaries, and connectivity patterns that support comprehensive third-party oversight programs.

What documentation and reporting does DORA require?

DORA requires audit-ready documentation of ICT risk activities, incident reports, testing results, and third-party arrangements. FireMon generates automated compliance reports that support regulatory requirements and reduce manual audit preparation.

Does DORA apply to UK financial institutions?

DORA does not directly apply to UK financial institutions post-Brexit. However, UK firms serving EU clients must comply with DORA for those activities. The UK enforces similar operational resilience requirements through FCA and PRA frameworks.

*** This is a Security Bloggers Network syndicated blog from www.firemon.com authored by FireMon. Read the original post at: https://www.firemon.com/blog/dora-compliance-checklist-cybersecurity/


Source: https://securityboulevard.com/2025/12/dora-compliance-checklist-for-cybersecurity/