EU Regulatory Intelligence — by YRproject


DORA readiness: a roadmap to prepare

Adopted 2026-06-28 · Dirk Baaijen

DORA has applied since 17 January 2025. A practical roadmap for getting it under control: determine your scope, map ICT dependencies and build the register of information, set up risk management and incident reporting, plan resilience testing, and review your vendor contracts.

Short answer: DORA has applied since 17 January 2025. If you are in scope, the question is not whether you must comply but how far along you are. The roadmap below orders the work: two preparatory steps (scope and register), then the pillars in a sequence where each step feeds the next.

The roadmap

  1. Determine your scope. Are you in scope at all, and if so under the full ICT risk management framework or the simplified one for small and non-interconnected entities? This decides the weight of every following step.
  2. Inventory ICT dependencies and build the register. Map systems, processes and outsourced ICT services, build the register of information on your contractual arrangements with ICT third-party providers, and classify each entry by whether it supports a critical or important function.
  3. Set up ICT risk management. A governance framework with ultimate responsibility at the management body, backed by information security and business continuity policies. See ICT risk management under DORA.
  4. Set up the incident process. Classify ICT-related incidents and report major ones to the competent supervisor in phases (initial, intermediate and final report). See Incident reporting under DORA.
  5. Plan resilience testing. A recurring testing programme; significant entities must additionally run a threat-led penetration test (TLPT) at least every three years. See Resilience testing and TLPT.
  6. Review your vendor contracts. Bring contracts with ICT third-party providers up to the mandatory contractual provisions, and know which of your providers are designated critical and therefore fall under the Union-level oversight framework. See Third-party ICT risk and oversight.

Order + maintenance

Start with scope and the register (without sight of your dependencies you cannot steer the rest), then set up risk management and the incident process, and make testing a recurring cycle whose findings feed back into the risk framework. Keep the register and the contracts current on every change: a new provider, a changed service or a re-classified function should update both.

See also: DORA guide and AI Act and DORA interplay.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2022/2554/oj
    Regulation (EU) 2022/2554 (DORA): the five pillars; applicable since 17 January 2025.
  2. https://www.eba.europa.eu/regulation-and-policy/digital-operational-resilience-dora
    EBA/EIOPA/ESMA: regulatory and implementing technical standards (RTS/ITS) per pillar.


Read next


Resilience testing under DORA: from basic tests to TLPT

DORA requires financial entities to test their digital resilience periodically. Significant entities must also perform a threat-led penetration test (TLPT) at least every three years.


Incident reporting under DORA: when and how to report?

DORA requires financial entities to classify and report major ICT incidents to the competent supervisor, with an initial, intermediate and final report. Significant cyber threats may be reported voluntarily.


ICT risk management under DORA: what must the board arrange?

DORA requires financial entities to maintain a coherent ICT risk management framework with ultimate responsibility at the management body. Small, non-interconnected entities may use a simplified framework.


About this knowledge base

Compiled and maintained by YRproject, programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.
