TLP:GREEN DORA Implementation Checklist
Version 1.0, 05.07.2024
Company: ____________________   Date: ____________________
Each item below gives the topic, the tasks to complete, the reference (DORA article, technical standard or guideline) and a status field; record the status using the legend at the end of the checklist.
1. General

☐ 1.1. Requirements and Guidelines
   Collect and study all DORA-related requirements, together with the ESAs' and local authorities' Technical Standards, Guidelines and Recommendations. If necessary, take additional training courses.
   Ref: DORA; Technical Standards, Guidelines & Recommendations

☐ 1.2. DORA scope
   Determine the boundaries and applicability of DORA to establish its scope. Check the references in Article 16, "Simplified ICT risk management framework": it applies only to the small entities it lists (e.g. small and non-interconnected investment firms, exempted payment and electronic money institutions, small IORPs), which follow the simplified framework instead of Articles 5 to 15.
   Ref: DORA art. 2, 16.1

☐ 1.3. Proportionality principle
   Identify the internal and external factors affecting digital operational resilience, including company size and overall risk profile, and the nature, scale and complexity of services, activities and operations. [Context]
   Ref: DORA art. 4

☐ 1.4. Introductory meeting
   Organise an introductory meeting with the management body. Make sure that the management body is fully supportive and committed, particularly in terms of allocating the resources required for the DORA implementation.
   Ref: DORA art. 5.2a, 5.2g, 5.4

☐ 1.5. Implementation team and plan
   Gather an implementation team. Create and approve a DORA implementation plan and, if necessary, a project charter. Conduct a kick-off meeting.
   Ref: DORA art. 5.2g

☐ 1.6. Document management
   Define the requirements for managing DORA-related documentation and prepare appropriate templates. Create a register of DORA-related documents and records.
   Ref: DORA art. 6.1, 6.5, 8.1, 8.5
2. Internal Governance and Control Framework (IGCF)

☐ 2.1. Gap analysis (Governance)
   Conduct a gap analysis to understand the current state of the IGCF.
   Ref: Guidelines on internal governance (GIG)

☐ 2.2. Management body
   Describe (or review) the structure, organisation, members and responsibilities of the management body.
   Ref: DORA art. 5.2a, 5.2c; GIG: 230 d), e); 21

☐ 2.3. Committees
   Establish a risk committee, an audit committee and any other necessary committees (e.g. cybersecurity, business continuity, privacy). Collect the agendas of committee meetings and their main results and conclusions.
   Ref: GIG: 230 f), 39, 45, 60

☐ 2.4. Code of conduct
   Document (or review) the corporate values and the code of conduct.
   Ref: GIG: 97-102

☐ 2.5. Conflict of interest policy
   Implement (or review) a conflict of interest policy.
   Ref: GIG: 230 g), 103-106, 107-116, 117-128
Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001
TLP:GREEN [Link]/AndreyProzorov || [Link]/in/AndreyProzorov
☐ 2.6. Risk management function (RMF)
   Design and implement (or review) a risk management function (RMF).
   Ref: DORA art. 6.4; GIG: 149-159, 175-199

☐ 2.7. Compliance function (CF)
   Design and implement (or review) a compliance function (CF).
   Ref: DORA art. 6.4; GIG: 200-209

☐ 2.8. Internal audit function (IAF)
   Design and implement (or review) an internal audit function (IAF). Plan, establish, implement and maintain an audit programme to evaluate the effectiveness of the ICT RMF. Conduct internal audits of the ICT RMF to identify potential areas of weakness or non-compliance. Develop a procedure for nonconformity management, along with a register and related templates.
   Ref: DORA art. 5.2f, 6.4, 6.6, 6.7; GIG: 210-220

☐ 2.9. Internal alert procedures
   Implement (or review) internal alert policies and procedures for staff to report potential or actual breaches of regulatory or internal requirements.
   Ref: GIG: 129-135, 136-137

☐ 2.10. New product approval policy (NPAP)
   Develop (or review) a new product approval policy (NPAP).
   Ref: GIG: 160-165

☐ 2.11. Business continuity function (BCF)
   Design and implement a business continuity function (BCF).
   Ref: GIG: 230 i), 221-226

☐ 2.12. Management body training
   Conduct regular training for the management body to improve its knowledge and skills in understanding ICT risks.
   Ref: DORA art. 5.4

☐ 2.13. Budget
   Allocate, and periodically review, the budget needed to fulfil the digital operational resilience needs of the entity.
   Ref: DORA art. 5.2g, 13.1
3. ICT risk management framework (ICT RMF)

Design

☐ 3.1. Gap analysis (ICT RMF)
   Conduct a gap analysis to understand the current state of the ICT RMF.
   Ref: RTS on ICT risk management framework

☐ 3.2. Digital operational resilience strategy
   Plan and design the ICT RMF. Establish a digital operational resilience strategy.
   Ref: DORA art. 5.2d, 6.8, 8.1, 13.4; RTS on ICT risk management framework; Guidelines on ICT risk assessment under the SREP; Guidelines on ICT and security risk management

☐ 3.3. ICT risk management methodology
   Define the ICT risk management methodology and align it with the general risk management approach.
   Ref: DORA art. 8.2, 8.3

Identification

☐ 3.4. Roles and responsibilities
   Document roles and responsibilities.
   Ref: DORA art. 8.1, 8.6

☐ 3.5. Asset inventory
   Define an asset management policy. Identify, classify and adequately document all ICT-supported business functions, and the information assets and ICT assets supporting those functions. Review and update the inventory at least annually.
   Ref: DORA art. 8.1, 8.4, 8.6; Guidelines on necessary services

☐ 3.6. External services
   Identify and document all processes that depend on ICT third-party service providers.
   Ref: DORA art. 8.5, 8.6; RTS to specify elements when subcontracting critical or important functions

☐ 3.7. ICT risk assessment
   Conduct ICT risk identification and assessment.
   Ref: DORA art. 8.2, 8.3, 13.3, 18.2

☐ 3.8. ICT risk assessment on legacy ICT systems
   At least annually, conduct a specific ICT risk assessment on all legacy ICT systems and, in any case, before and after connecting technologies, applications or systems.
   Ref: DORA art. 8.7

Protection and prevention

☐ 3.9. ICT security
   Design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems. Document a Statement of Applicability (SoA), if needed.
   Ref: DORA art. 7, 9.2, 9.3, 9.4

☐ 3.10. Monitoring and control
   Organise continuous monitoring and control of the security and functioning of ICT systems.
   Ref: DORA art. 9.1

Detection

☐ 3.11. Detection
   Implement and regularly test mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure. Integrate the detection triggers with the incident management process.
   Ref: DORA art. 10

Response and recovery

☐ 3.12. ICT business continuity policy
   Establish an ICT business continuity policy. Determine recovery time and recovery point objectives and include them in the SLAs/OLAs.
   Ref: DORA art. 11.1, 11.2, 12.6

☐ 3.13. ICT response and recovery plans
   Implement ICT response and recovery plans.
   Ref: DORA art. 11.3, 12.7

☐ 3.14. Testing the plans
   Regularly review and test the ICT business continuity policy, the ICT business continuity plans and the crisis communication plans. Be ready to provide copies of the results to the competent authority.
   Ref: DORA art. 11.3, 11.4, 11.6, 11.9

☐ 3.15. Business impact analysis (BIA)
   Conduct a business impact analysis (BIA).
   Ref: DORA art. 11.5

☐ 3.16. Crisis management
   Design and implement a crisis management function, including crisis communications.
   Ref: DORA art. 11.7, 11.8

☐ 3.17. Backup and recovery
   Develop and document backup and recovery policies and procedures. Regularly review and test them.
   Ref: DORA art. 12.1-12.3

☐ 3.18. Redundancy
   Design and implement redundant ICT capacities.
   Ref: DORA art. 12.4-12.5

Learning and communication

☐ 3.19. Threat intelligence
   Have in place the capabilities and staff to gather information on vulnerabilities, cyber threats and ICT-related incidents, in particular cyber-attacks, and to analyse the impact they are likely to have on the entity's digital operational resilience.
   Ref: DORA art. 13.1, 13.7

☐ 3.20. Metrics and measurement
   Determine the essential metrics and key performance indicators (KPIs) for digital operational resilience, then collect, analyse and evaluate them regularly.
   Ref: DORA art. 13.4, 13.5, 13.7

☐ 3.21. Awareness and training
   Develop ICT security awareness programmes and conduct digital operational resilience training.
   Ref: DORA art. 13.6

☐ 3.22. Crisis communication plans
   Prepare crisis communication plans to notify clients and counterparts in case of major ICT-related incidents or vulnerabilities.
   Ref: DORA art. 14.1

☐ 3.23. Communication policy
   Implement communication policies for internal staff and for external stakeholders. The communication policies for staff shall take into account the need to differentiate between staff involved in ICT risk management, in particular the staff responsible for response and recovery, and staff that needs to be informed.
   Ref: DORA art. 14.2, 5.2i

☐ 3.24. Communication strategy for ICT-related incidents
   Implement a communication strategy for ICT-related incidents, including cooperation with the public and the media. Task at least one person with implementing the strategy and fulfilling the public and media function.
   Ref: DORA art. 14.3
4. ICT-related incident management, classification and reporting

☐ 4.1. Incident management process
   Define, establish and implement an ICT-related incident management process, including root cause analysis and post-incident review. Classify incidents against the criteria of Article 18 and the RTS so that major incidents are identified for reporting.
   Ref: DORA art. 17.1-17.3, 18.1, 23, 13.2; RTS on criteria for the classification of major ICT-related incidents

☐ 4.2. Incident notification
   Define, establish and implement a process to report major ICT-related incidents to the relevant competent authority and to affected clients. The process must produce the initial notification, the intermediate report and the final report required by art. 19.4, within the timelines set by the RTS. Be ready to communicate to the competent authority, upon request, the changes that were implemented following post-incident reviews.
   Ref: DORA art. 19.1, 19.2, 19.4, 19.5, 13.2; ITS to establish the forms, templates and procedures for major ICT-related incident reporting; RTS on specifying the content and reporting timelines for major ICT-related incidents

☐ 4.3. Annual costs and losses
   Be ready to report to the competent authorities, upon their request, an estimation of the aggregated annual costs and losses caused by major ICT-related incidents.
   Ref: DORA art. 11.10; Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents
5. Digital operational resilience testing (DORT)

☐ 5.1. DORT programme
   Establish and maintain a digital operational resilience testing programme.
   Ref: DORA art. 24.1-24.5, 25.1, 25.3, 26, 27

☐ 5.2. Annual tests
   At least yearly, conduct appropriate tests of all ICT systems and applications supporting critical or important functions.
   Ref: DORA art. 24.6

☐ 5.3. Vulnerability assessments
   Conduct vulnerability assessments before any deployment or redeployment of new or existing applications and infrastructure components, and ICT services supporting critical or important functions of the financial entity. Note that art. 25.2 imposes this on central securities depositories and central counterparties; other entities should treat it as good practice, since art. 25.1 already lists vulnerability assessments and scans among the appropriate tests of the programme.
   Ref: DORA art. 25.2

☐ 5.4. Threat-led penetration test (TLPT)
   Conduct threat-led penetration tests regularly (at least every 3 years), if the competent authority has identified the entity as required to perform TLPT; the test must cover live production systems supporting critical or important functions. Be ready to provide to the authority a summary of the relevant findings, the remediation plans and the documentation demonstrating that the TLPT has been conducted in accordance with the requirements. Obtain an attestation confirming that the test was performed.
   Ref: DORA art. 26-27; RTS to specify threat-led penetration testing
6. Managing ICT third-party risk (ICT TPRM)

☐ 6.1. TPRM strategy and policy
   Establish a strategy on ICT third-party risk, including a policy on the use of ICT services supporting critical or important functions. Define the classification of third parties. Define the approach to audits and inspections.
   Ref: DORA art. 28.1, 28.2, 28.6; RTS to specify the policy on ICT services; Guidelines on outsourcing arrangements

☐ 6.2. Register of contractual arrangements
   Fill in and maintain a register of information on all contractual arrangements on the use of ICT services provided by ICT third-party service providers, at entity level and, where applicable, at sub-consolidated and consolidated level. Communicate with the local authority to take part in the dry run, if needed.
   Ref: DORA art. 28.3; ITS to establish the templates for the register of information; Guidelines on outsourcing arrangements

☐ 6.3. Notifying the authority about service providers
   Be ready to report, at least yearly, to the competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions being provided. Be ready to provide the full register upon request. Inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions, and when a function has become critical or important.
   Ref: DORA art. 28.3

☐ 6.4. Contractual agreements
   Ensure that the contractual agreements contain the necessary provisions: art. 30.2 lists the minimum provisions for all ICT services and art. 30.3 adds those for services supporting critical or important functions (e.g. full service level descriptions, participation in TLPT, unrestricted rights of access, inspection and audit, exit strategies). Create templates and checklists. Integrate the checks into the purchasing process. Review the current contracts.
   Ref: DORA art. 28.3-28.8, 29, 30; RTS to specify elements when subcontracting critical or important functions

☐ 6.5. Exit strategies
   Prepare exit strategies for ICT services supporting critical or important functions.
   Ref: DORA art. 28.8

☐ 6.6. Due diligence
   Integrate an extended due diligence procedure into the purchasing process. Identify and assess the risks, including ICT concentration risk (e.g. a provider that is not easily substitutable, or multiple arrangements with the same provider).
   Ref: DORA art. 28.4, 28.5, 29.1

☐ 6.7. Third-party risk review by the management body
   Regularly review the risks identified in respect of contractual arrangements on the use of ICT services supporting critical or important functions.
   Ref: DORA art. 28.2

☐ 6.8. Monitoring of the contractual arrangements
   Monitor the ICT third-party service providers' performance on an ongoing basis.
   Ref: RTS to specify the policy on ICT services
7. Information-sharing arrangements

☐ 7.1. Threat information exchange
   Exchange cyber threat information and intelligence with other financial entities, authorities and CSIRTs, on a voluntary basis. Document the information-sharing arrangements if needed. Notify the competent authorities of participation in information-sharing arrangements (e.g. upon validation of membership) and, as applicable, of its cessation.
   Ref: DORA art. 45, 19.2
8. Final tasks

☐ 8.1. ICT RMF review
   Review the ICT RMF at least once a year, and also upon major ICT-related incidents, following supervisory instructions or conclusions derived from relevant tests or audits. Be ready to submit a report on the review to the competent authority upon its request.
   Ref: DORA art. 6.5, 13.4, 13.5

☐ 8.2. Final gap analysis
   Conduct a final compliance check.
   Ref: DORA art. 25.1

☐ 8.3. Continual improvement
   Continually improve the suitability, adequacy and effectiveness of the ICT RMF. React to nonconformities, implement any action needed, review the effectiveness of any corrective action taken and make changes to the ICT RMF, if necessary. Collect evidence of the results of any corrective action.
   Ref: DORA art. 6.5, 13.3, 13.4, 24.5

Statuses:
   Not Applicable | To Do | In progress (MI: minimally implemented, ~30%) | In progress (PI: partially implemented, ~70%) | Done