Every financial entity subject to DORA needs a structured way to assess its compliance posture. A checklist on a website is useful for orientation, but what compliance teams actually need is an editable, trackable workbook they can fill in, assign owners to, and present to the management body.
We have built exactly that. This post introduces our free DORA compliance checklist template — a professional Excel workbook and companion PDF guide covering 95 requirements across all five DORA pillars, mapped to specific articles and Regulatory Technical Standards.
What is in the template?
Excel Workbook (5 sheets)
Checklist sheet — 95 items organised by pillar, each with:- DORA article reference (Art. 5 through Art. 45)
- RTS/ITS reference (CDR 2024/1774, CIR 2024/2956, etc.)
- Priority level (Critical, Important, Supplementary)
- Dropdown fields for maturity scoring (1–5), status, target maturity
- Columns for evidence, owner, deadline, and remediation notes
PDF Guide (13 pages)
The companion PDF is designed to be read alongside the Excel template or printed for reference during workshops and management body presentations. It includes:
- Introduction to DORA and its five-pillar structure
- Step-by-step instructions for conducting a self-assessment
- The full maturity assessment framework (1–5 scale)
- All 95 checklist items organised by pillar with article references
- RTS/ITS quick reference table
- Next steps and links to automated tools
How the 95 items are organised
The checklist covers every article in the DORA regulation that creates a compliance obligation:
Pillar 1: ICT Governance & Risk Management (37 items)Articles 5–16. Covers management body accountability, the ICT risk management framework, asset identification and classification, protection controls, detection and monitoring, business continuity, backup and recovery, learning and communication. This is the largest pillar because it spans the full ICT risk lifecycle.
Pillar 2: Incident Management & Reporting (16 items)Articles 17–23. Covers incident classification using CDR 2024/1772 criteria, the three-phase reporting timeline (4 hours, 72 hours, 1 month), ITS reporting templates, and voluntary cyber threat notification.
Pillar 3: Digital Resilience Testing (18 items)Articles 24–27. Covers the testing programme, vulnerability assessments, scenario-based testing, penetration testing, and Threat-Led Penetration Testing (TLPT) for designated entities. TLPT items are marked as conditionally Critical.
Pillar 4: Third-Party ICT Risk Management (20 items)Articles 28–44. Covers the Register of Information (ITS 2024/2956 format), pre-contract due diligence, mandatory contract clauses under Art. 30(2), concentration risk, sub-contracting chains, exit strategies, and CTPP oversight cooperation.
Pillar 5: Information Sharing (4 items)Article 45. Covers voluntary cyber threat intelligence sharing arrangements.
Priority levels explained
Each item is assigned a priority based on regulatory exposure:
- Critical — Must be addressed for compliance. Likely to be reviewed during an NCA supervisory engagement. Missing these items represents direct regulatory risk.
- Important — Expected for proportionate compliance. Should be in place for most entities. These items may not trigger immediate enforcement but will be noted in supervisory assessments.
- Supplementary — Best practice or conditionally applicable. Lower regulatory exposure but recommended for entities aiming for maturity level 4 or above.
Of the 95 items, 43 are Critical, 35 are Important, and 17 are Supplementary.
The maturity scale
The template uses a 1–5 maturity scale aligned with industry practice:
Level 1 — Initial/Ad Hoc. No formal processes. Reactive, undocumented. Level 2 — Developing/Basic. Basic processes exist but inconsistent or partially documented. Level 3 — Defined/Established. Documented, standardised, consistently followed. Meets minimum DORA requirement. This is the target for most items. Level 4 — Managed/Measured. Monitored with KPIs, regularly reviewed. Full compliance with comprehensive evidence. Level 5 — Optimized/Leading. Continuous improvement, automated where possible. Exceeds DORA requirements.Most entities should target Level 3 across all Critical items as a baseline, with Level 4 for items that are particularly visible to supervisors (management body accountability, incident reporting, Register of Information).
How to use the template
- Download the Excel template and open the Checklist sheet
- Work through each pillar sequentially, assessing each item against your current posture
- Set the Current Maturity (1–5) and Status using the dropdown fields
- Record evidence — what documentation supports your assessment?
- Assign an owner and deadline for items that are not yet Fully Compliant
- Use Remediation Notes to document the actions needed to close each gap
- Review the Summary Dashboard — it auto-calculates your compliance percentage and average maturity per pillar
- Present to management body — the dashboard provides a clear overview for governance reporting under Art. 5(4)
Download
Download Excel Template — Editable workbook with 95 items, maturity scoring, auto-dashboard Download PDF Guide — 13-page companion guide with full checklist, maturity framework, and RTS/ITS referenceBoth files are free to use. No account required.
Automate your DORA compliance
This template gives you a structured starting point. For ongoing compliance management — including automated asset registers, incident reporting with ITS templates, Register of Information with 85-rule validation, risk assessment workflows, and 360° intelligence across your ICT estate — explore the DORA GRC platform or take the free automated gap analysis to get your maturity score in 3 minutes.