← All posts

DORA Compliance Checklist Template 2026: Free Excel & PDF Download

Every financial entity subject to DORA needs a structured way to assess its compliance posture. A checklist on a website is useful for orientation, but what compliance teams actually need is an editable, trackable workbook they can fill in, assign owners to, and present to the management body.

We have built exactly that. This post introduces our free DORA compliance checklist template — a professional Excel workbook and companion PDF guide covering 95 requirements across all five DORA pillars, mapped to specific articles and Regulatory Technical Standards.

What is in the template?

Excel Workbook (5 sheets)

Checklist sheet — 95 items organised by pillar, each with:
  • DORA article reference (Art. 5 through Art. 45)
  • RTS/ITS reference (CDR 2024/1774, CIR 2024/2956, etc.)
  • Priority level (Critical, Important, Supplementary)
  • Dropdown fields for maturity scoring (1–5), status, target maturity
  • Columns for evidence, owner, deadline, and remediation notes
Summary Dashboard — Auto-calculated compliance posture per pillar using formulas (COUNTIF/AVERAGE). Shows total items, fully compliant count, compliance percentage, and average maturity for each pillar. Also includes a priority breakdown showing how many Critical vs Important items have been addressed. Maturity Scale — Full description of each maturity level (1–5) with guidance on what evidence looks like at each level and how to self-assess honestly. RTS/ITS Reference — All 11 regulatory technical standards and implementing technical standards mapped to DORA articles, so you can trace each requirement back to the specific delegated regulation. Instructions — How to use the template, the maturity scale legend, status values, and priority definitions.

PDF Guide (13 pages)

The companion PDF is designed to be read alongside the Excel template or printed for reference during workshops and management body presentations. It includes:

  • Introduction to DORA and its five-pillar structure
  • Step-by-step instructions for conducting a self-assessment
  • The full maturity assessment framework (1–5 scale)
  • All 95 checklist items organised by pillar with article references
  • RTS/ITS quick reference table
  • Next steps and links to automated tools

How the 95 items are organised

The checklist covers every article in the DORA regulation that creates a compliance obligation:

Pillar 1: ICT Governance & Risk Management (37 items)

Articles 5–16. Covers management body accountability, the ICT risk management framework, asset identification and classification, protection controls, detection and monitoring, business continuity, backup and recovery, learning and communication. This is the largest pillar because it spans the full ICT risk lifecycle.

Pillar 2: Incident Management & Reporting (16 items)

Articles 17–23. Covers incident classification using CDR 2024/1772 criteria, the three-phase reporting timeline (4 hours, 72 hours, 1 month), ITS reporting templates, and voluntary cyber threat notification.

Pillar 3: Digital Resilience Testing (18 items)

Articles 24–27. Covers the testing programme, vulnerability assessments, scenario-based testing, penetration testing, and Threat-Led Penetration Testing (TLPT) for designated entities. TLPT items are marked as conditionally Critical.

Pillar 4: Third-Party ICT Risk Management (20 items)

Articles 28–44. Covers the Register of Information (ITS 2024/2956 format), pre-contract due diligence, mandatory contract clauses under Art. 30(2), concentration risk, sub-contracting chains, exit strategies, and CTPP oversight cooperation.

Pillar 5: Information Sharing (4 items)

Article 45. Covers voluntary cyber threat intelligence sharing arrangements.

Priority levels explained

Each item is assigned a priority based on regulatory exposure:

  • Critical — Must be addressed for compliance. Likely to be reviewed during an NCA supervisory engagement. Missing these items represents direct regulatory risk.
  • Important — Expected for proportionate compliance. Should be in place for most entities. These items may not trigger immediate enforcement but will be noted in supervisory assessments.
  • Supplementary — Best practice or conditionally applicable. Lower regulatory exposure but recommended for entities aiming for maturity level 4 or above.

Of the 95 items, 43 are Critical, 35 are Important, and 17 are Supplementary.

The maturity scale

The template uses a 1–5 maturity scale aligned with industry practice:

Level 1 — Initial/Ad Hoc. No formal processes. Reactive, undocumented. Level 2 — Developing/Basic. Basic processes exist but inconsistent or partially documented. Level 3 — Defined/Established. Documented, standardised, consistently followed. Meets minimum DORA requirement. This is the target for most items. Level 4 — Managed/Measured. Monitored with KPIs, regularly reviewed. Full compliance with comprehensive evidence. Level 5 — Optimized/Leading. Continuous improvement, automated where possible. Exceeds DORA requirements.

Most entities should target Level 3 across all Critical items as a baseline, with Level 4 for items that are particularly visible to supervisors (management body accountability, incident reporting, Register of Information).

How to use the template

  • Download the Excel template and open the Checklist sheet
  • Work through each pillar sequentially, assessing each item against your current posture
  • Set the Current Maturity (1–5) and Status using the dropdown fields
  • Record evidence — what documentation supports your assessment?
  • Assign an owner and deadline for items that are not yet Fully Compliant
  • Use Remediation Notes to document the actions needed to close each gap
  • Review the Summary Dashboard — it auto-calculates your compliance percentage and average maturity per pillar
  • Present to management body — the dashboard provides a clear overview for governance reporting under Art. 5(4)

Download

Download Excel Template — Editable workbook with 95 items, maturity scoring, auto-dashboard Download PDF Guide — 13-page companion guide with full checklist, maturity framework, and RTS/ITS reference

Both files are free to use. No account required.

Automate your DORA compliance

This template gives you a structured starting point. For ongoing compliance management — including automated asset registers, incident reporting with ITS templates, Register of Information with 85-rule validation, risk assessment workflows, and 360° intelligence across your ICT estate — explore the DORA GRC platform or take the free automated gap analysis to get your maturity score in 3 minutes.

Ready to simplify DORA compliance?

Purpose-built platform for EU financial entities. Start your free trial today.

Get Started →