March 2026·11 min read·DORA

DORA Compliance Checklist for Small Financial Firms

A practical guide to DORA for smaller financial entities — the 5 pillars, proportionality, and a step-by-step approach to compliance.

The Digital Operational Resilience Act (DORA) is the EU's new regulation ensuring that financial entities can withstand, respond to, and recover from ICT-related disruptions. If you are a smaller financial firm — a payment institution, a niche investment firm, a regional insurer, or a crypto-asset service provider — DORA applies to you. And it has been in effect since January 2025.

This guide cuts through the complexity to give you a practical path to compliance, proportionate to your size.

Does DORA apply to your firm?

DORA applies to virtually all regulated financial entities in the EU, including credit institutions, payment institutions, e-money institutions, investment firms, insurance and reinsurance undertakings, crypto-asset service providers, fund managers, central counterparties, trade repositories, crowdfunding platforms, and data reporting service providers.

If you hold any financial license in an EU member state, assume DORA applies. The regulation also covers ICT third-party service providers to financial entities — meaning if you are a cloud or SaaS provider serving financial clients, you may fall under DORA's oversight framework.

There is one significant concession: microenterprises (fewer than 10 employees and under €2M turnover) may apply a simplified ICT risk management framework under Article 16. This means fewer documentation requirements, but the core obligations still apply.

Check your readiness: Use our free DORA Compliance Checker to assess your current posture across all 5 pillars.

The 5 pillars of DORA compliance

Pillar 1: ICT Risk Management

You need a documented ICT risk management framework approved by your management body. For smaller firms, this does not need to be a 100-page document. At minimum it should cover your ICT asset inventory (what systems and data you have), your risk assessment process (what threats you face and how you address them), your protection measures (encryption, access control, endpoint security), and your detection mechanisms (how you would know if something goes wrong).

The management body must approve this framework and take accountability for it. This is not something you can fully delegate — DORA places the responsibility squarely on the board or equivalent governing body.

Pillar 2: ICT Incident Management

DORA requires a formal incident management process with classification criteria. The critical compliance point is the reporting timeline for major incidents: initial notification within 4 hours of classification, an intermediate report within 72 hours, and a final report within one month.

For smaller firms, the key question is: could you classify and report an incident to your competent authority within 4 hours? If the answer is no, this is your most urgent gap. You need predefined classification criteria, clear escalation paths, and template notifications ready to go. Our DORA Compliance Checklist includes an ICT Incident Classification Matrix designed for exactly this purpose.

Pillar 3: Digital Operational Resilience Testing

You must maintain a testing programme proportionate to your size and risk profile. For smaller firms, this typically means annual vulnerability assessments and penetration testing of critical systems, plus scenario-based disaster recovery tests. Larger or more significant firms may also need to conduct Threat-Led Penetration Testing (TLPT) every three years.

The principle of proportionality is your friend here. A 20-person payment firm is not expected to run the same testing programme as a major bank. What matters is that testing is systematic, documented, and that findings are remediated.

Pillar 4: ICT Third-Party Risk

This is often the most complex pillar for smaller firms. You must maintain a register of all ICT third-party provider arrangements, reported annually to your competent authority. For each provider you need to document the services provided, their criticality, data locations, contract terms, and exit strategy.

Contracts with ICT providers must include specific provisions: service descriptions and SLAs, data processing locations, audit and access rights, incident notification obligations, termination and transition procedures, and cooperation with supervisory authorities during inspections.

Concentration risk is another key concern — DORA asks you to assess whether you are overly dependent on a single ICT provider. If your entire infrastructure runs on one cloud platform with no alternative, that is a concentration risk to document and manage.
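An added example, not from the original article or from ClevSec's tools: a small Python check over a constructed ICT provider register that reports missing register fields, missing contract provisions (using the list above), and concentration risk when one provider carries most critical services. The 50% threshold and the provision labels are assumptions.

```python
from collections import defaultdict

# Fields the article says each register entry must document (Pillar 4).
REQUIRED_FIELDS = ("provider", "services", "criticality",
                   "data_locations", "contract_terms", "exit_strategy")

# Contract provisions the article lists; the keys are assumed labels, not DORA terms.
REQUIRED_PROVISIONS = frozenset({
    "service_description_sla", "data_processing_locations", "audit_access_rights",
    "incident_notification", "termination_transition", "supervisory_cooperation",
})

# Constructed sample register: hypothetical providers, not real firms.
REGISTER = [
    {"provider": "CloudCo", "services": ["core ledger hosting", "backups"],
     "criticality": "critical", "data_locations": ["EU"],
     "contract_terms": set(REQUIRED_PROVISIONS),
     "exit_strategy": "Restore latest backup onto a second hosting provider"},
    {"provider": "CloudCo", "services": ["payment gateway"],
     "criticality": "critical", "data_locations": ["EU"],
     "contract_terms": {"service_description_sla", "data_processing_locations"},
     "exit_strategy": ""},  # gap: no documented exit strategy
    {"provider": "MailSaaS", "services": ["email"], "criticality": "non-critical",
     "data_locations": ["US"], "contract_terms": set(REQUIRED_PROVISIONS),
     "exit_strategy": "Export mailboxes and switch MX records"},
]

def check_entry(entry):
    """Return the register fields and contract provisions an entry is missing."""
    missing_fields = [f for f in REQUIRED_FIELDS if not entry.get(f)]
    missing_terms = sorted(REQUIRED_PROVISIONS - set(entry.get("contract_terms", ())))
    return {"missing_fields": missing_fields, "missing_provisions": missing_terms}

def concentration_risk(register, threshold=0.5):
    """Share of critical services per provider; providers above the assumed threshold are flagged."""
    counts = defaultdict(int)
    for e in register:
        if e.get("criticality") == "critical":
            counts[e["provider"]] += len(e.get("services", []))
    total = sum(counts.values())
    return {p: n / total for p, n in counts.items() if total and n / total > threshold}

def review(register):
    """One report for the whole register: per-entry gaps plus concentration flags."""
    gaps = {}
    for i, e in enumerate(register):
        result = check_entry(e)
        if result["missing_fields"] or result["missing_provisions"]:
            gaps[f"{e.get('provider', '?')}#{i}"] = result
    return {"gaps": gaps, "concentration": concentration_risk(register)}
```

Running `review(REGISTER)` flags the second CloudCo arrangement for its empty exit strategy and four missing provisions, and flags CloudCo itself because it carries every critical service.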

Pillar 5: Information Sharing

DORA encourages (but does not mandate) participation in cyber threat intelligence sharing arrangements. For smaller firms, this might mean joining a sector-specific ISAC (Information Sharing and Analysis Centre) or subscribing to threat intelligence feeds from your national CSIRT. Even informal information sharing with peer firms counts.

A practical compliance roadmap

Month 1: Foundations. Create or update your ICT risk management framework. Inventory all ICT assets and third-party providers. Get management body approval. Use our DORA Compliance Checker for a baseline assessment.

Month 2: Incident readiness. Establish your incident classification scheme and reporting procedures. Create notification templates for your competent authority. Test the 4-hour notification workflow with a tabletop exercise.

Month 3: Third-party register. Build your ICT provider register with all required fields. Review existing contracts against DORA Article 30 requirements. Identify contracts that need amendments and begin negotiations.

Months 4-6: Testing and ongoing operations. Conduct vulnerability assessments and penetration testing. Document your testing programme. Establish quarterly review cycles for the ICT risk framework and third-party register.

DORA vs NIS2 — do I need both?

If you are a financial entity subject to DORA, DORA's requirements for ICT risk management and incident reporting apply in place of NIS2's — DORA takes precedence under the lex specialis principle. However, NIS2 may still apply for areas not specifically covered by DORA. In practice, a firm compliant with DORA will largely satisfy NIS2 requirements as well. Use our NIS2 Readiness Assessment to check for any additional obligations.


This article is for informational purposes only and does not constitute legal advice. Last updated: March 2026.