DORA is no longer a future plan: it applies today across the EU financial sector. The regulation sets uniform expectations for incident reporting, ICT risk management, testing, and third-party oversight, and it does so with legal force. If a team wants the primary source, point them to the official text where DORA now applies on EUR-Lex Regulation (EU) 2022/2554. Sector supervisors have aligned around that baseline: the European authorities maintain hubs such as EIOPA’s DORA portal that collect the current standards and guidance.
For diligence, this changes the posture from “tell me your policy” to “show me proof.” Buyers, investors, and internal second-line reviewers will want exportable logs, versioned procedures, evidence of drills, and contracts that contain the right clauses.
DORA covers banks, insurers, payment and e-money institutions, investment firms, market infrastructures, fund managers, and a long list of related entities. It also pulls in ICT third-party providers through oversight and contractual requirements. Proportionality still applies; responsibilities do not disappear. The scope and responsibilities are laid out in the sector-wide rules within Regulation (EU) 2022/2554 and summarized across supervisor portals such as EIOPA’s DORA page.
What “good” looks like in 2025 maps to five pillars:
- ICT risk management with governance, inventories, and monitoring
- Incident reporting using a shared taxonomy and thresholds
- Testing programs; for some firms: threat-led penetration testing
- ICT third-party risk and contract controls
- Sector information sharing where appropriate
Anchoring each pillar to primary sources during diligence helps reviewers move quickly and reduces back-and-forth.
Due Diligence Redefined: From Paper to Proof
DORA turns due diligence into an evidence exercise. Policies matter, but outcomes matter more: can the firm show a working incident classification, a recent drill with timestamps, and remediation SLAs that were actually met; can it export who accessed a sensitive playbook and when; can it prove that provider contracts grant audit and exit rights.
Build the room to answer those questions without a call:
- Store each claim next to its artifact: policy, log extract, report, or contract clause
- Keep sensitive files revocable after download
- Make reviewer trails exportable
- Resolve questions beside the file using EZ Q&A so decisions are auditable
When the room is structured this way, reviewers can verify controls in minutes instead of days.
What Requirements Are Live Now
DORA’s clock is already running. The sections below translate the immediate expectations into due-diligence asks and link to the rules that set them.
Incident Reporting: Classifications and Timelines
Firms need a consistent method to decide what is reportable and how fast to notify. The European Banking Authority has adopted RTS on criteria for classifying ICT incidents and cyber threats that define materiality thresholds and data points; those criteria live on the EBA’s page for Regulatory Technical Standards on the classification of ICT-related incidents.
A diligence room should include the incident taxonomy, playbooks that embed those thresholds, timer evidence from the last drill, and templates for regulator notifications.
Testing and TLPT: Who Must Red-team and When
Every firm must test. Some firms must go further: supervisors may designate entities for Threat-Led Penetration Testing with an intelligence-led scope. DORA Article 26 establishes TLPT, and the European Supervisory Authorities have published the TLPT RTS that explain scoping, independence, and cadence. Link reviewers to Article 26 via a consolidated reference such as Article 26: Threat-led penetration testing and to the ESAs’ TLPT RTS final text collected under supervisory portals like EIOPA’s DORA hub.
In the room: include the annual testing calendar, recent results with closures, and, where applicable, last TLPT scope, scenarios, and closure evidence.
ICT Third-party Contracts: The Clauses That Must Exist
DORA standardizes what needs to be in ICT contracts: access and audit rights, sub-outsourcing controls, data location and portability, incident cooperation, termination and exit support. The contractual requirements and the principle that the financial entity retains responsibility are in the third-party risk sections of Regulation (EU) 2022/2554. A diligence room should show the ICT provider register, criticality tags, the clause checklist, and sample executed contracts that meet those terms.
Oversight of Critical ICT Providers: What Buyers Should See
The ESAs have stood up an oversight model for providers designated as “critical,” coordinated by a Joint Oversight Forum. Firms should track whether their core vendors fall into scope and what supervisory expectations follow. Reviewers appreciate a short memo that explains concentration assumptions and references the ESAs’ oversight framework via supervisor resources such as EIOPA’s DORA portal. In the room: include concentration analyses, any supervisory correspondence, and contingency or exit plans for critical services.
To make those sections stick, keep the mechanics simple.
The DORA Diligence Checklist for 2025
Build a room that answers questions without a meeting. Keep structure tight: a few folders, clear labels, and each claim next to its proof.
Governance and ICT Risk Management Pack
Post the board-approved ICT risk policy suite, named roles, and your risk register with current KRIs. Link the obligations back to governance and risk in Regulation (EU) 2022/2554 so reviewers can align language and expectations. Keep these files where provenance is obvious using document management with tracking.
Incident Program and Reporting Readiness
Include the incident taxonomy, the materiality checklist, and playbooks that embed the classification criteria and thresholds set out in the EBA’s Regulatory Technical Standards on incident classification. Add evidence from a recent drill: timestamps, who was notified, and how the clock was tracked.
Testing Library and TLPT Evidence
Show the annual test calendar, the last three remediation cycles, and closure rates. If you are in the bucket for Threat-Led Penetration Testing, include scope, scenarios, providers, and closure evidence tied to Article 26 via Threat-Led Penetration Testing in DORA and the ESAs’ TLPT RTS referenced on EIOPA’s DORA hub.
ICT Third-party Register and Contracts
Publish the mandatory register: providers, services, data classes, and criticality tags. Attach sample agreements that contain the contractual requirements DORA expects: access and audit rights; sub-outsourcing controls; data location and portability; incident cooperation; termination and exit support. The rule text in the third-party risk sections of Regulation (EU) 2022/2554 is your anchor for clause wording.
Concentration and Critical Provider Notes
Summarize concentration risk across cloud, payments, and core platforms. If any vendor may fall under the ESAs’ oversight model for critical ICT providers, include a short memo and any correspondence, and point reviewers to the oversight framework materials on EIOPA’s DORA portal.
Procurement and M&A Under DORA
Procurement first. Update pre-award questionnaires so they map directly to DORA contract obligations in Regulation (EU) 2022/2554: right to audit; data location commitments; sub-outsourcing approvals; incident cooperation timelines; exit and portability. Ask suppliers to place proofs in the room: certifications, pen-test summaries, and sample notification templates.
For M&A, triage value drivers quickly:
- TLPT significance and calendar alignment to Article 26 expectations through Threat-Led Penetration Testing in DORA
- Incident program maturity against the EBA’s incident classification RTS
- Quality of the ICT provider register and contract clauses tied to third-party risk in Regulation (EU) 2022/2554
- Concentration exposure and any critical-provider touchpoints supported by EIOPA’s DORA materials
Gaps convert to terms: price, escrow, or post-close plans with dated milestones. Keep the plan visible in the room and track access to it.
Turn DORA Into a Diligence Advantage
DORA is live and the bar is clear: supervisors and buyers want proof, not posture. Keep the rule text close through Regulation (EU) 2022/2554, then make the deal room do the heavy lifting: track provenance with Caplinked’s audit trail feature, keep sensitive files under control with FileProtect, and organize evidence so every claim sits beside its artifact using document management with tracking.
When a reviewer can see the requirement, the control, and the log in one place, diligence stops being a debate and becomes a confirmation.
