DORA (Digital Operational Resilience Act) Compliance Checklist for Software Development
Our world has become increasingly dependent on digital infrastructure and third-party service providers in recent years. While this streamlines many aspects, it also makes us more vulnerable to cyberattacks, IT outages, and operational failures. High-profile incidents like the CrowdStrike fiasco have underscored the need for stronger operational resilience. By setting clear expectations for how financial institutions and their Information and Communication Technology (ICT) providers manage disruptions, DORA aims to prevent systemic failures and protect market stability.
However, this doesn’t only apply to the financial institutions themselves. While financial institutions have direct compliance obligations, software providers are a critical part of the financial services supply chain and must also ensure that their systems, processes, and infrastructure meet DORA’s standards.
What is DORA Compliance?
The Digital Operational Resilience Act (DORA) is a European Union regulation that establishes a unified framework for managing ICT risk in the financial sector. Its goal is to make sure that financial institutions can withstand, respond to, and recover from disruptions caused by cyberattacks, internal system failures, or third-party service outages — without compromising business continuity or customer data security.
For software vendors, DORA compliance means:
- Building security and resilience into software development and deployment lifecycles from the start
- Validating that software products support financial institutions' ability to monitor, manage, and recover from ICT-related disruptions
- Providing the necessary data, logs, and reporting capabilities to facilitate traceability, and support client compliance
- Mitigating third-party risk through secure coding, threat modeling, and vendor oversight
Summary: The Digital Operational Resilience Act (DORA) is a regulatory framework to help financial institutions and their tech providers in the EU prevent and recover from IT disruptions and cyberattacks.
Timeline: DORA was adopted on January 16, 2023, and went into effect for financial institutions and their ICT providers on January 17, 2025. On April 30, 2025, European Supervisory Authorities will collect registers of information on third-party ICT arrangements from financial institutions.
Who Does it Apply To?
DORA applies to a wide range of organizations and entities, as well as their third-party ICT service providers, including:
- Banks and credit institutions
- Investment firms
- Insurance and reinsurance companies
- Payment and electronic money institutions
- Cryptocurrency service providers
- Third-party ICT providers (cloud service providers, data centers, software platforms, etc.)
This wide scope reflects how interconnected modern financial services are: the failure of a single provider (such as a software vendor) could have a domino effect across multiple institutions and markets.
Penalties for Non-Compliance
While DORA’s direct penalties primarily apply to financial institutions, software vendors face indirect consequences if their products or services contribute to non-compliance.
For Financial Institutions:
- Fines of up to 2% of total annual turnover
- Fines of up to €1,000,000 for individuals
- Regulatory sanctions, including business restrictions and public censure
- Damage to market reputation and potential loss of client trust
For Software Vendors:
- Fines of up to €5,000,000 for critical third-party ICT service providers
- Fines of up to €500,000 for individuals
- ICT providers may be fined every day for up to six months until they comply with regulations
- Contract termination or loss of business from financial clients
- Increased liability in the event of security breaches or operational failures
- Reputational damage if products are linked to client non-compliance or operational disruptions
- Greater scrutiny from regulators and financial institutions when securing new contracts
DORA Compliance Requirements
DORA outlines five key areas where financial institutions must have controls and governance structures in place to establish operational resilience.
1. ICT Risk Management: As mentioned earlier, a cyberattack or system failure often disrupts more than just one organization — it affects the entire market. Because of this, DORA elevates ICT risk to a distinct category separate from general operational risk, indicating its growing importance in financial stability.
- Financial institutions must establish and maintain a comprehensive ICT risk management framework to identify, assess, and mitigate operational risks
- This includes regular risk identification and assessment, establishing internal controls to mitigate risks, and monitoring the effectiveness of these controls
2. Incident Reporting: Fast and accurate reporting enables regulators to evaluate the systemic impact of ICT incidents and helps institutions identify recurring vulnerabilities and improve their response strategies.
- Institutions are required to monitor, log, and report ICT-related incidents to regulatory authorities within strict timelines
- This includes developing formal procedures for incident classification and maintaining detailed records of each incident’s impact, as well as corrective actions taken
3. Third-Party Oversight: Financial institutions increasingly rely on third-party providers for core operations, creating systemic risk. A failure at a major cloud provider or payment processor could ripple across the entire financial sector. DORA ensures that institutions have visibility and control over these external dependencies.
- Institutions must manage risks posed by third-party ICT service providers, including cloud services and software platforms
- This includes conducting due diligence when selecting third-party providers, setting clear risk management and security requirements in contracts, monitoring vendor performance, and establishing contingency plans in case a third-party service fails
4. Operational Resilience & Recovery: Testing verifies that institutions are not merely prepared for routine technical failures but are actually equipped to handle cyberattacks, service outages, and other high-impact disruptions.
- Regular testing of ICT systems is required to verify resilience under different operational scenarios
- This includes performing vulnerability scans and penetration tests, simulating real-world attacks and evaluating the response, and identifying and addressing weaknesses uncovered during testing
5. Data Protection & Security: Information sharing helps organizations stay ahead of emerging threats and develop more effective defense strategies. Cybercriminals often use similar attack methods, so shared intelligence helps identify and respond to patterns more quickly.
- Institutions must participate in information-sharing frameworks to improve threat detection, incident response, and collective resilience
- This includes industry-wide threat-sharing initiatives, establishing secure channels for sharing sensitive information, and maintaining confidentiality and data protection while sharing this data
DORA Compliance Checklist for Software
The checklist below is designed for software vendors and providers to align their products and services with DORA’s five key compliance areas:
✅ ICT Risk Management
Software developers need to integrate risk management into the development lifecycle from the start and confirm that their products help financial clients meet DORA’s risk identification, assessment, and mitigation requirements.
Governance & Oversight
- Establish a formal ICT risk management policy aligned with DORA standards
- Assign a senior risk officer responsible for ICT risk governance
- Define roles and responsibilities for identifying and managing software-related risks
- Conduct regular internal audits of risk management processes
Risk Identification & Assessment
- Identify potential threats to software infrastructure (e.g. cyberattacks, software vulnerabilities, data breaches, and dependency failures)
- Assess risks based on probability and impact
- Maintain an up-to-date risk register for all identified threats
Secure Software Development
- Implement secure coding practices (e.g. OWASP)
- Use threat modeling during development to anticipate vulnerabilities
- Perform static and dynamic code analysis for vulnerabilities
- Introduce automated security testing in the CI/CD pipeline
Risk Monitoring & Reporting
- Develop real-time dashboards for monitoring software health and security
- Provide APIs for financial clients to access risk data
- Establish automated alerts for critical events (e.g. system outages, security breaches)
- Include logging mechanisms to capture and analyze security-related events
✅ Incident Reporting
Software vendors should also provide clients with the tools and processes to identify, escalate, and resolve ICT incidents while complying with DORA's strict reporting timelines.
Incident Detection & Logging
- Embed real-time logging and anomaly detection in software products
- Ensure logs capture key details (e.g. timestamps, user activity, system status, error details)
- Encrypt logs to prevent unauthorized access
Incident Classification & Response
- Implement a standardized incident classification framework (e.g. severity levels)
- Provide automated triage to assess incident severity and scope
- Create automated playbooks for common incident types
Regulatory Reporting Support
- Provide incident data in a format suitable for regulatory reporting
- Ensure logs and audit trails meet regulatory retention periods
- Build in automated alerts when incidents require regulatory reporting
- Ensure all incident data is accessible for audits
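The checklist above asks for a standardized classification framework, automated alerts when an incident crosses into regulatory-reporting territory, and incident data in a format a client can hand to its regulator. The following script is an added example, not code from the original article or from any vendor it mentions. The severity tiers, the "major incident" criteria and the reporting windows it uses are illustrative assumptions; a real implementation takes those values from the regulation's technical standards and from the client's own classification policy.

```python
"""Incident classification and regulatory-reporting deadline tracker.

Added example, not part of the original checklist. Severity tiers,
"major incident" criteria and reporting windows are ILLUSTRATIVE
ASSUMPTIONS; take the real values from the regulation and the client's policy.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Dict, List, Optional, Set


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Assumed thresholds: breaching any one makes the incident "major".
MAJOR_CRITERIA = {"clients_affected": 1000, "downtime_minutes": 60}

# Assumed reporting windows, counted from the moment of classification.
REPORTING_WINDOWS = {
    "initial_notification": timedelta(hours=4),
    "intermediate_report": timedelta(hours=72),
    "final_report": timedelta(days=30),
}


@dataclass
class Incident:
    incident_id: str
    detected_at: datetime              # timezone-aware UTC
    description: str
    clients_affected: int = 0
    downtime_minutes: int = 0
    data_loss: bool = False
    resolved_at: Optional[datetime] = None
    classified_at: Optional[datetime] = None
    severity: Severity = Severity.LOW
    actions: List[str] = field(default_factory=list)


def is_major(inc: Incident) -> bool:
    """Tie the 'must notify the regulator' decision to measurable impact so it is auditable."""
    return (inc.data_loss
            or inc.clients_affected >= MAJOR_CRITERIA["clients_affected"]
            or inc.downtime_minutes >= MAJOR_CRITERIA["downtime_minutes"])


def classify(inc: Incident, now: datetime) -> Severity:
    """Assign a severity tier and record when it happened; deadlines run from this timestamp."""
    if inc.data_loss or inc.clients_affected >= MAJOR_CRITERIA["clients_affected"]:
        sev = Severity.CRITICAL
    elif inc.downtime_minutes >= MAJOR_CRITERIA["downtime_minutes"]:
        sev = Severity.HIGH
    elif inc.downtime_minutes > 0 or inc.clients_affected > 0:
        sev = Severity.MEDIUM
    else:
        sev = Severity.LOW
    inc.severity, inc.classified_at = sev, now
    return sev


def reporting_deadlines(inc: Incident) -> Dict[str, datetime]:
    """Absolute deadline per report; empty when no regulatory reporting is required."""
    if not is_major(inc) or inc.classified_at is None:
        return {}
    return {name: inc.classified_at + window for name, window in REPORTING_WINDOWS.items()}


def overdue_reports(inc: Incident, now: datetime, submitted: Set[str]) -> List[str]:
    """Reports whose deadline has passed without submission; drives the escalation alert."""
    return [name for name, due in reporting_deadlines(inc).items()
            if now > due and name not in submitted]


def export_record(inc: Incident) -> str:
    """JSON with ISO-8601 UTC timestamps, so a client's reporting tooling can consume it unchanged."""
    rec = {
        "incident_id": inc.incident_id,
        "severity": inc.severity.name,
        "major": is_major(inc),
        "detected_at": inc.detected_at.isoformat(),
        "classified_at": inc.classified_at.isoformat() if inc.classified_at else None,
        "resolved_at": inc.resolved_at.isoformat() if inc.resolved_at else None,
        "impact": {"clients_affected": inc.clients_affected,
                   "downtime_minutes": inc.downtime_minutes, "data_loss": inc.data_loss},
        "deadlines": {k: v.isoformat() for k, v in reporting_deadlines(inc).items()},
        "corrective_actions": inc.actions,
    }
    return json.dumps(rec, indent=2, sort_keys=True)


def run_sample() -> dict:
    """Constructed sample incident (not real data): classified 30 min after detection,
    checked for overdue reports 6 h after detection with nothing yet submitted."""
    t0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    inc = Incident("INC-0001", t0, "Payment API outage", clients_affected=2500,
                   downtime_minutes=95, actions=["Rolled back the faulty release"])
    classify(inc, t0 + timedelta(minutes=30))
    record = json.loads(export_record(inc))
    return {"severity": record["severity"], "major": record["major"],
            "initial_due": record["deadlines"]["initial_notification"],
            "overdue_at_6h": overdue_reports(inc, t0 + timedelta(hours=6), set())}


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

The point of keeping the classification rule, the "major" test and the deadline arithmetic in code rather than in a runbook is that the same rule runs every time, and the exported record carries both the decision and the data it was based on, which is what an auditor asks for.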
✅ Third-Party Oversight
Software providers’ supply chains and subcontractors must also meet DORA standards to prevent downstream compliance failures.
Vendor Selection & Due Diligence
- Perform security and resilience audits of third-party code and services
- Require subcontractors to meet DORA compliance standards
Third-Party Risk Monitoring
- Continuously monitor third-party performance and security posture
- Include dependency vulnerability checks in CI/CD pipelines
- Build real-time alerts for third-party failures and performance degradation
Exit and Contingency Planning
- Develop plans for replacing third-party providers if they fail to meet compliance standards
- Ensure business continuity during supplier transitions
- Maintain backups of third-party data and configurations
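"Include dependency vulnerability checks in CI/CD pipelines" is the one item in this section that is pure engineering, so here is an added example of the gate logic, not code from the original article or from any vendor it mentions. The component inventory, the advisory feed, the package names and the advisory identifiers are all constructed sample data; in a real pipeline the inventory comes from the build's SBOM or lockfile and the advisories from a vulnerability database. The time-boxed risk acceptance is an assumption about how a team records an accepted finding in its risk register.

```python
"""CI dependency-vulnerability gate with time-boxed risk acceptances.

Added example, not from the original checklist. All package names,
versions and advisory ids are CONSTRUCTED; none refer to real software.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: str          # first vulnerable version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None = no fix yet
    severity: str


@dataclass(frozen=True)
class RiskAcceptance:
    advisory_id: str
    expires: date            # acceptance lapses automatically on this date
    reason: str


@dataclass(frozen=True)
class Finding:
    component: Component
    advisory: Advisory
    accepted: bool


def version_key(v: str) -> tuple:
    """Order dotted versions numerically; a trailing suffix such as 'rc1' is ignored."""
    parts = []
    for p in v.split("."):
        digits = ""
        for ch in p:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(c: Component, a: Advisory) -> bool:
    if c.name.lower() != a.package.lower():
        return False
    v = version_key(c.version)
    if v < version_key(a.introduced):
        return False
    return a.fixed is None or v < version_key(a.fixed)


def scan(components: Iterable[Component], advisories: Iterable[Advisory],
         acceptances: Iterable[RiskAcceptance], today: date) -> List[Finding]:
    """Match every component against every advisory; expired acceptances no longer count."""
    active = {acc.advisory_id for acc in acceptances if acc.expires >= today}
    return [Finding(c, a, a.advisory_id in active)
            for c in components for a in advisories if is_affected(c, a)]


def gate(findings: List[Finding], fail_on: str = "HIGH") -> Tuple[bool, List[str]]:
    """Block the build on unaccepted findings at or above fail_on; report the rest."""
    threshold = SEVERITY_RANK[fail_on]
    passed, msgs = True, []
    for f in findings:
        if f.accepted:
            tag = "ACCEPTED"
        elif SEVERITY_RANK[f.advisory.severity] >= threshold:
            tag, passed = "BLOCK", False
        else:
            tag = "WARN"
        fix = f.advisory.fixed or "no fix available"
        msgs.append(f"{tag}: {f.component.name}=={f.component.version} "
                    f"{f.advisory.advisory_id} ({f.advisory.severity}); fixed in {fix}")
    return passed, msgs


# Constructed sample inventory and advisory feed (fictitious packages and ids).
SAMPLE_COMPONENTS = [Component("libfoo", "1.4.2"), Component("netparse", "2.0.0"),
                     Component("tlsutil", "0.9.1")]
SAMPLE_ADVISORIES = [
    Advisory("EX-2025-0001", "libfoo", "1.0.0", "1.4.3", "HIGH"),
    Advisory("EX-2025-0002", "netparse", "2.0.0", None, "CRITICAL"),
    Advisory("EX-2025-0003", "tlsutil", "0.9.0", "1.0.0", "MEDIUM"),
    Advisory("EX-2025-0004", "libfoo", "1.4.0", "1.4.1", "LOW"),   # already fixed in 1.4.2
]
SAMPLE_ACCEPTANCES = [RiskAcceptance("EX-2025-0002", date(2025, 12, 31),
                                     "vulnerable code path not reachable; re-review quarterly")]


def sample_run(today_iso: str) -> Tuple[bool, List[str]]:
    findings = scan(SAMPLE_COMPONENTS, SAMPLE_ADVISORIES, SAMPLE_ACCEPTANCES,
                    date.fromisoformat(today_iso))
    return gate(findings)


if __name__ == "__main__":
    import sys
    ok, messages = sample_run(date.today().isoformat())
    print("\n".join(messages))
    sys.exit(0 if ok else 1)
```

Two details matter for the oversight checklist: the acceptance carries an expiry, so a finding that was consciously accepted resurfaces as a blocker when the review date passes, and an advisory with no fixed version still blocks, because "no patch yet" is exactly the case where the contingency plan for replacing the provider should be consulted.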
✅ Operational Resilience & Recovery
Software vendors have to support the regular resilience testing that financial institutions must perform and validate that their systems can withstand disruptions.
Testing Scope & Frequency
- Include resilience testing as part of the SDLC
- Support penetration testing, red team exercises, and vulnerability scanning
- Simulate load spikes, network failures, and data corruption scenarios
- Automate test cases to ensure repeatability and consistency
Test Reporting & Analysis
- Provide detailed test reports to financial clients
- Identify weaknesses and provide recommended remediation steps
- Build resilience metrics (e.g. mean time to recovery, failure rate) into dashboards
- Ensure test results are accessible to auditors
Disaster Recovery Testing
- Ensure software supports client disaster recovery protocols
- Test data recovery processes under simulated failure conditions
- Verify backup integrity and recovery time objectives (RTO)
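The disaster recovery items above (test recovery under simulated failure, verify backup integrity, check the recovery time objective) can be exercised as a repeatable drill. The script below is an added example, not code from the original article or from any vendor it mentions. It builds a constructed backup set in a temporary directory, records a SHA-256 manifest, performs a timed restore against an assumed 15-minute RTO, then corrupts one backup file to show that the integrity check catches silent tampering. The file contents and the RTO value are assumptions for the demonstration.

```python
"""Backup-integrity and RTO drill.

Added example; not part of the original checklist. Builds a constructed
backup set, verifies it against a SHA-256 manifest, times a restore
against an ASSUMED 15-minute RTO and demonstrates tamper detection.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record digest and size of every file. The manifest is stored outside the
    backup tree; a restore is only trustworthy if it is checked against a manifest
    the backup medium itself could not have altered."""
    entries = {str(p.relative_to(backup_dir)): {"sha256": sha256_file(p), "size": p.stat().st_size}
               for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    manifest = backup_dir.parent / "manifest.json"
    manifest.write_text(json.dumps(entries, indent=2, sort_keys=True))
    return manifest


def verify_backup(backup_dir: Path, manifest: Path) -> List[str]:
    """Return every problem found (missing, altered or unexpected files); empty means intact."""
    expected = json.loads(manifest.read_text())
    present = {str(p.relative_to(backup_dir)) for p in backup_dir.rglob("*") if p.is_file()}
    problems = []
    for rel, meta in expected.items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif sha256_file(backup_dir / rel) != meta["sha256"]:
            problems.append(f"digest mismatch: {rel}")
    for rel in sorted(present - expected.keys()):
        problems.append(f"unexpected file: {rel}")
    return problems


def restore_drill(backup_dir: Path, manifest: Path, target_dir: Path, rto_seconds: float) -> dict:
    """Restore, re-verify the restored copy, and compare elapsed time with the RTO.
    Verification time is inside the measurement: an unverified restore is not a recovery."""
    start = time.monotonic()
    if target_dir.exists():
        shutil.rmtree(target_dir)
    shutil.copytree(backup_dir, target_dir)
    problems = verify_backup(target_dir, manifest)
    elapsed = time.monotonic() - start
    return {"restored_ok": not problems, "problems": problems,
            "elapsed_seconds": round(elapsed, 3), "rto_seconds": rto_seconds,
            "within_rto": elapsed <= rto_seconds}


def run_drill() -> dict:
    """Constructed backup set; exercises the intact case, a timed restore, and a tampered backup."""
    root = Path(tempfile.mkdtemp(prefix="dr-drill-"))
    try:
        backup = root / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "ledger.sql").write_bytes(
            b"-- constructed sample dump\nINSERT INTO accounts VALUES (1, 100);\n")
        (backup / "config.yaml").write_text("service: payments-api\nreplicas: 3\n")
        manifest = write_manifest(backup)
        intact = verify_backup(backup, manifest)
        drill = restore_drill(backup, manifest, root / "restore", rto_seconds=15 * 60)
        # Simulate silent corruption of the backup medium after the manifest was taken.
        (backup / "config.yaml").write_text("service: payments-api\nreplicas: 0\n")
        tampered = verify_backup(backup, manifest)
        return {"intact_problems": intact, "drill": drill, "tampered_problems": tampered}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

The output of `run_drill` is the kind of evidence the "Test Reporting & Analysis" items ask for: a pass/fail on integrity, the measured recovery time next to the objective, and a list of exactly which files failed, which is what an auditor or a client's resilience team needs rather than a bare "backup OK".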
✅ Data Protection & Security
Software providers should participate in threat intelligence sharing and provide threat data in a format suitable for client regulatory reporting.
Internal Threat Intelligence
- Establish a structured process for identifying and sharing internal threats
- Provide clients with automated threat intelligence reports
- Ensure threat intelligence is anonymized to protect client confidentiality
External Collaboration
- Integrate with financial sector threat-sharing platforms (e.g. FS-ISAC)
- Provide clients with APIs to share threat data with regulators
- Enable peer-to-peer information sharing through secure channels
Compliance & Data Protection
- Confirm that threat intelligence sharing complies with GDPR and other data protection laws
- Encrypt shared threat intelligence data
- Provide role-based access to threat data
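The "Internal Threat Intelligence" and "Compliance & Data Protection" items come down to one transformation: an internal alert that names a client must become a record that carries only attacker-side indicators before it leaves the organisation. The script below is an added example, not code from the original article or from any vendor it mentions. The alert, tenant name, addresses and the pseudonymisation key are constructed sample values; the field allowlist and the TLP label are assumptions to replace with your own sharing policy, and the key belongs in a secrets store, not in source.

```python
"""Sanitise an internal alert into a shareable threat-intelligence record.

Added example; not from the original checklist. The alert, tenant name,
IPs and key are CONSTRUCTED; the field allowlist and TLP label are
assumptions to replace with the organisation's sharing policy.
"""
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, timezone
from typing import Any, Dict

# Attacker-side fields that may leave the organisation unchanged (assumed allowlist).
SHAREABLE_FIELDS = {"indicator_type", "indicator", "technique", "confidence", "first_seen"}
# Fields that identify a client and must never appear in a shared record.
CLIENT_FIELDS = {"tenant", "victim_ip", "victim_user", "ticket"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128")]


def is_internal(ip: str) -> bool:
    """RFC 1918, loopback and link-local only. Deliberately not ipaddress.is_private,
    which also flags documentation ranges such as the TEST-NET address in the sample."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash: recipients can correlate two reports about the same client
    without learning who it is, and without the key they cannot brute-force the name."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def sanitise(alert: Dict[str, Any], key: bytes, tlp: str = "AMBER") -> Dict[str, Any]:
    """Allowlist fields, pseudonymise the tenant, scrub internal IPs and e-mail
    addresses from free text, coarsen the timestamp to the hour, and label the record."""
    if alert.get("indicator_type") == "ipv4" and is_internal(alert.get("indicator", "")):
        raise ValueError("refusing to share an internal address as an indicator")
    out = {k: alert[k] for k in SHAREABLE_FIELDS if k in alert}
    if "tenant" in alert:
        out["source_ref"] = pseudonymise(alert["tenant"], key)
    if "first_seen" in alert:
        ts = datetime.fromisoformat(alert["first_seen"]).astimezone(timezone.utc)
        out["first_seen"] = ts.replace(minute=0, second=0, microsecond=0).isoformat()
    if "notes" in alert:
        text = EMAIL_RE.sub("[email]", alert["notes"])
        text = IPV4_RE.sub(lambda m: "[internal-ip]" if is_internal(m.group(0)) else m.group(0), text)
        out["notes"] = text
    out["tlp"] = tlp
    leaked = set(out) & CLIENT_FIELDS
    if leaked:                      # defence in depth against a future allowlist edit
        raise ValueError(f"client-identifying fields would be shared: {sorted(leaked)}")
    return out


# Constructed sample alert. 203.0.113.45 is a documentation (TEST-NET-3) address.
SAMPLE_ALERT = {
    "tenant": "bank-example-01",
    "ticket": "SEC-4411",
    "indicator_type": "ipv4",
    "indicator": "203.0.113.45",
    "technique": "credential stuffing",
    "confidence": 80,
    "first_seen": "2025-02-10T14:37:21+00:00",
    "victim_ip": "10.20.30.40",
    "victim_user": "j.doe@bank-example.test",
    "notes": "Source 203.0.113.45 hit login from 10.20.30.40 for j.doe@bank-example.test",
}
DEMO_KEY = b"constructed-demo-key-replace-me"   # assumption: real key lives in a secrets store


def sample_share() -> Dict[str, Any]:
    return sanitise(SAMPLE_ALERT, DEMO_KEY)


if __name__ == "__main__":
    import json
    print(json.dumps(sample_share(), indent=2, sort_keys=True))
```

Encryption of the record in transit and at rest, and role-based access on the receiving side, sit outside this function: it only guarantees that what is handed to the transport contains nothing the client would object to seeing in another institution's feed.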
Ensure Compliance With Inflectra’s Suite of Tools
As a leading ICT service provider, Inflectra is committed to helping organizations exceed DORA requirements, all while enhancing security and operational efficiency. Unlike generic development tools that treat operational resilience as an add-on, our products’ core designs reflect a deep understanding of compliance-driven development and governance (adhering to GDPR, ISO 27001, ISO 20022, and more).
For example, Spira’s integrated risk heatmaps, notifications, and compliance-driven dashboards facilitate real-time resilience tracking so you can stay ahead of ICT disruptions. From integrated incident reporting to consolidated testing types that follow a unified framework built for compliance, Inflectra delivers the tools financial software needs to meet DORA’s stringent standards, all while reducing complexity and cost. Hear from our partners what makes Spira so valuable, or try for yourself with a free 30-day trial.