How DORA-ready are you?

1. Do you have a documented ICT risk-management framework owned and approved by your management body?

2. Do you maintain a complete inventory of ICT assets and their dependencies, including third-party services?

3. Is there a defined ICT-related incident management process with consistent classification of incidents?

4. Can you produce major-incident reports to regulatory deadlines (initial, intermediate, final)?

5. Do you have a business continuity policy with recovery objectives (RTO/RPO) derived from a business impact analysis?

6. Are backup and restoration procedures in place and tested?

7. Do you run a digital operational resilience testing programme (e.g. vulnerability assessments, scenario tests)?

8. Do you maintain a Register of Information on contractual arrangements with ICT third-party providers?

9. Do your ICT third-party contracts contain the required provisions, including the enhanced set for critical/important functions?

10. Have you identified your critical or important functions and assessed ICT concentration risk?