Applicability: DORA (Regulation (EU) 2022/2554) applies to EU/EEA-regulated financial entities listed under
Article 2(1) — banks, investment firms, payment and e-money institutions, insurers, crypto-asset service providers,
trading venues, and others — and to their critical ICT third-party providers (Art. 31). It has applied since
17 January 2025. If this client is not an EU/EEA financial entity and does not provide critical ICT services to one,
mark this checklist not applicable and record that in the notes field rather than deleting it, so the exclusion is
itself documented. Items that overlap with technical backup/testing controls point to the relevant checklist rather
than duplicating it — DORA layers specific regulatory obligations on top of the same underlying technical work.
Art. 28 DORA article referenceBeyond DORA minimum — stricter recommended practiceConditional applies only if entity is in scope for this specific obligation