Guide | Checklist

DORA Compliance Checklist

ICT Risk Management
Do we have processes to identify, monitor, and manage ICT risks? Are our ICT risk management policies and procedures up-to-date and aligned with regulatory requirements? Do we have a process for continuous monitoring of ICT systems and services?

ICT Risk Management

Do we have processes to identify, monitor, and manage ICT risks?
Are our ICT risk management policies and procedures up-to-date and aligned with regulatory requirements?
Do we have a process for continuous monitoring of ICT systems and services?

Incident Reporting
Do we have an incident reporting process in place for security-related incidents? Can we detect, manage, and report significant incidents within the required timeframe? Have we conducted training and awareness programs for incident reporting?

Incident Reporting

Do we have an incident reporting process in place for security-related incidents?
Can we detect, manage, and report significant incidents within the required timeframe?
Have we conducted training and awareness programs for incident reporting?

Information Security
Are our information security measures adequate to protect against ICT risks? Do we regularly review and update our information security policies? Are employees trained on information security protocols and practices?

Information Security

Are our information security measures adequate to protect against ICT risks?
Do we regularly review and update our information security policies?
Are employees trained on information security protocols and practices?

Business Continuity and Disaster Recovery
Do we have a robust business continuity and disaster recovery plan for ICT disruptions? Are these plans tested regularly, and are staff trained on their roles in these plans? Are backup systems and data recovery processes in place and regularly tested?

Business Continuity and Disaster Recovery

Do we have a robust business continuity and disaster recovery plan for ICT disruptions?
Are these plans tested regularly, and are staff trained on their roles in these plans?
Are backup systems and data recovery processes in place and regularly tested?

Resilience Testing
Have we implemented a testing program to assess our ICT systems' resilience? Do we conduct regular penetration testing, vulnerability assessments, and other resilience tests? Are test results reviewed, and are necessary improvements implemented promptly?

Resilience Testing

Have we implemented a testing program to assess our ICT systems' resilience?
Do we conduct regular penetration testing, vulnerability assessments, and other resilience tests?
Are test results reviewed, and are necessary improvements implemented promptly?

Business Continuity and Disaster Recovery
Do we have a robust business continuity and disaster recovery plan for ICT disruptions? Are these plans tested regularly, and are staff trained on their roles in these plans? Are backup systems and data recovery processes in place and regularly tested?

Business Continuity and Disaster Recovery

Do we have a robust business continuity and disaster recovery plan for ICT disruptions?
Are these plans tested regularly, and are staff trained on their roles in these plans?
Are backup systems and data recovery processes in place and regularly tested?

SBOM Creation and Maintenance
Do we generate SBOMs for all software, including third-party and open-source components? Are our SBOMs updated regularly to reflect any changes in the software components? Are we identifying and documenting all software components, including their versions, in our SBOMs? Do we have a process for verifying the authenticity and integrity of each component listed in the SBOM?

SBOM Creation and Maintenance

Do we generate SBOMs for all software, including third-party and open-source components?
Are our SBOMs updated regularly to reflect any changes in the software components?
Are we identifying and documenting all software components, including their versions, in our SBOMs?
Do we have a process for verifying the authenticity and integrity of each component listed in the SBOM?

How Sonatype Can Help

Monitoring the health and policy compliance of open source components is essential to meeting these DORA requirements. Sonatype is the industry’s only comprehensive, proactive solution for end-toend software supply chain security, with more than 300 million open source components catalogued. Sonatype also provides constant updates for thirdparty policies, and an easy-to-use administrative UI simplifies policy management.

DORA is just one part of the global trend of cybersecurity requirements. To learn more about how we can help you ensure compliance, check out our DORA User's Guide to Compliance.

DORA Compliance Checklist

EXPLORE MORE

EXPLORE MORE

How Sonatype helps you