61 sections · 468 audit questions · every article, annex and clause · v2024
This page lists every regulatory leaf of DORA RTS in the order it appears in the regulation — each article, annex and clause. The audit checklist treats every leaf as a separate audit row, including the permissive ones.
The audit-question count shows how many auditable rows the checklist generates from that leaf (zero means the leaf is informational only).
| Citation | Kind | Title | Audit questions |
|---|---|---|---|
| RTS-1772 Article 1 | Article | Clients, financial counterparts and transactions | 5 |
| RTS-1772 Article 2 | Article | Reputational impact | 5 |
| RTS-1772 Article 3 | Article | Duration and service downtime | 2 |
| RTS-1772 Article 4 | Article | Geographical spread | 3 |
| RTS-1772 Article 5 | Article | Data losses | 4 |
| RTS-1772 Article 6 | Article | Criticality of services affected | 3 |
| RTS-1772 Article 7 | Article | Economic impact | 11 |
| RTS-1772 Article 8 | Article | Major incidents | 3 |
| RTS-1772 Article 9 | Article | Materiality thresholds for determining major incidents | 14 |
| RTS-1772 Article 10 | Article | High materiality thresholds for determining significant cyber threats | 8 |
| RTS-1773 Article 1 | Article | Overall risk profile and complexity | 10 |
| RTS-1773 Article 2 | Article | Group application | 1 |
| RTS-1773 Article 3 | Article | Governance arrangements | 14 |
| RTS-1773 Article 4 | Article | Main phases of the life cycle for the adoption and use of contractual arrangements | 6 |
| RTS-1773 Article 5 | Article | Ex-ante risk assessment | 12 |
| RTS-1773 Article 6 | Article | Due diligence | 13 |
| RTS-1773 Article 7 | Article | Conflicts of interest | 2 |
| RTS-1773 Article 8 | Article | Contractual clauses | 15 |
| RTS-1773 Article 9 | Article | Monitoring of the contractual arrangements | 8 |
| RTS-1773 Article 10 | Article | Exit from and termination of the contractual arrangements | 5 |
| RTS-1774 Article 1 | Article | Overall risk profile and complexity | 1 |
| RTS-1774 Article 2 | Article | General elements of ICT security policies, procedures, protocols, and tools | 12 |
| RTS-1774 Article 3 | Article | ICT risk management | 7 |
| RTS-1774 Article 4 | Article | ICT asset management policy | 4 |
| RTS-1774 Article 5 | Article | ICT asset management procedure | 3 |
| RTS-1774 Article 6 | Article | Encryption and cryptographic controls | 8 |
| RTS-1774 Article 7 | Article | Cryptographic key management | 5 |
| RTS-1774 Article 8 | Article | Policies and procedures for ICT operations | 14 |
| RTS-1774 Article 9 | Article | Capacity and performance management | 4 |
| RTS-1774 Article 10 | Article | Vulnerability and patch management | 14 |
| RTS-1774 Article 11 | Article | Data and system security | 12 |
| RTS-1774 Article 12 | Article | Logging | 11 |
| RTS-1774 Article 13 | Article | Network security management | 13 |
| RTS-1774 Article 14 | Article | Securing information in transit | 4 |
| RTS-1774 Article 15 | Article | ICT project management | 11 |
| RTS-1774 Article 16 | Article | ICT systems acquisition, development, and maintenance | 15 |
| RTS-1774 Article 17 | Article | ICT change management | 9 |
| RTS-1774 Article 18 | Article | Physical and environmental security | 6 |
| RTS-1774 Article 19 | Article | Human resources policy | 4 |
| RTS-1774 Article 20 | Article | Identity management | 3 |
| RTS-1774 Article 21 | Article | Access control | 14 |
| RTS-1774 Article 22 | Article | ICT-related incident management policy | 5 |
| RTS-1774 Article 23 | Article | Anomalous activities detection and criteria for ICT-related incidents detection and response | 14 |
| RTS-1774 Article 24 | Article | Components of the ICT business continuity policy | 13 |
| RTS-1774 Article 25 | Article | Testing of the ICT business continuity plans | 7 |
| RTS-1774 Article 26 | Article | ICT response and recovery plans | 17 |
| RTS-1774 Article 27 | Article | Format and content of the report on the review of the ICT risk management framework | 13 |
| RTS-1774 Article 28 | Article | Governance and organisation (simplified) | 14 |
| RTS-1774 Article 29 | Article | Information security policy and measures (simplified) | 2 |
| RTS-1774 Article 30 | Article | Classification of information assets and ICT assets (simplified) | 2 |
| RTS-1774 Article 31 | Article | ICT risk management (simplified) | 8 |
| RTS-1774 Article 32 | Article | Physical and environmental security (simplified) | 3 |
| RTS-1774 Article 33 | Article | Access control (simplified) | 5 |
| RTS-1774 Article 34 | Article | ICT operations security (simplified) | 9 |
| RTS-1774 Article 35 | Article | Data, system and network security (simplified) | 7 |
| RTS-1774 Article 36 | Article | ICT security testing (simplified) | 3 |
| RTS-1774 Article 37 | Article | ICT systems acquisition, development, and maintenance (simplified) | 3 |
| RTS-1774 Article 38 | Article | ICT project and change management (simplified) | 2 |
| RTS-1774 Article 39 | Article | Components of the ICT business continuity plan (simplified) | 11 |
| RTS-1774 Article 40 | Article | Testing of business continuity plans (simplified) | 3 |
| RTS-1774 Article 41 | Article | Format and content of the report on the review of the simplified ICT RMF | 9 |
The Compliance Matrix is the verification document — every paragraph in scope on one PDF. The audit checklist bundle is the per-question working document (468 questions, 5 artefact formats).