26 sections · 233 audit questions · every article, annex and clause · v2022-12-14
This page lists every regulatory leaf of DORA in the order it appears in the regulation — each article, annex and clause. The audit checklist treats every leaf as a separate audit row, including the permissive ones.
The audit-question count shows how many auditable rows the checklist generates from that leaf (zero means the leaf is informational only).
| Citation | Kind | Title | Audit questions |
|---|---|---|---|
| Article 2 | Article | Scope | 2 |
| Article 4 | Article | Proportionality principle | 2 |
| Article 5 | Article | Governance and organisation | 13 |
| Article 6 | Article | ICT risk management framework | 18 |
| Article 7 | Article | ICT systems, protocols and tools | 4 |
| Article 8 | Article | Identification | 10 |
| Article 9 | Article | Protection and prevention | 14 |
| Article 10 | Article | Detection | 5 |
| Article 11 | Article | Response and recovery | 17 |
| Article 12 | Article | Backup policies and procedures, restoration and recovery procedures and methods | 11 |
| Article 13 | Article | Learning and evolving | 12 |
| Article 14 | Article | Communication | 3 |
| Article 16 | Article | Simplified ICT risk management framework | 11 |
| Article 17 | Article | ICT-related incident management process | 8 |
| Article 18 | Article | Classification of ICT-related incidents and cyber threats | 7 |
| Article 19 | Article | Reporting of major ICT-related incidents and voluntary notification of significant cyber threats | 9 |
| Article 23 | Article | Operational or security payment-related incidents concerning credit institutions, payment institutions, AISPs and EMIs | 1 |
| Article 24 | Article | General requirements for the performance of digital operational resilience testing | 6 |
| Article 25 | Article | Testing of ICT tools and systems | 3 |
| Article 26 | Article | Advanced testing of ICT tools, systems and processes based on TLPT | 12 |
| Article 27 | Article | Requirements for testers for the carrying out of TLPT | 9 |
| Article 28 | Article | General principles | 25 |
| Article 29 | Article | Preliminary assessment of ICT concentration risk at entity level | 8 |
| Article 30 | Article | Key contractual provisions | 19 |
| Article 31 | Article | Designation of critical ICT third-party service providers | 1 |
| Article 45 | Article | Information-sharing arrangements on cyber threat information and intelligence | 3 |
The Compliance Matrix is the verification document — every paragraph in scope on one PDF. The audit checklist bundle is the per-question working document (233 questions, 5 artefact formats).