RegulationsOffice starter checklist

DORA makes ICT third-party evidence an ongoing monitoring task, not a one-off file request

Boundary: Does not replace regulated DORA assessment or legal review.

First safe question:
Which ICT services, owners, and evidence files would be hard to assemble this week?

Checklist prompts:
- Map critical ICT services and business owners
- Identify third-party, subcontractor, and contract owners
- Collect resilience, continuity, testing, and incident evidence
- Separate financial-entity obligations from ICT-supplier evidence pressure
- Set a recurring monitoring rhythm instead of a one-off file request

Source:
ESMA DORA information page: https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/digital-operational-resilience-act-dora

Use: collect non-sensitive first-review context only. Do not send credentials, regulated internal documents, raw supplier exports, or confidential client evidence through a public form.