DORA Readiness Assessment

1.Has your management body formally approved an ICT risk management framework that defines risk tolerance levels, assigns named individuals to ICT risk oversight roles, and mandates periodic reviews at least annually?

2.Do you maintain a complete inventory of all ICT assets (applications, databases, infrastructure, third-party services) with each asset classified by criticality, data sensitivity, and mapped to the business functions it supports?

3.Are ICT business continuity plans and disaster recovery procedures tested at least annually through structured exercises, with measured RTO and RPO results compared against defined targets for all critical or important functions?

4.Do you have documented ICT security policies covering access control (least-privilege), encryption standards, patch management timelines, and change management procedures — all reviewed and updated at least annually?