Digital Operational Resilience Act (DORA) — Record-Keeping & Documentation

Yes. Digital Operational Resilience Act (DORA) addresses Record-Keeping & Documentation through 1 provision.

Does Digital Operational Resilience Act (DORA) require Record-Keeping & Documentation?

European Union • enforcing

Yes — 1 provision

This regulation imposes 4 specific requirements for Record-Keeping & Documentation across 1 provision:

Resilience testing program — Conduct regular testing of ICT systems and tools
Threat-led penetration testing — Significant entities must perform TLPT aligned with TIBER-EU
Documentation and remediation — Document test results and remediate identified vulnerabilities
Register of ICT contracts — Maintain and submit register of third-party ICT contracts to authorities

Obligation:

enforcing

Effective:

Jan 17, 2025

Risk tier:

all

Scope:

providers, deployers

Requirement	Details
Resilience testing program	Conduct regular testing of ICT systems and tools
Threat-led penetration testing	Significant entities must perform TLPT aligned with TIBER-EU
Documentation and remediation	Document test results and remediate identified vulnerabilities
Register of ICT contracts	Maintain and submit register of third-party ICT contracts to authorities

Violation	Fine
Non-compliance	Determined by national competent authorities per member state law