DORA File Transfer Compliance Checklist.

DORA Article 28 expects every EU financial entity to map, monitor, and audit file transfer as a critical ICT third-party dependency. The checklist below is what compliance officers and IT leads walk through before each annual review.

The checklist

Fourteen controls, grouped by DORA theme.

Each item states what to verify and how xEvolve satisfies it. Bring it to your next ICT risk committee.

  1. ICT risk management

    • Documented ICT risk framework covering file transfer

      Verify: Policies identify file transfer as a critical ICT dependency, with risk owners and review cadence.

      xEvolve: Per-Environment risk register with DORA control mapping exported for auditors.

    • Annual review of third-party transfer providers

      Verify: Concentration risk, substitutability, and exit strategy are reassessed at least yearly.

      xEvolve: Exit clause + portability of D1 + R2 documented in every customer agreement.

  2. ICT third-party register

    • Every transfer provider recorded in the ICT register

      Verify: Provider name, service, data flows, sub-processors, and 4-eyes sign-off are captured.

      xEvolve: One-page provider record per Environment, exportable as JSON or PDF.

  3. Incident detection & reporting

    • Initial incident classification within agreed thresholds

      Verify: Major ICT-incident criteria are pre-mapped; reporting timeline rehearsed with the lead overseer.

      xEvolve: Severity router + 24/7 alerting on failed transfers, anomalies, and credential misuse.

    • Voluntary early warning channel to management

      Verify: A documented escalation path lets the CISO notify the competent authority before deadlines hit.

      xEvolve: Webhook + email escalation to your IR team with templated DORA-grade messages.

  4. Encryption in transit + at rest

    • TLS 1.2+ on every control and data channel

      Verify: No legacy ciphers, no plain FTP, no self-signed certs in production paths.

      xEvolve: TLS 1.3 enforced, modern cipher suites, HSTS on every customer domain.

    • At-rest encryption with managed keys

      Verify: Storage layer is encrypted; key rotation cadence and KMS ownership are documented.

      xEvolve: Per-Environment R2 bucket, SSE-KMS with provider-managed rotation.

  5. Identity (Entra / OIDC SSO + MFA)

    • SSO via Entra ID or OIDC; phishing-resistant MFA

      Verify: Local accounts disabled for staff; admins require FIDO2 / platform passkey.

      xEvolve: OIDC + Entra ID built in; TOTP MFA for break-glass admins; SCIM provisioning.

  6. Tamper-evident audit trail & access logging

    • Append-only audit log of every transfer and admin action

      Verify: Logs cover who/what/when, source and destination, hashes, and are tamper-evident.

      xEvolve: Hash-chained audit log on D1; export to SIEM as JSON or syslog.

    • Privileged access to audit data is logged and reviewed

      Verify: Read access to audit exports triggers an alert and is reviewed quarterly.

      xEvolve: Audit-read events are themselves logged; quarterly review reminders fire automatically.

  7. Retention & legal hold

    • Configurable retention with legal-hold override

      Verify: Retention windows match regulator expectations; legal hold freezes deletion per matter.

      xEvolve: Per-Environment retention 30 days to 7 years; one-click legal hold per matter.

  8. EU data residency

    • Files + metadata stay inside the EU jurisdiction

      Verify: Region of storage is contractually committed and verifiable in the console.

      xEvolve: EU region (D1 + R2) selected at onboarding; cross-region replication is opt-in only.

  9. Resilience / DR testing

    • Documented RTO / RPO with periodic DR test

      Verify: Recovery objectives are tested at least annually; results are filed with risk committee.

      xEvolve: Multi-region failover exercised in staging; RPO ≤ 1 minute for audit data.

  10. Signed delivery receipts

    • Sender and recipient both receive a signed, time-stamped receipt

      Verify: Receipts are non-repudiable and stored alongside the file for the retention period.

      xEvolve: Per-transfer signed receipt with SHA-256 hash, stored in the audit log.

Move from checklist to production.

One Environment, 14 protocol adapters, EU residency, Entra SSO, TOTP MFA, hash-chained audit logs, and signed delivery receipts — all in the 30-day trial.