Free interactive checklist

DORA & NIS2 architecture documentation checklist

A practical, self-assessment checklist of the architecture-documentation artefacts that are commonly expected when preparing for operational-resilience (DORA) and cyber-security governance (NIS2) reviews. Tick what you already have to see your live coverage. This is a planning aid, not legal or compliance advice.

Your documentation coverage

Updates live as you tick items. A higher score is not a compliance verdict — it only reflects how much of this common documentation you have at hand.

Application & system registerA maintained inventory of applications and systems, with owners and business criticality.
ICT third-party / supplier dependency mapWhich external providers and services your critical functions rely on, including sub-contracting chains where known.
Critical-function-to-asset mappingLinks between important/critical business functions and the applications, infrastructure and data that support them.
Data flow & integration diagramsHow data moves between systems and across boundaries, including external interfaces.
RTO / RPO per critical systemDocumented recovery time and recovery point objectives for systems supporting critical functions.
Incident-impact & propagation pathsHow a failure or incident in one component could propagate to dependent services and functions.
Governance & approval trailWho owns, reviews and approves architecture decisions and changes, with a traceable record.
Documentation currency & ownershipEach artefact has a named owner and a last-reviewed date so it can be trusted as current.

Readiness hint

0 / 8

covered

Early stage. Several core artefacts appear to be missing — a structured architecture inventory is usually the first thing reviewers ask for.

Important

This checklist is a planning aid to help you organise architecture documentation. It is not legal, regulatory or compliance advice, and it does not represent the full text of DORA or NIS2. The items are framed as documentation that is commonly expected in resilience and security reviews — they are not a substitute for assessing the obligations that apply to your specific entity, sector and scope. Confirm your actual requirements with qualified legal and compliance advice.

Want help turning this into review-ready architecture documentation?

We help teams build and maintain the application register, dependency maps and recovery documentation that resilience and security reviews lean on.

Discuss your DORA/NIS2 readiness See pricing