Compliance Framework

DORA — digital resilience starts in the code.

The Digital Operational Resilience Act applies to financial entities operating in the EU. DORA's ICT risk management requirements have direct implications for how financial software is written, tested, and deployed. MergeGuide enforces those requirements at the development layer.

What DORA requires of software

DORA (Regulation (EU) 2022/2554) has applied since 17 January 2025. It applies to financial entities including banks, investment firms, insurance companies and payment institutions, and, through a separate oversight framework, to ICT third-party service providers designated as critical.

The regulation's ICT risk management framework (Chapter II) and digital operational resilience testing requirements (Chapter IV) create specific obligations that touch code quality, security, change management, and audit evidence.

Third-party ICT providers: If your software is used by EU financial entities, DORA's requirements flow down to you through the contractual provisions those entities must impose on ICT providers (Article 30). MergeGuide helps ICT providers demonstrate compliance to their financial-entity customers.

DORA's ICT risk management articles — code level

Article 6
ICT Risk Management Framework

MergeGuide enforces secure coding standards that show ICT risk is being actively managed at the development layer, not just documented.

Articles 8-9
Identification & Protection

Detects access control gaps, hardcoded credentials, and missing encryption on financial data — mapped to DORA's protection requirements.

Articles 10-12
Detection, Response & Recovery

Identifies missing logging, monitoring gaps, and resilience anti-patterns in ICT system code.

Articles 24-25
Resilience Testing

Evidence artifacts provide the test documentation required under DORA's digital operational resilience testing programme. Threat-led penetration testing under Article 26 is a separate obligation carried out by independent testers; code-level evidence supports it but does not replace it.

DORA + SOC 2: the common EU financial stack

PolicyMerge handles the overlap

EU financial entities often run DORA alongside SOC 2, GDPR, and ISO 27001. PolicyMerge deconflicts all four simultaneously — strictest requirement wins — producing a single unified policy set.

Evidence for supervisory authorities

DORA requires financial entities to maintain detailed records of ICT incidents and testing. MergeGuide's immutable evidence artifacts provide a continuous audit trail mapped to DORA article requirements.

ICT third-party compliance

MergeGuide enables ICT providers to demonstrate to their financial-entity customers that DORA-relevant security controls are enforced throughout their development process.

DORA-relevant detection patterns

Selected patterns from MergeGuide's DORA framework template. These map to specific DORA articles and are designed for financial ICT systems.

ICT Security (Articles 9-14)

  • Hardcoded credentials in financial system configurations
  • Unencrypted financial data in transit or at rest
  • Missing authentication on ICT system management interfaces
  • Overprivileged service accounts with broad financial data access
  • Disabled or incomplete audit logging on critical financial operations
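The following is an added illustration, not MergeGuide's own detection engine: a small scanner that runs the first, second, third and fifth patterns above over a constructed `key = value` configuration file for a hypothetical payment service. Every value in the sample is fake, the rule names and the article mapping are the example's own choices, and a `${ENV_VAR}` reference is treated as a runtime-injected secret rather than a hardcoded one.

```python
import re
from dataclasses import dataclass

# Constructed sample configuration for a hypothetical payment service; every value is fake.
SAMPLE_CONFIG = """\
db_url = postgres://ledger:Sup3rSecret!@db.internal:5432/ledger
api_key = 9f8e7d6c5b4a392817160f0e0d0c0b0a
payments_tls_enabled = false
audit_log_enabled = false
session_timeout = 900
admin_password = ${ADMIN_PASSWORD}
"""

CREDENTIAL_KEY = re.compile(r"(password|passwd|secret|api[_-]?key|token)", re.I)
ENV_REFERENCE = re.compile(r"^\$\{[A-Z0-9_]+\}$")       # injected at runtime, not hardcoded
URL_WITH_CREDS = re.compile(r"://[^/\s:@]+:[^/\s@]+@")  # scheme://user:pass@host
TLS_KEY = re.compile(r"(tls|ssl)", re.I)
AUDIT_LOG_KEY = re.compile(r"audit.*log", re.I)
DISABLED = {"false", "0", "off", "no"}


@dataclass(frozen=True)
class Finding:
    line: int
    key: str
    rule: str
    article: str  # DORA article the example maps the rule to (assumed mapping)


def parse_line(raw):
    """Return (key, value) for a 'key = value' line; None for blank or comment lines."""
    stripped = raw.strip()
    if not stripped or stripped.startswith("#") or "=" not in stripped:
        return None
    key, _, value = stripped.partition("=")
    return key.strip(), value.strip()


def scan_config(text):
    """Run the four checks over every line and return the findings in file order."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        key, value = parsed
        if CREDENTIAL_KEY.search(key) and value and not ENV_REFERENCE.match(value):
            findings.append(Finding(line_no, key, "hardcoded-credential", "Art. 9"))
        if URL_WITH_CREDS.search(value):
            findings.append(Finding(line_no, key, "credential-in-url", "Art. 9"))
        if TLS_KEY.search(key) and value.lower() in DISABLED:
            findings.append(Finding(line_no, key, "tls-disabled", "Art. 9"))
        if AUDIT_LOG_KEY.search(key) and value.lower() in DISABLED:
            findings.append(Finding(line_no, key, "audit-logging-disabled", "Art. 10"))
    return findings


if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        # Report the key and rule only: the report itself must not leak the secret value.
        print(f"line {f.line}: {f.key}: {f.rule} ({f.article})")
```

The scanner deliberately never prints the offending value, because a finding that echoes a secret into CI logs or an evidence artifact turns a detection into a second exposure.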

Operational Resilience (Articles 7 and 11-12)

  • Missing circuit breakers on critical ICT service dependencies
  • Unbounded retries on financial transaction processing (effectively infinite loops)
  • Insufficient timeout configuration on payment API integrations
  • Missing data validation on financial data ingestion paths
  • Synchronous blocking calls that could cascade into availability failures
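As an added example (not MergeGuide's code or a pattern it ships), the snippet below shows the hardened form of the first three patterns in this list in one place: a payment call wrapped in a circuit breaker, a bounded retry budget with backoff, and a timeout that is threaded through to the dependency. The gateway is a constructed stand-in that fails a configurable number of times, and the clock and sleep functions are injectable so the breaker's open, half-open and closed transitions can be exercised without waiting; the idempotency key is the example's own detail that makes retrying a payment safe.

```python
import time


class TransientError(Exception):
    """A retryable failure from the dependency (timeout, 5xx, connection reset)."""


class RetriesExhausted(Exception):
    """Raised once the bounded retry budget is spent; the caller must not spin forever."""


class CircuitOpenError(RuntimeError):
    """Raised when the breaker is open: the call is refused without touching the dependency."""


class CircuitBreaker:
    """Opens after `failure_threshold` consecutive failures; after `reset_after_s` one trial
    call is allowed (half-open) and its outcome closes or re-opens the circuit."""

    def __init__(self, failure_threshold, reset_after_s, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.reset_after_s = reset_after_s
        self.clock = clock  # injectable so the state machine can be tested without sleeping
        self.failures = 0
        self.opened_at = None

    @property
    def state(self):
        if self.opened_at is None:
            return "closed"
        if self.clock() - self.opened_at >= self.reset_after_s:
            return "half-open"
        return "open"

    def call(self, fn):
        state = self.state
        if state == "open":
            raise CircuitOpenError("dependency circuit is open; failing fast")
        try:
            result = fn()
        except Exception:
            self.failures += 1
            if state == "half-open" or self.failures >= self.failure_threshold:
                self.opened_at = self.clock()
            raise
        self.failures = 0
        self.opened_at = None
        return result


def call_with_bounded_retry(fn, max_attempts, timeout_s, backoff_s=0.5, sleep=time.sleep):
    """Retry `fn(timeout_s)` on TransientError at most `max_attempts` times with linear backoff.
    The anti-pattern this replaces is `while True: try: fn() except: continue`, which has no
    retry limit and no timeout and keeps hammering a dependency that is already struggling."""
    last_exc = None
    for attempt in range(1, max_attempts + 1):
        try:
            return fn(timeout_s)
        except TransientError as exc:
            last_exc = exc
            if attempt < max_attempts:
                sleep(backoff_s * attempt)
    raise RetriesExhausted(f"gave up after {max_attempts} attempts") from last_exc


class FlakyPaymentGateway:
    """Constructed stand-in for a payment API client: fails `failures_before_success` times,
    then succeeds. A real client would pass `timeout_s` to its HTTP call so that a hung
    connection cannot block the caller indefinitely."""

    def __init__(self, failures_before_success):
        self.remaining_failures = failures_before_success
        self.calls = 0

    def charge(self, idempotency_key, amount_cents, timeout_s):
        self.calls += 1
        if self.remaining_failures > 0:
            self.remaining_failures -= 1
            raise TransientError("gateway timeout")
        return {"status": "ok", "idempotency_key": idempotency_key, "amount_cents": amount_cents}


def submit_payment(gateway, breaker, idempotency_key, amount_cents,
                   max_attempts=3, timeout_s=2.0, sleep=time.sleep):
    """Charge through the breaker with a bounded retry budget. The idempotency key is what
    makes retrying a payment safe: a duplicate submission must not produce a second charge."""
    def attempt(t):
        return breaker.call(lambda: gateway.charge(idempotency_key, amount_cents, t))
    return call_with_bounded_retry(attempt, max_attempts, timeout_s, sleep=sleep)


if __name__ == "__main__":
    gw = FlakyPaymentGateway(failures_before_success=2)
    cb = CircuitBreaker(failure_threshold=5, reset_after_s=30)
    print(submit_payment(gw, cb, "order-1001", 4999), "after", gw.calls, "calls")
```

Note that `CircuitOpenError` is deliberately not a `TransientError`: once the breaker is open the retry loop must not keep trying, otherwise the breaker only converts a slow failure into a slightly faster one instead of shedding load from the dependency.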

EU financial entity or ICT provider?

See how MergeGuide handles DORA's ICT risk management requirements alongside your other compliance frameworks.

Book a demo Talk to sales