DORA
What it is — The Digital Operational Resilience Act (DORA) is an EU regulation (Regulation (EU) 2022/2554) that requires financial entities to withstand, respond to, and recover from ICT-related disruptions. It applies to banks, insurance companies, investment firms, payment institutions, and other financial entities, and brings their critical ICT third-party service providers under an EU oversight framework. DORA entered into application on 17 January 2025.
Appsec relevance — Chapter II of DORA (Articles 5–16) establishes the ICT risk management framework, including identification of information assets and ICT assets (Article 8(4)) and continuous assessment of cyber threats and ICT vulnerabilities affecting those assets (Article 8(2)). Chapter IV (Articles 24–27) requires a digital operational resilience testing programme. Web applications and APIs that support a financial entity's business functions are ICT assets in scope of both chapters.
How Detectify Supports DORA
| Requirement | What it requires | Detectify Capability | Coverage |
|---|---|---|---|
| Article 8(2) | Continuously identify sources of ICT risk and assess cyber threats and ICT vulnerabilities relevant to ICT-supported business functions, information assets, and ICT assets | Application Scanning + API Scanning + Internal Scanning: findings classified by CWE, with scheduled scans and historical tracking that show when a vulnerability appeared and when it was remediated | Full |
| Article 25 | Test ICT tools and systems using an appropriate range of methods, including vulnerability assessments and scans, network security assessments, and scenario-based tests; perform vulnerability assessments before deploying or redeploying components that support critical or important functions | DAST scanning with payload validation produces dated evidence that ICT systems are tested regularly; Application, API, and Internal Scanning cover external and internal systems. Scans can be scheduled around releases to satisfy the pre-deployment assessment requirement | Full |
| Article 8(4) | Identify all information assets and ICT assets, including those on remote sites, network resources, and hardware equipment, and map those considered critical | Surface Monitoring continuously discovers domains, subdomains, IP addresses, ports, and technologies across the external attack surface. Internal-only assets, hardware, and criticality mapping are out of scope | Partial |
| Article 26 | Carry out threat-led penetration testing (TLPT) at least every three years on live production systems supporting critical or important functions | Crowdsource Network supplements a TLPT programme by surfacing vulnerabilities between exercises, but does not replace formal threat-led penetration testing conducted in line with TIBER-EU | Partial |
What Detectify Covers
Detectify directly addresses DORA’s vulnerability management and ICT testing requirements. Continuous scanning provides evidence that financial entities regularly test their ICT systems for vulnerabilities (Article 25), and scan scheduling supports the Article 25(2) requirement to perform vulnerability assessments before any deployment or redeployment of applications and infrastructure components that support critical or important functions. Vulnerability identification and historical tracking support Article 8(2), and Surface Monitoring’s asset discovery partially addresses the ICT asset identification requirement (Article 8(4)) for the external attack surface. When preparing audit evidence, keep scan schedules, scope definitions, and remediation timelines alongside the findings themselves; assessors will expect to see that testing covered the assets classified as critical under Article 8.
DORA’s requirements for ICT third-party risk management (Chapter V, Articles 28–44), ICT-related incident management and reporting (Chapter III, Articles 17–23), response and recovery including backup and restoration (Articles 11–12), and threat-led penetration testing (Article 26) require specialised tools and processes beyond DAST.
Complementary Tools You May Need
- TLPT / red team services — For Article 26 threat-led penetration testing (TIBER-EU aligned)
- Third-party risk management platforms — For Chapter V (Articles 28–44) ICT third-party risk
- Incident management platforms — For Chapter III (Articles 17–23) incident management and reporting
- Business continuity / DR tools — For Articles 11–12 response and recovery, backup policies, and restoration procedures
- ICT asset management — For comprehensive asset inventory beyond external attack surface
- SAST — For code-level vulnerability analysis in custom financial applications