Why DORA Matters for Tech Companies Outside Finance
The Digital Operational Resilience Act has been in effect since January 17, 2025. First association: banks, insurers, financial institutions. True — but incomplete.
Articles 28-44 of DORA impose obligations on financial entities to manage risks from ICT third-party providers. If your organization delivers software or technical services to a bank, fintech, payment institution or insurer — you’re in the regulated supply chain. The financial institution has a statutory obligation to assess your security controls and document the results.
In practice: more security questionnaires from financial clients, more detailed questions, requests for technical documentation nobody previously required. Not because clients suddenly became more thorough — because the regulation mandates it.
What DORA Requires — And What Auditors Actually Look For
Article 9 requires ICT security controls: least-privilege access control, digital identity management, change integrity protection. Article 10 requires mechanisms to detect anomalous activity, such as unauthorized executions, configuration modifications, or data exfiltration through malicious workflow code.
What the regulation text says and what auditors look for are not the same. The regulation doesn’t specify tools. The auditor doesn’t ask “do you have a policy.” They ask: show me the logs, show me the configuration, show me it actually works. Missing technical documentation is treated as a missing control — even if the control exists and functions.
What Pipeline Systems Should Produce
At the pipeline level, DORA translates to specific evidence categories that auditors expect:
Artifact integrity: Proof that what landed in production is exactly what the pipeline built — unmodified between build and deployment. Cryptographic artifact signing and signature verification before deployment.
Access and change trail: Who ran which workflow, when, with what trigger, what changes went in. Traceability from commit to deployment with logs retained for the required period.
Credential management: No static secrets in CI/CD configuration — OIDC instead of AWS/Azure keys stored as environment variables.
Scan results: Documented dependency analysis, image scanning, security test results — not as one-time reports, but as artifacts generated with every deploy.
The Business Risk
For a tech company selling to finance, the risk isn’t direct sanctions — it’s losing the contract. A financial institution that can’t document that it verified its ICT supplier violates DORA requirements itself. No compliance officer at a major bank will accept a vendor that can’t answer audit questions.
Companies with an Evidence Pack — logs, SBOM, provenance, regulatory mapping — answer these questions in days. Companies without one scramble for weeks.