Login Contact Us Book a Demo
Resources Whitepapers
DORA Compliance Checklist | Sonatype Guide

DORA Compliance Checklist

DORA, an EU-wide requirement passed in 2024 and to be enforced starting in January 2025, requires financial entities to put measures in place to protect against cybersecurity threats and disruptions to ICT services. Two elements of DORA stand out: the ICT Risk Management Framework and Regulation 56, which emphasises the importance of open source analysis.

This guide can help you determine how prepared your organisation is to comply with DORA’s key components.

DORA Compliance Checklist: Navigate New Cybersecurity Measures

ICT Risk Management

  • Do we have processes to identify, monitor, and manage ICT risks?
  • Are our ICT risk management policies and procedures up-to-date and aligned with regulatory requirements?
  • Do we have a process for continuous monitoring of ICT systems and services?

Incident Reporting

  • Do we have an incident reporting process in place for security-related incidents?
  • Can we detect, manage, and report significant incidents within the required timeframe?
  • Have we conducted training and awareness programs for incident reporting?

Information Security

  • Are our information security measures adequate to protect against ICT risks?
  • Do we regularly review and update our information security policies?
  • Are employees trained on information security protocols and practices?

Business Continuity and Disaster Recovery

  • Do we have a robust business continuity and disaster recovery plan for ICT disruptions?
  • Are these plans tested regularly, and are staff trained on their roles in these plans?
  • Are backup systems and data recovery processes in place and regularly tested?

Resilience Testing

  • Have we implemented a testing program to assess our ICT systems' resilience?
  • Do we conduct regular penetration testing, vulnerability assessments, and other resilience tests?
  • Are test results reviewed, and are necessary improvements implemented promptly?

SBOM Creation and Maintenance

  • Do we generate SBOMs for all software, including third-party and open-source components?
  • Are our SBOMs updated regularly to reflect any changes in the software components?
  • Are we identifying and documenting all software components, including their versions, in our SBOMs?
  • Do we have a process for verifying the authenticity and integrity of each component listed in the SBOM?

How Sonatype Can Help

Monitoring the health and policy compliance of open source components is essential to meeting these DORA requirements. Sonatype is the industry’s only comprehensive, proactive solution for end-toend software supply chain security, with more than 300 million open source components catalogued. Sonatype also provides constant updates for thirdparty policies, and an easy-to-use administrative UI simplifies policy management.

DORA is just one part of the global trend of cybersecurity requirements. To learn more about how we can help you ensure compliance, check out our DORA User's Guide to Compliance.

img-EU_deep_dive_graphic

Simplify SBOM Compliance With Sonatype

Talk to an Expert