# DORA
The EU Digital Operational Resilience Act (DORA) applies to financial entities operating in the EU and their ICT third-party service providers. It mandates robust ICT risk management, incident management, and resilience testing. vybdocs contributes to the ICT risk management and testing pillars.
## Who needs DORA compliance
DORA applies to:
- Credit institutions (banks)
- Payment institutions
- Investment firms
- Insurance and reinsurance undertakings
- Crypto-asset service providers
- ICT third-party service providers to the above
If you build SaaS for EU financial services, you may be in scope as an ICT third-party service provider.
## Key DORA articles
| Article | Name | How vybdocs helps |
|---|---|---|
| Art. 9.2 | ICT risk management framework | Rules enforce technical risk controls in code |
| Art. 9.4 | ICT systems protection | Rules ban injection vectors, insecure crypto |
| Art. 10 | ICT-related incident detection | Rules require monitoring and logging instrumentation |
| Art. 11 | ICT business continuity | Rules enforce resilience patterns (circuit breakers, timeouts) |
| Art. 25 | Testing of ICT tools | Evidence Packs document automated testing compliance |
| Art. 28 | Third-party risk | Rules govern dependency management and third-party code |
## Applying the EU Fintech pack

DORA-regulated entities should start with the EU Fintech pack, which includes DORA mappings:

```bash
vyb init --pack eu-fintech
```
Then add DORA-specific resilience rules:

```yaml
categories:
  scaling:
    rules:
      - id: scl-dora-001
        name: require-circuit-breaker
        description: >
          External service calls must be wrapped in a circuit
          breaker pattern to ensure business continuity (Art.11).
        severity: warn
        pattern: "fetch\\(|axios\\.get\\(|http\\.request\\("
        exclude:
          - "**/circuitBreaker/**"
          - "**/*.test.ts"
        remediation: >
          Wrap external service calls with opossum or a similar
          circuit breaker library. Configure a timeout and fallback.
        maps-to:
          - framework: dora
            control: Art.11
      - id: scl-dora-002
        name: require-timeout-on-external-calls
        description: All external HTTP calls must have explicit timeouts.
        severity: block
        pattern: "fetch\\([^,)]+\\)"
        remediation: >
          Pass an AbortSignal with a timeout:
          fetch(url, { signal: AbortSignal.timeout(5000) })
          DORA requires ICT systems to degrade gracefully under load.
        maps-to:
          - framework: dora
            control: Art.9.4
```
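What the two rules above ask a service to do, as an added JavaScript example that is not vybdocs or opossum code: a minimal circuit breaker (closed, open, half-open) in front of an upstream call, plus a `fetch` wrapper bounded by `AbortSignal.timeout`. The class and function names, the thresholds, the injectable clock and the fake upstreams are assumptions made so the example runs offline; `simulateOutage` walks the breaker through an outage so the state transitions can be checked.

```javascript
// Added example, not vybdocs or opossum code. Names, thresholds and the fake
// upstreams below are assumptions for illustration.

class CircuitBreaker {
  constructor({ failureThreshold = 3, resetTimeoutMs = 10000, now = Date.now } = {}) {
    this.failureThreshold = failureThreshold;
    this.resetTimeoutMs = resetTimeoutMs;
    this.now = now;            // injectable clock so a test can move time forward
    this.state = 'closed';     // closed -> open -> half-open -> closed
    this.failures = 0;
    this.openedAt = 0;
  }

  // Run `action`; serve `fallback` instead when the breaker is open or the
  // action fails. A half-open breaker lets exactly one probe through.
  async call(action, fallback) {
    if (this.state === 'open') {
      if (this.now() - this.openedAt < this.resetTimeoutMs) {
        return fallback(new Error('circuit open')); // fail fast, upstream untouched
      }
      this.state = 'half-open';
    }
    try {
      const result = await action();
      this.failures = 0;
      this.state = 'closed';
      return result;
    } catch (err) {
      this.failures += 1;
      if (this.state === 'half-open' || this.failures >= this.failureThreshold) {
        this.state = 'open';
        this.openedAt = this.now();
      }
      return fallback(err);
    }
  }
}

// Every outbound request carries an AbortSignal with a deadline, so a hung
// upstream cannot hold a worker indefinitely (the scl-dora-002 remediation).
// fetchImpl is injectable so the example can run without network access.
function fetchWithTimeout(url, { timeoutMs = 5000, fetchImpl = globalThis.fetch } = {}) {
  return fetchImpl(url, { signal: AbortSignal.timeout(timeoutMs) });
}

// Constructed upstream that never answers; it only rejects when the signal fires.
function hungUpstream(_url, { signal }) {
  return new Promise((_, reject) => {
    signal.addEventListener('abort', () => reject(signal.reason), { once: true });
  });
}

// Drive the breaker through an outage: three failures open it, calls during the
// cooldown are served from the fallback without touching the upstream, and a
// successful probe after the cooldown closes it again.
async function simulateOutage() {
  let clock = 0;
  const breaker = new CircuitBreaker({ failureThreshold: 3, resetTimeoutMs: 1000, now: () => clock });
  let upstreamCalls = 0;
  const failing = async () => { upstreamCalls += 1; throw new Error('503'); };
  const healthy = async () => { upstreamCalls += 1; return 'ok'; };
  const fallback = () => 'cached';
  const states = [];

  for (let i = 0; i < 5; i += 1) {
    await breaker.call(failing, fallback);
    states.push(breaker.state);
  }
  clock = 1500;                       // cooldown elapsed, next call is the probe
  const probe = await breaker.call(healthy, fallback);
  states.push(breaker.state);
  return { states, upstreamCalls, probe };
}

simulateOutage().then((summary) => console.log(summary));
```

The breaker records five calls but only three reach the upstream during the outage; the two calls made while the circuit is open return the fallback immediately, which is the graceful degradation Art. 11 is after. The timeout wrapper is independent of the breaker and should wrap the call inside it, so that a slow upstream counts as a failure rather than blocking the probe.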
## ICT third-party risk (Art. 28)

Article 28 requires financial entities to manage third-party ICT risk. Dependency rules contribute to this:

```yaml
categories:
  dependencies:
    rules:
      - id: pkg-dora-001
        name: no-unpinned-dependencies
        description: All production dependencies must be pinned to exact versions.
        severity: warn
        # Single-quoted YAML keeps backslashes literally, so a single backslash
        # is what the regex engine receives: "\^" is a literal caret.
        pattern: '"[^"]+": "\^|"[^"]+": "~'
        exclude: ["devDependencies"]
        remediation: >
          Pin production dependencies to exact versions in package.json.
          Use npm ci (not npm install) in CI for deterministic builds.
          Unpinned dependencies introduce third-party ICT risk (DORA Art.28).
        maps-to:
          - framework: dora
            control: Art.28
```
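How the pkg-dora-001 check behaves on a manifest, as an added JavaScript example that is not vybdocs code. `regexFindings` runs the rule's own pattern line by line, as a line-oriented rule engine would; `findUnpinned` parses the manifest instead and flags every production dependency that is not an exact version, which also catches ranges the caret/tilde regex cannot see (`>=`, `*`, `latest`, dist-tags). The sample `package.json` and both function names are constructed for this example.

```javascript
// Added example, not vybdocs code. The sample manifest below is constructed.

// pkg-dora-001's pattern as a JavaScript regex (the YAML single quotes pass the
// backslash through unchanged, so "\^" is a literal caret).
const RULE_PATTERN = /"[^"]+": "\^|"[^"]+": "~/;

// Line-oriented pass, mirroring how a pattern rule sees the file. Note that it
// flags devDependencies too; the rule relies on its `exclude` to drop those.
function regexFindings(manifestText) {
  return manifestText
    .split('\n')
    .map((line, i) => ({ line: i + 1, text: line.trim() }))
    .filter(({ text }) => RULE_PATTERN.test(text));
}

// An exact version: MAJOR.MINOR.PATCH with an optional pre-release suffix.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Parse-based pass: only production `dependencies` are in scope, and anything
// that is not an exact version counts as unpinned, whatever the range syntax.
function findUnpinned(manifestText) {
  const manifest = JSON.parse(manifestText);
  const deps = manifest.dependencies || {};
  return Object.entries(deps)
    .filter(([, range]) => !EXACT_VERSION.test(range))
    .map(([name, range]) => ({ name, range }));
}

// Constructed sample manifest with a mix of pinned and unpinned entries.
const SAMPLE_PACKAGE_JSON = `{
  "name": "payments-api",
  "dependencies": {
    "express": "^4.19.2",
    "pg": "~8.11.0",
    "opossum": "8.1.3",
    "left-pad": ">=1.0.0",
    "internal-sdk": "latest"
  },
  "devDependencies": {
    "jest": "^29.7.0"
  }
}`;

console.log('regex pass:', regexFindings(SAMPLE_PACKAGE_JSON));
console.log('parse pass:', findUnpinned(SAMPLE_PACKAGE_JSON));
```

On the sample the regex pass reports the `express`, `pg` and `jest` lines (the last one only because the regex cannot tell sections apart), while the parse pass reports `express`, `pg`, `left-pad` and `internal-sdk` and ignores `devDependencies`. Pinning alone fixes reproducibility, not provenance: pairing it with `npm ci` against a committed lockfile, as the remediation says, is what makes the build deterministic.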
## Evidence Pack for DORA
DORA Art. 25 requires that "financial entities maintain adequate records on digital operational resilience testing." The vybdocs Evidence Pack provides:
- A timestamped record of every code change check
- Documentation of which ICT controls were tested
- Cryptographic non-repudiation
- Chain integrity for tamper detection
DORA requires 5-year retention for ICT-related documentation. Configure Evidence Pack archival with a 5-year retention policy.