How to Develop DORA-compliant Software for Your Financial Project

If you’re working on a financial solution or planning to build one, understanding what DORA requires from your software is a must.

However, it can be tricky to adapt existing development processes to meet new compliance requirements. Your team is challenged with ensuring robust mechanisms for operational resilience, responding to incidents in a timely manner, managing third-party risks, and more.

In this article, we discuss DORA compliance from the software development perspective. You’ll learn about DORA pillars and how to align your software with them.

We also share best practices for developing a DORA-compliant solution and list challenges to expect. This article will be helpful for product leaders working for financial institutions that offer software products in the EU market.

What is DORA?

The Digital Operational Resilience Act (DORA) is an EU regulation that requires financial organizations operating in European Union member states to follow strict cybersecurity measures.

The goal is to address incidents related to information and communication technology (ICT), making sure financial institutions are able to withstand and recover from ICT disruptions.

Who must comply with DORA?

Since 17 January 2025, DORA compliance has been obligatory for all financial organizations registered in the EU and for any organizations registered outside the EU that provide services within the EU financial sector:

• Financial entities such as banks, insurance companies, investment funds, payment service providers, credit rating agencies, crypto-asset service providers, and crowdfunding service providers
• Third-party providers who deliver ICT services to those financial entities and are identified as critical, also known as critical third-party providers (CTPPs)

In the graphic below, we show a full list of who needs to be DORA-compliant according to the regulation’s text.

Why consider DORA requirements when developing FinTech software?

As DORA covers various aspects of business operations, some DORA requirements apply to the software provided by financial companies.

You should make sure your product meets DORA requirements if you:

1. Intend to make your FinTech software product available in EU countries.
2. Want to avoid penalties for non-compliance.
3. Desire to strengthen the protection and resilience of your software so that it maintains stable performance even during attack attempts.
4. Maintain your business reputation, win over new customers, and retain existing customers.

So, how can you become DORA-compliant? Let’s explore the key principles and requirements of DORA and how to apply them to your software.

Where to start your compliance journey: DORA’s 5 pillars

Though DORA introduces numerous requirements, all of them are centered around five core pillars:

1. ICT risk management
2. ICT-related incident management
3. Digital operational resilience testing
4. ICT third-party risk management
5. Information sharing

The term five pillars isn’t official. However, it’s commonly used by compliance experts when talking about DORA requirements, making the five pillars a de facto industry standard for demonstrating compliance readiness and reporting. The names of each pillar correspond to chapters II through VI in the official text of the act.

Referencing the five pillars when designing your FinTech solution can help your team:

• Construct a clear, structured approach to meeting DORA requirements that are specified in somewhat complex legislative language
• Ensure comprehensive coverage of DORA requirements, as the pillars summarize DORA’s core compliance domains

Note: DORA imposes many detailed requirements within and beyond these pillars. Thus, we recommend carefully exploring the entire regulation.

1. ICT risk management

Main requirements for businesses: Define, approve, oversee, and be accountable for the implementation of all arrangements related to the ICT risk management framework.

This means that your FinTech product must support a clearly defined ICT risk management framework, including:

• Secure architecture design
• Built-in mechanisms for ICT risk identification and mitigation
• Continuous vulnerability monitoring
• Full traceability of risk-related decisions and updates
• Recovery and continuity features to minimize the impact of ICT disruptions

Identifying and assessing risks is a challenging task. It requires multiple actions such as determining security and privacy requirements, identifying sub-systems, defining components and data flows, and implementing threat modeling.

2. ICT-related incident management

Main requirements for businesses: Establish and implement ICT-related incident management processes to detect, manage, and notify about ICT-related incidents.

To make your FinTech software meet this pillar’s requirements:

• Include features for anomaly and failure detection
• Add support for automated alerts to designated response teams
• Enable rapid incident logging and tracking

From our experience, ICT-related incident management demands proper automated response capabilities. Not only should notifications be sent to users; suspicious activity must be blocked. The best way is to ensure different levels of response to the incident, just like Google does: notifying a user about a suspicious login, blocking a user if they don’t respond, suspending a user account in case of several suspicious actions in a row, etc.

3. Digital operational resilience testing

Main requirements for businesses: Establish, maintain, and review a comprehensive digital operational resilience testing strategy as an integral part of your ICT risk management framework.

To align your software with this pillar, your team should introduce a comprehensive set of appropriate tests and measures. This includes:

• Conducting regular resilience testing such as automated stress tests, vulnerability scans, and penetration tests
• Aligning all tests with the product’s complexity and risk levels
• Making sure all testing results are traceable and used to ensure continuous product improvement and regulatory readiness

4. ICT third-party risk management

Main requirements for businesses: Manage ICT third-party risk as an integral component of your ICT risk management framework.

This pillar requires your product to enable transparency and robust security measures for all third-party components, services, and integrations. Here’s how to do it:

• Maintain an up-to-date inventory of dependencies
• Verify vendor compliance with security and resilience requirements
• Add features for dependency management and update controls
• Implement mechanisms to monitor third-party performance and data protection
• Add support for fallback and exit strategies to mitigate vendor failures

5. Information sharing

Main requirements for businesses: Financial entities may exchange cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures; cyber security alerts; and configuration tools.

To foster information exchange and collaborative defense mechanisms, you can make your software products:

• Automatically generate incident reports for both internal needs (investigations, forensics, etc.) and sharing with external entities (separate reports including no sensitive, client, or corporate data)
• Use standardized log formats or protected APIs for information exchange
• Integrate with threat intelligence platforms

Consider integrating the Malware Information Sharing Platform (MISP) to store, analyze, and manage information about threats. We also suggest developing internal threat intelligence for gathering information about all incidents.

Now that we have overviewed DORA’s pillars, we will explore how to align your software with them using proven development approaches and technologies.

Deliver DORA-compliant software with these 5 best practices

Much has been written on the complexity of DORA’s requirements, but it’s not always clear how exactly to comply with them in practice.

Let’s break down the five most helpful practices from Apriorit’s experience.

1. Adopt a secure SDLC

A secure software development lifecycle (SDLC) is a comprehensive approach for building a truly resilient and reliable product using the right tools and technologies. It aims to enhance every stage of the development lifecycle with cybersecurity measures.

For the architecture design stage, a secure SDLC starts with proper requirements gathering and introduces relevant practices like cryptography integration, a memory safety plan, and an architecture design security review, all of which are vital for DORA’s ICT risk management pillar.

Embracing a secure SDLC helps software developers establish practices that are essential for proper ICT third-party risk management. For example, when following a secure SDLC, your team will perform security analysis of other third-party components early in the project, prior to including them into the development plan.

Following the main principles of a secure SDLC is crucial for ensuring digital operational resilience testing. With this approach, test strategy planning and early test design are conducted during the requirements elicitation stage, aligning tests with complexity and risk levels of a product under development. Also, the QA phase includes quality gates for static analysis, test coverage tracking, and additional steps such as penetration testing.

2. Use proven security practices

Continuing with the topic of a secure SDLC, let’s dive a little deeper and take a look at cybersecurity practices that significantly enhance software protection and help your software align with several DORA pillars.

First, you should introduce suitable anomaly detection mechanisms to make sure your software can react in a timely fashion to potential accidents: depending on your project, your team might use AI-based models or statistical analysis methods. Such measures can help you create a solid ICT-related incident management system. Make sure your team plans measures to cover incidents related not only to the software itself but also to infrastructure, third-party components, administrative account compromise, etc.

Establish proper vulnerability monitoring by using threat modeling practices and adding vulnerability scanning functionality. This is essential for ICT risk management.

Finally, use dependency resolution practices and version control policies for proper dependency management. You should also consider creating a software bill of materials (SBOM) and performing regular audits to maintain an up-to-date inventory of dependencies. These are crucial parts of ICT third-party risk management.

3. Establish security and penetration testing

Professional quality assurance activities and security testing practices can help your team identify both known and zero-day vulnerabilities.

Let’s break down the most important advanced QA and testing practices and see how they align with DORA pillars.

1. Go for top-notch security methods to align with DORA’s digital operational resilience testing pillar:

• Stress testing activities provide valuable insights into how software performs under extreme or unfavorable conditions.
• Penetration testing checks whether an intruder can gain unauthorized access and exploit software vulnerabilities.
• Incident response testing helps your team prepare software to mitigate security incidents.

2. Add API testing to your quality assurance routine. This allows your team to ensure that your software securely and efficiently exchanges information with third-party components and products, which is vital for ICT third-party risk management.

3. Consider reusing information about potential attack scenarios from penetration testing reports. This may help your organization share valuable knowledge on potential vulnerability exploitation within the community, which aligns with the information sharing pillar.

4. Implement logging and monitoring

By adding robust logging and monitoring practices in your software, you can ensure early detection of anomalies and potential security incidents.

Enabling real-time monitoring of internal systems and applications in a FinTech solution will assist with rapid response to potential incidents, supporting the ICT-related incident management pillar. Consider using automated tools for anomaly detection, alert generation, and threat intelligence integration. You might also want to create or integrate telemetry data collection for an extra security layer.

Make sure your team starts by clearly defining all elements and activities for logging. This will establish a baseline of what is normal and help your team outline unusual patterns and suspicious activities. Having a baseline is crucial for the proper functioning of a risk management framework, and it supports the ICT risk management pillar.

Ensure that your software logs cover the entire lifecycle, from security-relevant events and system anomalies to user activity and interactions with sensitive data. Logs provide actionable insights for developers and security teams to detect and respond to threats. Having logs that cover the entire lifecycle helps enhance collaborative defense, which is the core idea behind the information sharing pillar. Organizations, for example, can search for specific indicators to detect and fix vulnerabilities before they are exploited.

It is worth saying that logs should not contain any sensitive data like passwords, tokens, or card details. Otherwise, logs themselves might become an attack vector or a point of compromise.

5. Introduce DevSecOps practices

DevSecOps is a left-shift approach for traditional DevOps practices, where security becomes a shared responsibility among several departments. Following DevSecOps practices when creating a FinTech product can help your team meet DORA requirements while ensuring security and operational resilience.

DevSecOps practices rely heavily on automating numerous processes for better efficiency.

For instance, DevOps engineers can enhance your logging and monitoring efforts by automating anomaly detection and incident prevention. Also, the DevSecOps approach includes establishing a clear incident response plan, outlining procedures for containment, eradication, recovery, and post-incident analysis. These can help your team significantly enhance your ICT-related incident management.

DevSecOps practices help to streamline secure management of third-party components and dependencies, which is tricky to do in FinTech ecosystems that often rely on multiple vendors and integrations. To achieve effective ICT third-party risk management, DevSecOps engineers create and enforce standards for integrating third-party components. You should consider enabling automated tools to continuously scan third-party libraries and dependencies for vulnerabilities, license compliance, and security posture.

Last but not least, DevSecOps introduces regular security and resilience testing within CI/CD pipelines for all software systems. This may include regular penetration testing, scenario-based operational resilience testing, static and dynamic application security testing, and dependency scanning. Automating and regularly performing these types of testing enhances your quality assurance and security efforts and brings you closer to DORA’s digital operational resilience testing pillar.

5 challenges when developing DORA-compliant software

If you’re planning to build or upgrade a solution that must meet DORA requirements, knowing the five pillars and best practices above is a great foundation.

However, your team must also be ready for challenges that could appear in the development process. Let’s take a look at the five most common compliance difficulties and ways to handle them.

1. Need to adapt legacy systems. Older solutions usually don’t support modern security requirements. But completely replacing legacy systems is expensive and time-consuming, especially for institutions that have complex IT infrastructure built over decades.

Instead, you can gradually modernize your software to extend functionality without full replacement. This includes introducing:

• API layers
• Microservices or containerized components
• Data encryption
• Patch management automation
• Migration of critical workloads to cloud environments (where possible)

2. Highly interconnected cloud and hybrid IT environments. Financial software often integrates with various technologies, cloud platforms, and hybrid setups. The more technology layers your software team has to deal with, the harder it is to maintain consistent ICT risk management.

To overcome this challenge, consider:

• Implementing a centralized observability system into your solution for easier management, a view across all environments, and improved reliability
• Adopting infrastructure as code (IaC) practices along with standardized configurations and zero-trust principles, especially if your FinTech software is built with a multi-cloud approach

3. Complexity of setting up continuous monitoring. Setting up continuous monitoring for proper threat detection can be costly, as it may require substantial technical infrastructure: servers, agents on numerous endpoints, long-term storage, cloud services, etc. It’s also quite hard to implement and configure tools that gather relevant telemetry, accurately analyze anomalies, and provide automated alerts.

To overcome this complexity, your team can:

• Integrate custom or off-the-shelf security tools like SIEM or SOAR to streamline current threat management capabilities
• Leverage machine learning algorithms for monitoring, aiming to enhance detection accuracy and reduce false positives

4. Complexity of third-party oversight. Ensuring your third-party providers meet rigorous standards for risk management and incident reporting is a complicated task. The challenge here is maintaining control and accountability while using outsourced services.

A few ways to help your team with this include:

• Creating a framework for vendor risk management with contractual risk assessments and vendor requirements
• Signing detailed service-level agreements with vendors to clearly divide security responsibilities between parties
• Using tools like third-party risk management (TPRM) technology solutions to automate oversight

5. Lack of skilled engineers. Many specialists have heard of DORA, but few have actually delivered DORA-compliant products. Experienced professionals with expertise in cybersecurity and security testing are in high demand, and a shortage of expertise can delay the implementation of critical compliance measures in FinTech software under development.

Upskilling your in-house team requires significant expenses and time. Instead, consider outsourcing development activities to experienced software development vendors like Apriorit who specialize in cybersecurity and compliance.

Build DORA-compliant products with Apriorit

With 20+ years of experience developing software for FinTech and other strictly regulated industries, we deliver secure, resilient, and DORA-compliant solutions.

By partnering with Apriorit, an ISO 27001-certified vendor with a security-first mindset, you unlock access to highly skilled engineers with deep expertise in cybersecurity and FinTech.

Here’s how we can help:

1. Develop the exact FinTech product you envision. When crafting software products for finance, banking, crypto, and insurance, we always align our processes with your business goals and needs. Apriorit engineers pick the most fitting technologies to ensure a flawless user experience, smooth digital payments, and protection of sensitive data.
2. Implement comprehensive cybersecurity measures. A secure SDLC and security by design are default approaches at Apriorit. We use proven measures to ensure product resilience and early vulnerability detection: data encryption, secrets management, data loss prevention, cloud protection, data backup and recovery, alerting, and more.
3. Establish mature security and penetration testing processes. Apriorit’s engineers conduct a wide range of security tests to make sure your system remains resilient against cyber threats. And Apriorit’s penetration testing gurus will help you find and fix weak spots in your software.

Whatever tasks you have in mind, Apriorit has you covered. We can:

• Audit your software code to detect and fix vulnerabilities and verify compliance with industry standards
• Assist with DevOps and DevSecOps processes to deliver resilient solutions with continuous and automated pipelines
• Manage third-party components by carefully evaluating the most reliable and creating and maintaining a detailed SBOM for your product
• Ensure secure API integrations to help you expand software capabilities while keeping everything compliant
• Create protected cloud solutions and manage cloud infrastructure to effectively balance flexibility of cloud services with compliance requirements
• Maintain and modernize legacy software to help your business grow and meet upcoming regulatory requirements

Conclusion

Developing financial software for the EU market is now a little trickier. Because of DORA, your software team has to balance your business plans and desired innovations with security, compliance, and performance requirements. Otherwise, your business may face costly penalties and reputational damage from non-compliance.

To deliver a DORA-compliant solution while still fulfilling your business goals, you should introduce robust security measures throughout the entire development lifecycle. Consider using the five pillar approach to achieve digital operational resilience act compliance. This approach is a solid guideline for creating a carefully planned risk management framework and digital resilience plan.

Last but not least, involve experts with strong cybersecurity skills and experience delivering solutions for strictly regulated industries.

FAQ