Ensure Digital Operational Resilience

The Data You Need for DORA Compliance

Financial services institutions today operate within some of the most complex and fragmented digital environments in the world. Years of innovation layered atop legacy infrastructure have produced sprawling IT estates that include cloud workloads, traditional data centers, and a growing array of third-party dependencies.

Much of this environment remains undocumented, difficult to monitor, and vulnerable to disruption. Visibility into the true scope of these assets—let alone how they interconnect to support business-critical functions—is often elusive. And yet, this visibility is foundational to building digital operational resilience.

At the same time, the threat landscape is growing more sophisticated. Cyberattacks are increasing, while IT outages have the potential to cascade through interconnected systems, partners, and platforms.

In response, regulators are shifting focus: from purely emphasizing risk prevention to requiring demonstrable resilience. This shift marks a major evolution in regulatory posture—moving from checking for security controls to demanding evidence of operational continuity, even in the face of disruption.

The European Union’s Digital Operational Resilience Act (DORA) formalizes this evolution. It reframes technology risk as a business continuity issue and raises the bar for what it means to be operationally resilient in a digital economy.

For financial institutions, complying with DORA isn’t just a matter of aligning with yet another regulatory standard—it’s a strategic necessity. Doing so requires accurate, real-time data about information and communication technology (ICT) assets, dependencies, and the business functions they support.

In this white paper, we compare DORA to other financial services regulatory frameworks, discuss six foundational data requirements for DORA compliance, describe the challenges firms are facing in addressing these data requirements, and explain how to address those challenges.

What “Resilience” Means to Regulators

In regulatory terms, resilience doesn’t imply preventing every incident—cyber or otherwise. Rather, it reflects a financial institution’s ability to recover quickly and effectively from disruptions to maintain continuity of operations.

The European Union’s Digital Operational Resilience Act (DORA) recognizes that digital systems are integral to business continuity. Unlike broader financial regulations that include information and communication technology (ICT) risk as one component among many, DORA focuses specifically on managing these risks.

As such, digital/ICT resilience is not merely a technical concern but a core requirement for overall operational resilience in financial services. DORA mandates that institutions manage ICT risks, maintain visibility over their digital ecosystems, and ensure that recovery strategies are grounded in up-to-date data. Another term for this is “cyber resilience” – the ability of organizations to effectively prepare for and respond to any type of IT disruption.

DORA entered into force on January 16, 2023, and financial entities subject to the regulation are expected to comply with DORA requirements as of January 17, 2025.

This paper is not a complete record of all the provisions and requirements outlined in DORA. You can find the complete text of DORA on EUR-Lex here.

How DORA Compares to Other Financial Services Regulatory Frameworks

While many regulations aim to improve operational resilience and/or cybersecurity in financial services, DORA distinguishes itself through its exclusive and integrated focus on cyber resilience. Unlike broader frameworks that treat ICT risk as one of many operational threats—or that equate resilience with cybersecurity—DORA makes digital operational resilience the central objective. It does so by tightly linking technology, data, and risk management to the continuity of critical business functions.

Common Ground with Other Frameworks

DORA shares foundational principles with regulatory frameworks and standards in the U.S. (e.g., FFIEC, NYDFS Part 500, CISA CRR) and globally (e.g., UK PRA/FCA, MAS, APRA CPS), including:

  • Governance structures that hold senior leadership accountable for ICT risks

  • Requirements for incident detection, escalation, and reporting

  • Vendor risk management and oversight

  • Business continuity and disaster recovery planning

  • Use of globally recognized standards like NIST and ISO

These similarities make DORA familiar in many respects—especially for organizations already regulated under multiple jurisdictions.

The DORA Distinction

Where DORA departs from other frameworks is in its depth and specificity around how ICT is defined, managed, and governed. Key differences include:

ICT Resilience vs. General Operational Resilience

DORA places ICT at the center of operational risk, with a requirement to continuously ensure that all technology systems and dependencies are capable of withstanding, responding to, and recovering from disruptions.

Resilience vs. Cybersecurity

DORA moves beyond cybersecurity controls (e.g., firewalls, encryption, access management) to focus on continuity and recoverability. It addresses not just threats, but outages, failures, and cascading impacts across internal systems and third-party providers.

Focus on Critical Business Functions

DORA mandates that financial entities identify their critical business functions, map these to the supporting ICT assets and services, and design resilience strategies around them. This function-first approach ensures that resilience is not just a technical goal but a business imperative.

Integrated, Data-Driven Compliance

To comply with DORA, institutions must maintain real-time visibility into ICT assets, third-party relationships, and dependencies, and ensure their data is structured, reportable, and auditable. This goes beyond policy and into the realm of technical architecture, continuous discovery, and automated reporting.

Summary Table - DORA Compared to Other Frameworks (the table itself is an image in the original and is not reproduced in this text)

Final Takeaway

DORA doesn’t merely consolidate or align existing ICT risk frameworks—it reframes the problem, asking financial institutions to treat ICT not just as infrastructure to protect, but as a core operational dependency to sustain. For firms already aligned to cybersecurity or general risk management standards, compliance with DORA will require a sharper focus on technology resilience, a clear mapping of ICT dependencies and how ICT supports critical business functions, and the ability to demonstrate resilience outcomes with precision and data.

DORA sets a new global benchmark—and signals a shift toward technology resilience as a strategic and regulatory priority.

Foundational Data Requirements for DORA Compliance

Achieving compliance with DORA requires more than documented processes and policies; it demands a robust, data-driven understanding of the entire ICT environment and its relationship to critical business functions.

Below are six foundational categories of data essential to meeting DORA’s requirements, each accompanied by a discussion of its mapping to DORA requirements and challenges that financial services firms need to address.

1. Complete ICT Asset Visibility

Definition

Complete ICT asset visibility refers to the continuous identification and inventory of all assets that constitute an organization’s information and communication technology (ICT) estate. This includes traditional IT assets (e.g., servers, endpoints, applications), operational technology (OT), cloud infrastructure, and Internet of Things (IoT) devices.

Relevance to DORA

DORA Article 8 mandates that financial entities identify all ICT assets and interdependencies, and continuously assess ICT risks. Furthermore, Articles 9 and 10 emphasize the need for comprehensive ICT controls, and Article 28 mandates management of “ICT third-party risk as an integral component of ICT risk.” Without full asset visibility, organizations cannot ensure compliance with any of these requirements.

Challenges to Address

Traditional configuration management databases (CMDBs) and asset management platforms frequently fall short due to:

  • Incomplete coverage of shadow IT, cloud-native, OT, and IoT assets

  • Exclusion of third-party, external assets that support the business

  • Dependence on manual updates or periodic scans, or reliance on data feeds from systems that have incomplete coverage

  • Limited ability to maintain real-time accuracy and relevance

These limitations leave critical blind spots, undermining efforts to assess risk, maintain resilience, or respond effectively to disruptions.

2. Dependency Maps

Definition

Dependency maps illustrate the relationships between ICT assets, revealing how infrastructure components interact to support business applications and processes. This includes both technical interdependencies (e.g., application-to-database connections) and logical or service-level linkages.

Relevance to DORA

DORA requires financial entities to understand and manage the interconnectedness of ICT systems (Article 8), evaluate risks posed by internal and external dependencies (Articles 10 and 28), and implement appropriate policies and controls to protect ICT systems (Article 9). Accurate dependency mapping is essential for assessing systemic vulnerabilities and mitigating risk, as well as for ensuring rapid recovery after an IT outage.

Challenges to Address

Many organizations rely on static, manually constructed diagrams or partial network topology maps that fail to capture:

  • Dynamic and transient relationships, particularly in cloud or containerized environments

  • Cross-environmental dependencies between IT, OT, IoT, and third-party services

  • The functional significance of relationships beyond raw connectivity

Without automated, context-aware mapping, institutions cannot reliably assess or test the resilience of their ICT ecosystem.

3. Business Function Maps

Definition

Business function maps connect ICT assets to the business processes they support. This mapping enables organizations to trace the operational impact of technical disruptions and to understand which systems are linked to regulated or customer-facing activities. Critical business functions—the operations most essential to the business—should be prioritized in cybersecurity, business continuity, and disaster recovery planning and resource allocation.

Relevance to DORA

DORA places explicit emphasis on the protection of critical business functions, requiring firms to demonstrate how these functions are supported by ICT infrastructure (Articles 4 and 8) and conduct regular tests on all ICT systems and applications supporting critical functions (Article 24). Mapping ICT assets to business operations is essential for effective risk management.

Challenges to Address

Current solutions often lack the capability to:

  • Integrate business context into asset inventories

  • Maintain up-to-date mappings as assets change

  • Infer functional relationships without labor-intensive manual work

This lack of linkage between technical and business domains creates barriers to compliance and hinders effective risk management.

4. Criticality Scores

Definition

Criticality scores represent a quantifiable assessment of the importance of ICT assets, typically based on their role in supporting critical functions like revenue generation, customer-facing operations, or compliance-sensitive processes.

Relevance to DORA

Under Article 11, DORA requires financial institutions to differentiate between critical and non-critical ICT services. Criticality scoring provides the basis for prioritization of protections, testing, and incident response planning.

Challenges to Address

Many organizations struggle with:

  • Inconsistent or outdated scoring methodologies

  • Overreliance on threat-focused risk models that consider only IT risk and ignore business impact

  • Fragmented views across business units, leading to conflicting assessments of importance

These challenges make it difficult to enforce proportional controls and often result in under- or over-protection of key systems.

5. Resilience Scores

Definition

Resilience scores evaluate the ability of an ICT asset to withstand, absorb, and recover from operational disruptions. These scores may take into account factors such as the presence of security controls around the asset.

Relevance to DORA

DORA Article 12 outlines requirements for resilience testing of critical ICT services. Resilience scores enable organizations to assess their current state of readiness and identify areas in need of targeted improvement.

Challenges to Address

Most tools today lack a standardized or integrated framework for resilience measurement, due to:

  • Narrow focus on uptime or performance metrics rather than true resilience indicators

  • Disconnected views of infrastructure health and business continuity

  • Point-in-time assessments that fail to capture evolving risks

This leads to a reactive, fragmented approach that does not satisfy DORA’s expectations for continuous operational resilience.

6. Recovery Plans

Definition

Recovery plans include the documented strategies and procedures required to restore systems and services after a disruption. Effective plans detail the specific steps organizations need to take to restore business applications and critical functions, to meet the recovery time objectives (RTOs) set by business and IT leadership.

Relevance to DORA

Articles 11 and 12 of DORA stress the importance of developing, maintaining, and testing response and recovery procedures. Institutions must demonstrate their ability to resume critical operations within established tolerances.

Challenges to Address

Despite the criticality of recovery planning, current solutions often:

  • Have a narrow focus on backups

  • Focus on restoration by type of IT device versus by business function

  • Store recovery documentation separately from real-time asset and dependency data

  • Lack integration with live systems, making it difficult to validate or update plans

  • Do not reflect recent changes in architecture, cloud deployments, or third-party arrangements

As a result, recovery plans may be outdated, untested, or disconnected from actual operational realities.

How Redjack Helps

Redjack’s cyber resilience platform addresses these foundational data challenges financial institutions face in complying with DORA.

By delivering continuous, passive discovery and rich contextual mapping of internal and external IT, OT, and IoT assets across on-premises, cloud, and hybrid environments, Redjack provides the visibility, traceability, and resilience insight required to meet DORA’s regulatory expectations.

Below, we map Redjack’s capabilities to each of the six foundational data requirements outlined in this paper.

1. Complete ICT Asset Visibility

Redjack passively observes network activity to autonomously identify and inventory all ICT assets—including unknown “shadow IT,” unmanaged assets, and third-party systems—across on-premises, cloud, and hybrid environments. This always-on visibility ensures organizations maintain an accurate and complete view of their technology estate without relying on scans, agents, or manual data entry.

DORA benefit: Supports Articles 8, 9, 10, and 28 by enabling financial entities to maintain a real-time inventory of all internal and third-party ICT assets and their operational state, including systems not detected by conventional tools.

2. Dependency Maps

Redjack automatically maps functional dependencies between assets, based on observed behavior, not static configurations. This includes relationships across environments, networks, applications, and services. The platform builds a live, data-driven model of how complex infrastructure interoperates.

DORA benefit: Fulfills requirements under Articles 8, 9, 10, and 28 to identify interdependencies and concentration risks by revealing hidden or undocumented relationships within and between ICT systems.

3. Business Function Maps

Redjack links assets and their dependencies to the business functions they support by integrating observed behavior, data science, and organizational knowledge. This creates a clear, validated mapping from infrastructure to operational processes, allowing institutions to understand the business impact of technical disruptions.

DORA benefit: Enables compliance with Articles 4, 8, and 24 by making the connection between ICT assets and critical business functions explicit and verifiable.

4. Criticality Scores

Redjack provides criticality scores for each ICT asset in an organization’s environment. The criticality score quantifies the impact of a network asset’s failure or absence on business operations as a whole. These scores are dynamically updated and can be used to help prioritize risk assessments and resilience investments.

DORA benefit: Supports proportionality principles under Article 11 by distinguishing critical from non-critical services and informing the prioritization of resilience testing and controls.

5. Resilience Scores

Redjack calculates resilience scores based on factors such as isolation (the difficulty of reaching an asset) and hardening (the difficulty in compromising the asset, once reached). These insights are continuously updated, giving stakeholders a dynamic view of each asset’s or service’s resilience posture across the organization.

DORA benefit: Aligns with Article 12 by enabling organizations to proactively identify vulnerabilities, measure resilience maturity, and target improvements ahead of mandated testing.

6. Recovery Plans

Redjack supports disaster recovery planning by providing AI-powered phased recovery plans that identify the assets and dependencies for each business function and detail the required order of restoration. These phased recovery plans can be generated on-demand and are based on the most current state of the firm’s infrastructure. The information in these plans enables organizations to validate RTO assumptions, efficiently conduct IT disaster recovery (DR) tests and procedures, and optimize DR infrastructure planning.

DORA benefit: Enhances compliance with Articles 11 and 12 by providing the data foundation necessary to develop, validate, and continuously improve ICT recovery strategies and procedures.
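The three data products described under Dependency Maps, Criticality Scores and Recovery Plans are all derived from the same underlying graph of which asset depends on which, and which business functions sit on top of it. The following is an added illustration of that derivation, not Redjack's code or its actual scoring method: it uses a constructed asset inventory, a constructed set of dependency edges and constructed business functions, computes a simple criticality score (how many business functions, weighted by criticality, transitively rely on each asset) and produces a phased restoration order for one business function by topologically sorting only the assets that function needs. The weighting scheme and the phase algorithm are assumptions made for the example.

```python
"""Dependency graph -> criticality scores -> phased recovery order.

Added example. All asset names, dependency edges and business functions below
are constructed sample data, not a real environment.
"""
from collections import defaultdict

# Constructed sample: asset -> set of assets it depends on (they must be restored first).
DEPENDS_ON = {
    "payments-web": {"payments-api"},
    "payments-api": {"core-db", "auth-svc", "fraud-scoring"},
    "fraud-scoring": {"core-db", "ml-feature-store"},
    "auth-svc": {"ldap"},
    "reporting-portal": {"report-db"},
    "report-db": {"core-db"},
    "core-db": {"san-storage"},
    "ldap": set(),
    "san-storage": set(),
    "ml-feature-store": set(),
}

# Constructed sample: business function -> its entry-point assets and whether it is critical.
BUSINESS_FUNCTIONS = {
    "Card payments": {"assets": {"payments-web"}, "critical": True},
    "Regulatory reporting": {"assets": {"reporting-portal"}, "critical": True},
    "Internal dashboards": {"assets": {"reporting-portal"}, "critical": False},
}


def transitive_dependencies(asset, graph=DEPENDS_ON):
    """Every asset that `asset` relies on directly or indirectly (excluding itself)."""
    seen, stack = set(), [asset]
    while stack:
        current = stack.pop()
        for dep in graph.get(current, ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def assets_for_function(function_name, graph=DEPENDS_ON, functions=BUSINESS_FUNCTIONS):
    """Entry-point assets of a business function plus everything they depend on."""
    needed = set()
    for entry in functions[function_name]["assets"]:
        needed.add(entry)
        needed |= transitive_dependencies(entry, graph)
    return needed


def criticality_scores(graph=DEPENDS_ON, functions=BUSINESS_FUNCTIONS):
    """Assumed scheme: an asset scores 2 for each critical business function and 1 for
    each non-critical one that would lose service if the asset failed."""
    scores = defaultdict(int)
    for name, fn in functions.items():
        weight = 2 if fn["critical"] else 1
        for asset in assets_for_function(name, graph, functions):
            scores[asset] += weight
    return {asset: scores.get(asset, 0) for asset in graph}


def recovery_phases(function_name, graph=DEPENDS_ON, functions=BUSINESS_FUNCTIONS):
    """Phased restoration order for one business function (Kahn's algorithm on the
    subgraph of assets that function needs). Phase 0 holds assets with no unrestored
    dependency; each later phase becomes restorable once the previous one is up.
    A dependency cycle makes a complete order impossible and raises ValueError."""
    needed = assets_for_function(function_name, graph, functions)
    indegree = {a: len(graph.get(a, set()) & needed) for a in needed}
    dependents = defaultdict(set)
    for a in needed:
        for dep in graph.get(a, set()) & needed:
            dependents[dep].add(a)

    phases = []
    ready = sorted(a for a in needed if indegree[a] == 0)
    while ready:
        phases.append(ready)
        next_ready = []
        for a in ready:
            for d in dependents[a]:
                indegree[d] -= 1
                if indegree[d] == 0:
                    next_ready.append(d)
        ready = sorted(next_ready)

    restored = {a for phase in phases for a in phase}
    if restored != needed:
        raise ValueError(f"dependency cycle among: {sorted(needed - restored)}")
    return phases


if __name__ == "__main__":
    for asset, score in sorted(criticality_scores().items(), key=lambda kv: -kv[1]):
        print(f"{asset:18} criticality={score}")
    for fn in ("Card payments", "Regulatory reporting"):
        print(f"\nRecovery phases for {fn!r}:")
        for i, phase in enumerate(recovery_phases(fn)):
            print(f"  phase {i}: {', '.join(phase)}")
```

Two things the output makes visible that the prose only asserts: shared infrastructure such as `core-db` and `san-storage` scores highest because every business function transitively depends on it, even though no business owner would name a storage array as "their" system; and the restoration order for a function is not the same as restoring device types in bulk, since `auth-svc` must be up before `payments-api` regardless of where either one physically runs.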

By delivering comprehensive ICT visibility, automated context mapping, and business-aligned analytics, Redjack empowers financial institutions to operationalize DORA requirements and strengthen their digital resilience — not just for compliance, but for long-term continuity and trust.

Conclusion

Achieving DORA compliance demands more than policies—it requires accurate, real-time data about your digital environment and its relationship to your business. Redjack simplifies compliance by automating the hard parts: visibility, context, mapping, and planning.

By giving you the objective evidence of how your complex infrastructure supports your business activity, Redjack enables your institution to go beyond regulatory checkboxes and build true cyber resilience.
