The Digital Operational Resilience Act (DORA) is a set of regulations that aims to strengthen the digital resilience of the financial sector against IT risks.

Adopted in December 2022, it entered into force in January 2023 and has been applicable since January 17, 2025, across the European Union.

In this context, several requirements directly impact application development, management, and security. The solutions offered by ARCAD Software help address these requirements through several key areas.

1. Securing the Software Development Lifecycle (Secure SDLC)

The DORA regulation requires financial institutions to implement a robust framework for ICT risk management to secure their applications and IT infrastructure.

“Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system […]”

Article 6, Regulation (EU) 2022/2554

The requirements imposed by these regulations will lead organizations to secure the entire software development lifecycle, which will limit risks related to application changes and deployments.

➡️ ARCAD Contribution:

Our DevOps solutions automate and secure application development, testing, and deployment processes, while ensuring rigorous version and change management.

2. Change Management and Traceability (Audit Trail)

In order to ensure transparency, IT governance, and regulatory compliance, DORA requires organizations to precisely track changes made to their IT systems.

DORA also mandates strict control over system changes:

“Financial entities shall […] implement documented policies, procedures and controls for ICT change management […] in order to ensure that all changes are recorded, tested, assessed, approved, implemented and verified in a controlled manner.”

— Article 9, Regulation (EU) 2022/2554

Organizations must notably:

  • maintain a history of changes
  • identify users who performed those changes
  • document operations carried out on applications and IT environments
  • ensure control and traceability of changes

➡️ ARCAD Contribution:

Our DevOps solutions provide a complete audit trail, enabling full tracking of all operations performed on applications, from development to production deployment.

3. System Resilience and Robustness Testing

The European DORA framework requires financial institutions to regularly test the robustness of their systems to ensure digital operational resilience against IT incidents.

“Financial entities […] shall establish procedures and policies to prioritise, classify and remedy all issues revealed throughout the performance of the tests [which are part of the ICT Risk Management framework] and shall establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed.”

Article 24, Regulation (EU) 2022/2554

➡️ ARCAD Contribution:

Our DevOps solutions facilitate test automation within the development lifecycle, enabling:

  • secure production releases
  • reduced risks related to application changes
  • improved application quality and stability

4. Identification of Critical Systems and Application Mapping

DORA requires organizations to identify their critical systems and understand dependencies between applications and IT infrastructure.

“Financial entities shall […] map the configuration of the information assets and ICT assets and the links and interdependencies between the different information assets and ICT assets.”

Article 8, Regulation (EU) 2022/2554

This capability is essential to assess the potential impact of an incident or a change across the entire information system.

➡️ ARCAD Contribution:

Our DISCOVER solution enables:

  • analysis of programs and databases
  • mapping of application dependencies
  • identification of potential impacts of changes across the entire information system


5. Deployment Control and Rollback Capability

The European DORA regulations also require financial institutions to ensure the continuity and resilience of their IT systems, particularly in the event of incidents or errors during application changes.

“Financial entities shall set up backup systems that can be activated in accordance with the backup policies and procedures, as well as restoration and recovery procedures and methods.”

Article 12, Regulation (EU) 2022/2554

In this context, organizations should be able to control software deployments, secure production releases, and quickly restore a stable version in case of issues to ensure service continuity.

➡️ ARCAD Contribution:

The DROPS solution, which is a platform engineering tool, automates and secures application deployments while ensuring service continuity. DROPS enables version management and rapid rollback to a stable version in case of error, minimizing the impact of incidents.


6. Code Quality and Early Vulnerability Detection

The DORA framework requires financial institutions to identify weaknesses in their systems to strengthen digital resilience.

“Financial entities […] shall establish procedures and policies to prioritise, classify and remedy all issues revealed throughout the performance of the tests [which are part of the ICT Risk Management framework] and shall establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed.”

Article 24, Regulation (EU) 2022/2554

Code quality and early vulnerability detection help reduce costs and risks, improve application maintainability, and secure development processes, particularly when onboarding new developers.

➡️ ARCAD Contribution:

The ARCAD CodeChecker solution automatically analyzes code to detect vulnerabilities, errors, and poor practices. It improves code quality and contributes to strengthening IT system resilience in line with DORA requirements.


Conclusion

DORA strengthens requirements related to IT system security, change traceability, and digital resilience in the financial sector.

With its solutions, ARCAD Software supports organizations in:

  • securing the software development lifecycle
  • ensuring application change traceability
  • automating testing and deployments
  • mapping systems and understanding application dependencies

These solutions contribute to improving digital operational resilience and compliance with DORA requirements.

Furthermore, test environment management and data protection remain key challenges in achieving DORA compliance. Data anonymization, notably with DOT Anonymizer, helps reduce risks while facilitating testing and development.
