Mapping Controls to DORA Articles
The table below aligns specific operational controls with the articles of the Digital Operational Resilience Act (DORA) that they address. It is organised by the control categories listed in the Control table section, and each control is mapped to the DORA article(s) it supports.
The reference document is available on eur-lex.europa.eu.
Category | Control name | DORA Article |
---|---|---|
Data Backup and Recovery | Establish a regular backup schedule for critical data | Article 12 - Backup policies and procedures, restoration and recovery procedures and methods |
Data Backup and Recovery | Store backups in multiple locations (offsite and/or cloud-based storage) | Article 12 - Backup policies and procedures, restoration and recovery procedures and methods |
Data Backup and Recovery | Implement a versioning system to track and restore previous versions of data | Article 12 - Backup policies and procedures, restoration and recovery procedures and methods |
Data Backup and Recovery | Encrypt backups to protect sensitive data | Article 9 - Protection and prevention |
Data Backup and Recovery | Test backup and recovery processes periodically to ensure data integrity | Article 25 - Testing of ICT tools and systems |
Network redundancy and failover | Implement redundant network connections to prevent single points of failure | Article 7 - ICT systems, protocols and tools |
Network redundancy and failover | Use load balancers to distribute traffic evenly across resources | Article 7 - ICT systems, protocols and tools |
Network redundancy and failover | Employ network failover solutions (e.g., redundant routers, switches) | Article 7 - ICT systems, protocols and tools |
Network redundancy and failover | Monitor network performance and latency to detect potential issues | Article 10 - Detection |
Network redundancy and failover | Test network redundancy and failover processes to ensure proper functioning | Article 25 - Testing of ICT tools and systems |
Infrastructure monitoring and alerting | Implement a monitoring system to track the health and performance of cloud infrastructure | Article 10 - Detection |
Infrastructure monitoring and alerting | Set up alerts for critical events and performance thresholds | Article 10 - Detection |
Infrastructure monitoring and alerting | Monitor resource usage to identify potential bottlenecks and capacity issues | Article 10 - Detection |
Infrastructure monitoring and alerting | Establish a centralized logging system to collect and analyze logs from various components | Article 13 - Learning and evolving |
Infrastructure monitoring and alerting | Regularly review monitoring data to identify trends and improve infrastructure resilience | Article 13 - Learning and evolving |
Incident response planning | Develop a formal incident response plan, including roles and responsibilities | Article 11 - Response and recovery |
Incident response planning | Establish a communication plan for internal and external stakeholders during incidents | Article 14 - Communication |
Incident response planning | Perform regular incident response drills to test and refine the plan | Article 11 - Response and recovery |
Incident response planning | Document lessons learned from incidents and update the incident response plan accordingly | Article 13 - Learning and evolving |
Incident response planning | Provide training for staff on incident response processes and best practices | Article 13 - Learning and evolving |
Capacity planning and scaling | Regularly assess infrastructure capacity and plan for growth | Article 9 - Protection and prevention |
Capacity planning and scaling | Implement auto-scaling strategies to handle fluctuating workloads | Article 9 - Protection and prevention |
Capacity planning and scaling | Use load testing to identify capacity limits and potential bottlenecks | Article 9 - Protection and prevention |
Capacity planning and scaling | Monitor resource usage to anticipate and address potential capacity issues | Article 9 - Protection and prevention |
Capacity planning and scaling | Review and update capacity plans based on changing business requirements and growth | Article 9 - Protection and prevention |
Security and access controls | Implement strong authentication and authorization mechanisms | Article 9 - Protection and prevention |
Security and access controls | Regularly review and update user access permissions | Article 9 - Protection and prevention |
Security and access controls | Enable encryption for data at rest and in transit | |
Security and access controls | Apply security patches and updates promptly | Article 7 - ICT systems, protocols and tools |
Security and access controls | Conduct regular vulnerability assessments and penetration testing | Article 25 - Testing of ICT tools and systems |
Application resiliency and fault tolerance | Design applications to be stateless and horizontally scalable | Article 7 - ICT systems, protocols and tools |
Application resiliency and fault tolerance | Implement circuit breakers and retries to handle transient faults | Article 7 - ICT systems, protocols and tools |
Application resiliency and fault tolerance | Use health checks and load balancing to distribute traffic among instances | Article 7 - ICT systems, protocols and tools |
Application resiliency and fault tolerance | Isolate application components to limit the impact of failures | Article 7 - ICT systems, protocols and tools |
Application resiliency and fault tolerance | Monitor application performance and error rates to identify potential issues | Article 10 - Detection |
Data center and geographic redundancy | Deploy infrastructure across multiple data centers or availability zones | Article 12 - Backup policies and procedures, restoration and recovery procedures and methods |
Data center and geographic redundancy | Use geo-replication to store data redundantly across different regions | Article 12 - Backup policies and procedures, restoration and recovery procedures and methods |
Data center and geographic redundancy | Implement global load balancing to distribute traffic across data centers | Article 7 - ICT systems, protocols and tools |
Data center and geographic redundancy | Test failover processes between data centers to ensure smooth recovery | Article 25 - Testing of ICT tools and systems |
Data center and geographic redundancy | Regularly review and update data center redundancy strategies based on evolving needs | Article 13 - Learning and evolving |
Regular resilience testing and validation | Conduct regular disaster recovery and failover tests | Article 25 - Testing of ICT tools and systems |
Regular resilience testing and validation | Use chaos engineering techniques to simulate failures and test system resilience | Article 25 - Testing of ICT tools and systems |
Regular resilience testing and validation | Test backup and recovery processes to validate data integrity | Article 12 - Backup policies and procedures, restoration and recovery procedures and methods |
Regular resilience testing and validation | Perform load and stress tests to identify capacity limits and potential bottlenecks | Article 25 - Testing of ICT tools and systems |
Regular resilience testing and validation | Use the results of testing to inform updates and improvements to infrastructure resilience | Article 13 - Learning and evolving |
Documentation and Knowledge Sharing | Document architecture, processes, and best practices for cloud resilience | Article 13 - Learning and evolving |
Documentation and Knowledge Sharing | Maintain a centralized knowledge base for easy access to documentation | Article 13 - Learning and evolving |
Documentation and Knowledge Sharing | Regularly review and update documentation to reflect changes and improvements | Article 13 - Learning and evolving |
Documentation and Knowledge Sharing | Encourage knowledge sharing and collaboration among team members | Article 13 - Learning and evolving |
Documentation and Knowledge Sharing | Provide training and resources to help staff stay informed about resilience | Article 13 - Learning and evolving |