Overview

The Digital Operational Resilience Act (DORA) is an EU regulation that establishes requirements for the security of network and information systems of financial entities and their critical third-party service providers. Qovery is designed to help financial services organizations meet DORA requirements.
Effective Date: January 17, 2025
DORA applies to financial entities operating in the EU and their ICT (Information and Communication Technology) service providers.

DORA Requirements

DORA focuses on five key pillars:

ICT Risk Management

Comprehensive risk management framework for ICT systems

Incident Reporting

Mandatory reporting of major ICT-related incidents

Digital Resilience Testing

Regular testing including advanced scenarios (TLPT)

Third-Party Risk

Due diligence and oversight of ICT service providers

Information Sharing

Sharing of cyber threat intelligence and best practices

How Qovery Supports DORA Compliance

1. ICT Risk Management

Qovery Features:
  • Infrastructure monitoring and observability
  • Real-time health checks and alerts
  • Automated security scanning
  • Vulnerability management
  • Configuration drift detection
Documentation:
  • Complete audit trail of all changes
  • Risk assessment reports available
  • Security posture dashboards
High Availability:
  • Multi-AZ deployment by default
  • Automated failover capabilities
  • Load balancing and auto-scaling
  • Zero-downtime deployments
Disaster Recovery:
  • Automated backups with point-in-time recovery
  • Multi-region replication available
  • RTO: 15-30 minutes (configurable)
  • RPO: < 24 hours (continuous available)
Controlled Deployments:
  • GitOps workflow with version control
  • Approval workflows (enterprise)
  • Automated testing pipelines
  • Rollback capabilities
Change Tracking:
  • Complete audit log of all changes
  • Who, what, when, and why documented
  • Immutable change history

2. Incident Management and Reporting

  • Detection
  • Classification
  • Response
  • Reporting
Real-Time Monitoring:
  • Application and infrastructure monitoring
  • Log aggregation and analysis
  • Anomaly detection
  • Automated alerting
Alert Channels:
  • Email, Slack, PagerDuty
  • Webhook integrations
  • Custom notification rules

3. Digital Operational Resilience Testing

Testing Capabilities:
  • Automated health checks
  • Chaos engineering support
  • Load testing integration
  • Disaster recovery drills
Qovery Tools:
  • Preview environments for testing
  • Staging environment replication
  • Safe production testing
  • Automated rollback on failure
Threat-Led Penetration Testing: For critical service providers, DORA requires advanced testing:
  • Simulated cyber-attacks
  • Red team exercises
  • Blue team defense
  • Purple team collaboration
Qovery Support:
  • Isolated test environments
  • Production-like staging
  • Security scanning tools integration
  • Test result documentation
Required Documentation:
  • Test plans and scenarios
  • Test execution records
  • Results and findings
  • Remediation actions
Qovery Features:
  • Deployment logs and history
  • Test environment snapshots
  • Audit trail of changes
  • Compliance reports

4. Third-Party ICT Service Provider Management

  • Qovery as Service Provider
  • Sub-Processors
  • Risk Assessment
Due Diligence Information:
  • SOC 2 Type II certification
  • GDPR compliance
  • Data processing agreements (DPA)
  • Security documentation
  • SLA commitments
Contract Terms:
  • Right to audit
  • Exit strategies
  • Data portability
  • Termination procedures

5. Information Sharing

Qovery Commitment:
  • Timely notification of security incidents
  • Sharing of threat intelligence (where applicable)
  • Collaboration on security best practices
  • Participation in industry forums
Customer Responsibilities:
  • Report incidents affecting Qovery services
  • Share relevant threat information
  • Collaborate on security improvements

DORA-Specific Features

Audit Logs

Immutable audit trail of all actions with long-term retention (1+ years)

Data Residency

Deploy in EU regions to meet data localization requirements

Encryption

End-to-end encryption at rest and in transit with key management

Access Controls

Role-based access control (RBAC) with MFA and SSO support

Backup & Recovery

Automated backups with point-in-time recovery and DR capabilities

Monitoring

Real-time monitoring, alerting, and anomaly detection

Customer Responsibilities

To achieve DORA compliance, customers must:
  1. Risk Assessment: Conduct regular risk assessments of applications and infrastructure
  2. Testing Program: Implement regular testing including DR drills and security testing
  3. Incident Response: Establish incident response procedures and reporting mechanisms
  4. Documentation: Maintain documentation of security controls and testing results
  5. Third-Party Management: Assess and monitor all ICT service providers including Qovery
  6. Training: Provide security awareness training to team members

Documentation and Evidence

Qovery provides documentation to support DORA compliance:
  • Security Documentation: Architecture, controls, policies
  • Compliance Certificates: SOC 2, ISO certifications
  • Audit Reports: Available upon request (NDA required)
  • SLA Documentation: Service level commitments
  • DPA/GDPR: Data processing agreements
  • Incident Reports: Historical incident documentation
How to Access:
  1. Contact your account manager
  2. Request specific compliance documentation
  3. Sign NDA if required
  4. Receive documentation package

Regional Considerations

EU Data Centers

Qovery supports deployment in EU regions:
  • AWS
  • GCP
  • Azure
  • Scaleway
AWS regions:
  • eu-west-1 (Ireland)
  • eu-west-2 (London)
  • eu-west-3 (Paris)
  • eu-central-1 (Frankfurt)
  • eu-north-1 (Stockholm)

Getting Started with DORA Compliance

  1. Gap Analysis: Conduct gap analysis against DORA requirements
  2. Risk Assessment: Assess ICT risks and document in risk register
  3. Control Implementation: Implement required security and resilience controls using Qovery features
  4. Testing Program: Establish regular testing and DR drill schedule
  5. Documentation: Document policies, procedures, and testing results
  6. Continuous Improvement: Regular review and enhancement of controls

Disclaimer: This documentation provides information about Qovery features that support DORA compliance. Customers are responsible for their own compliance and should consult with legal and compliance advisors.