The Digital Operational Resilience Act, or DORA, focuses on limiting how disruptive cyberattacks are to financial institutions. One of its key characteristics is that it views open source analysis, also known as software composition analysis (SCA), as a basic security requirement that all institutions under its guidance must develop as a capability.
DORA is a European Union-wide requirement passed in 2024 and enforceable starting in January 2025. It covers more than 20,000 financial entities and information and communications technology (ICT) service providers, particularly with a risk management framework. It can be easy for highly specialized organizations to feel their needs in this area are unique and therefore require custom solutions. But the breadth and depth of Sonatype's malware prevention and detection expertise can't be matched, so before you consider solving DORA compliance through homegrown methods, consider how we can help in these key areas.
DORA includes language outlining how to achieve a high level of digital operational resilience and emphasizes open source analysis as a fundamental security requirement:
To reflect differences that exist across, and within, the various financial subsectors as regards financial entities' level of cybersecurity preparedness, testing should include a wide variety of tools and actions, ranging from the assessment of basic requirements (e.g. vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing or end-to-end testing) to more advanced testing by means of TLPT.
DORA classifies open source analysis as a basic security requirement in Regulation 56. Consequently, all financial entities governed by DORA must develop capabilities in this area.
Sonatype's platform is a leading provider of comprehensive solutions for open source analysis, scanning software, and vulnerability assessments. Developing these foundational capabilities is essential before any advanced security activities are undertaken according to DORA.
Sonatype is the best fit for organizations with a diverse software supply chain, that want assurance that security, license, and operational risk aren’t being introduced, and that have the resources to integrate the suite of products.
– The Forrester Wave: Software Composition Analysis
With more than 300 million open source components cataloged, our platform offers the industry's only comprehensive, proactive solution for end-to-end software supply chain security. Continuous automated monitoring lets you stay current on any new policy violations discovered, even after the software is built. Sonatype also provides constant updates for third-party policies, and an easy-to-use administrative user interface simplifies policy management. Securing the software supply chain is a challenge that will only be solved as an industry, and if organizations can address risk management the right way, innovation will accelerate.
For more information about how Sonatype can help address DORA compliance, as well as how the platform addresses other cybersecurity legislation, read our full DORA User's Guide to Compliance.