DORA Compliance: Domain Security for Financial Services
The Digital Operational Resilience Act requires financial entities to manage ICT risks across their digital infrastructure. Map your external security controls to DORA requirements with this practical checklist.
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is the EU regulation that establishes a comprehensive framework for managing Information and Communications Technology (ICT) risk in the financial sector. It entered into force in January 2023 and has applied since 17 January 2025 to banks, insurance companies, investment firms, payment service providers, crypto-asset service providers, and the critical ICT third-party providers that serve them.
DORA goes beyond traditional cybersecurity compliance by addressing the full spectrum of digital operational resilience: ICT risk management, incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. Penalties for financial entities are set by each member state's competent authority under Article 50 and can include administrative fines and remedial orders. The figure often quoted for DORA, periodic penalty payments of up to 1% of average daily worldwide turnover for each day of non-compliance for up to six months, is the sanction under Article 35 for critical ICT third-party providers that fail to comply with their Lead Overseer, not the general penalty for financial entities.
This guide maps DORA requirements to the external security controls that CyberShield assesses, helping financial entities identify compliance gaps through automated external scanning.
DORA Requirements Mapped to External Security
ICT Risk Management Framework (Articles 5-16)
DORA requires financial entities to establish a comprehensive ICT risk management framework that includes identification, protection, detection, response, and recovery functions.
Identification (Article 8): Entities must identify, classify, and document all ICT-supported business functions, information assets, and ICT systems. External scanning supports this by discovering internet-facing assets that may not be in the entity's CMDB.
What CyberShield identifies:
- Subdomains and hosts through DNS enumeration and certificate transparency
- Open ports and services on discovered infrastructure
- Certificate inventory across all domains
- Email infrastructure (MX records, SPF authorized senders)
Protection (Article 9): Entities must implement ICT security policies and tools that ensure the resilience, continuity, and availability of ICT systems. External security controls are a measurable component of the protection function.
What CyberShield evaluates:
- TLS configuration strength (encryption for data in transit)
- Email authentication (protection against impersonation)
- HTTP security headers (web application protection)
- Network exposure (minimized attack surface)
- DNS security (infrastructure protection)
Detection (Article 10): Entities must implement mechanisms to detect anomalous activities and ICT-related incidents. Continuous external monitoring contributes to detection capability.
What CyberShield provides:
- Scheduled scans detecting configuration changes
- Baseline comparison identifying new findings
- Score trend monitoring for posture degradation
- Certificate transparency monitoring for unauthorized certificates
ICT-Related Incident Reporting (Articles 17-23)
DORA establishes mandatory incident reporting to competent authorities with strict timelines:
- Initial notification: within 4 hours of classifying an incident as major, and no later than 24 hours after becoming aware of it
- Intermediate report: within 72 hours of the initial notification, with an update whenever the incident's status changes materially
- Final report: within one month of the intermediate report (or of its latest update)
External security assessment data supports incident reporting:
Pre-incident posture documentation: Regular scan reports demonstrate the entity's security controls at the time of the incident, showing whether the entity maintained appropriate protections.
Root cause evidence: If an incident exploited an external weakness, scan history shows when the weakness existed and what remediation was in progress.
Post-incident verification: Follow-up scans confirm that the exploited weakness has been remediated.
Digital Operational Resilience Testing (Articles 24-27)
DORA requires entities to establish a digital operational resilience testing program that includes vulnerability assessments, network security assessments, and for significant entities, threat-led penetration testing (TLPT).
External security scanning directly supports the vulnerability assessment and network security assessment components:
Vulnerability assessment: CyberShield's scanning modules identify external vulnerabilities across TLS, email, DNS, HTTP, ports, web applications, and exposure categories. Regular scanning covers the vulnerability assessment component for internet-facing assets; internal systems and authenticated application testing still need separate coverage in the testing programme.
Network security assessment: The ports module identifies open services and unnecessary network exposure. DNS module evaluates domain infrastructure security. These assessments can be performed continuously without the coordination overhead of penetration testing.
TLPT preparation: External assessment results inform the scope and targeting of threat-led penetration tests by identifying the entity's actual external attack surface.
ICT Third-Party Risk Management (Articles 28-44)
DORA places significant emphasis on managing risks from ICT third-party service providers. Financial entities must:
- Maintain a register of all ICT third-party arrangements
- Conduct due diligence before entering arrangements
- Monitor the ICT third-party's security on an ongoing basis
- Ensure contractual provisions address security requirements
External security assessment enables objective third-party monitoring:
What CyberShield provides for vendor assessment:
- Vendor domain security posture scoring
- TLS, email, DNS, and web security evaluation of vendor infrastructure
- Score trending to monitor vendor posture changes over time
- Finding comparison between assessments to identify new vendor risks
External Security Controls Checklist for DORA
Encryption and Cryptographic Controls
Financial data in transit requires strong cryptographic protection. DORA Article 9(2) requires policies and tools that maintain the confidentiality, integrity and authenticity of data at rest, in use and in transit, and Article 9(4)(d) requires encryption based on data classification and risk assessment together with protection measures for cryptographic keys.
- TLS 1.2 as minimum protocol version on all internet-facing services
- TLS 1.3 supported and preferred where possible
- TLS 1.0 and 1.1 completely disabled (see our TLS hardening guide for configuration steps)
- Strong cipher suites with forward secrecy (ECDHE + AES-GCM)
- No weak ciphers (RC4, DES, 3DES, export-grade, NULL)
- HSTS enabled with minimum 1-year max-age
- HSTS includeSubDomains enabled
- All certificates valid and not within 30 days of expiration
- Certificate chains complete (no missing intermediates)
- CAA records restricting certificate issuance to authorized CAs
- Certificate transparency monitoring active
Communication Security Controls
Protecting business communications against interception and impersonation.
- SPF record published with -all (hard fail)
- SPF record within the 10 DNS lookup limit
- DKIM signing enabled on all email services
- DMARC policy at p=reject (financial services should target reject, not quarantine)
- DMARC subdomain policy sp=reject
- DMARC reporting configured and monitored
- MTA-STS policy deployed for inbound email TLS enforcement
- TLS-RPT configured for delivery failure monitoring
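The SPF, DMARC and MTA-STS items above can be evaluated mechanically once the records are in hand. The following is an added example, not CyberShield's scanner code: it parses constructed sample records (no real domain is queried) and reports the checklist failures a reviewer would flag. Note the caveat in check_spf: it counts only the top-level lookup terms, because each include: and redirect= pulls in the lookups of the referenced record, so the real count is at least what it reports.

```python
"""Evaluate SPF, DMARC and MTA-STS records against the communication checklist.

Added example, not CyberShield code. The records at the bottom are constructed
samples; in practice fetch the TXT records for <domain>, _dmarc.<domain> and
_mta-sts.<domain>, and the policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt.
"""
import re

# SPF terms that each consume one of the ten DNS lookups RFC 7208 allows.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=/].*)?$", re.I)


def check_spf(record):
    """Return (severity, message) findings for a published SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("high", "no valid SPF record (missing v=spf1)")]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            continue
        name = m.group(1).lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    if all_qualifier is None:
        findings.append(("high", "no 'all' mechanism; unlisted senders are treated as neutral"))
    elif all_qualifier != "-":
        findings.append(("medium", f"record ends in '{all_qualifier}all' instead of '-all' (hard fail)"))
    # Only top-level terms are counted; nested include: records add more, so this is a lower bound.
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(("high", f"{lookups} lookup terms at top level exceed the limit of {SPF_LOOKUP_LIMIT}; receivers return permerror"))
    return findings


def parse_pairs(text, sep=";", eq="="):
    """Parse 'k=v; k=v' (DMARC) or 'k: v' per line (MTA-STS) into (key, value) pairs."""
    pairs = []
    for part in text.split(sep):
        if eq in part:
            k, v = part.split(eq, 1)
            pairs.append((k.strip().lower(), v.strip()))
    return pairs


def check_dmarc(record):
    tags = dict(parse_pairs(record))
    if tags.get("v") != "DMARC1":
        return [("high", "no valid DMARC record")]
    findings = []
    p = tags.get("p")
    if p != "reject":
        findings.append(("high" if p in (None, "none") else "medium", f"p={p}; target p=reject so spoofed mail is dropped, not just quarantined"))
    # sp defaults to p when absent, so only an explicit weaker sp= is a separate problem.
    sp = tags.get("sp", p)
    if sp != "reject":
        findings.append(("medium", f"subdomain policy resolves to sp={sp}"))
    if tags.get("pct", "100") != "100":
        findings.append(("medium", f"pct={tags['pct']} applies the policy to only part of failing mail"))
    if "rua" not in tags:
        findings.append(("low", "no rua= address; aggregate reports are not being collected"))
    return findings


def check_mta_sts_policy(policy_text):
    pairs = parse_pairs(policy_text, sep="\n", eq=":")
    fields = dict(pairs)
    if fields.get("version") != "STSv1":
        return [("medium", "no valid MTA-STS policy (version: STSv1 missing)")]
    findings = []
    if fields.get("mode") != "enforce":
        findings.append(("medium", f"mode is '{fields.get('mode')}'; only 'enforce' blocks TLS downgrade, 'testing' merely reports"))
    if not [v for k, v in pairs if k == "mx"]:
        findings.append(("high", "policy lists no mx: hosts"))
    max_age = fields.get("max_age", "0")
    if not max_age.isdigit() or int(max_age) < 86400:
        findings.append(("low", "max_age under one day; a short DNS or HTTPS outage drops enforcement quickly"))
    return findings


# Constructed sample records, not fetched from any real domain.
GOOD_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.invalid -all"
WEAK_SPF = ("v=spf1 a mx ptr exists:%{i}.rbl.invalid include:a.invalid include:b.invalid include:c.invalid "
            "include:d.invalid include:e.invalid include:f.invalid include:g.invalid ~all")
GOOD_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.test"
WEAK_DMARC = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.test"
GOOD_STS = "version: STSv1\nmode: enforce\nmx: mx1.example.test\nmx: mx2.example.test\nmax_age: 604800\n"
WEAK_STS = "version: STSv1\nmode: testing\nmx: mx1.example.test\nmax_age: 604800\n"

if __name__ == "__main__":
    for label, fn, rec in [("good spf", check_spf, GOOD_SPF), ("weak spf", check_spf, WEAK_SPF),
                           ("good dmarc", check_dmarc, GOOD_DMARC), ("weak dmarc", check_dmarc, WEAK_DMARC),
                           ("good mta-sts", check_mta_sts_policy, GOOD_STS), ("weak mta-sts", check_mta_sts_policy, WEAK_STS)]:
        print(label, fn(rec))
```

The weak SPF sample fails twice: it ends in ~all (softfail, so receivers merely mark forged mail) and it declares eleven lookup terms before any include is even resolved. The weak DMARC sample is the common "we have DMARC" state that does not meet the checklist: p=quarantine, pct=50, and the subdomain policy inheriting quarantine.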
Network Security Controls
Minimizing network attack surface to reduce operational risk.
- No remote desktop services (RDP, VNC) exposed to internet
- No database services accessible from internet
- No file sharing services (SMB, FTP) exposed
- Administrative interfaces restricted to secure channels
- Only business-required services publicly accessible
- Firewall rules documented and regularly reviewed
Web Application Security Controls
Protecting customer-facing and partner-facing web applications.
- Content-Security-Policy header deployed and configured
- X-Frame-Options preventing clickjacking
- X-Content-Type-Options preventing MIME sniffing
- Strict Referrer-Policy configured
- Permissions-Policy restricting browser features
- No server version disclosure in response headers
- No technology stack disclosure (X-Powered-By removed)
- Custom error pages (no stack traces or internal paths)
- No sensitive files publicly accessible
- Secure cookie configuration (Secure, HttpOnly, SameSite)
- CSRF protection on state-changing forms
- Properly configured CORS policies
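Most of the header and cookie items above, together with the two HSTS items from the encryption checklist, can be verified from a single HTTPS response. The following is an added example and not CyberShield's scanner code; the two header sets at the bottom are constructed samples (one weak, one hardened) rather than captured from a live site, and the function names are this example's own. The CSRF and CORS items are deliberately not covered, since they need request-level testing rather than a header read.

```python
"""Check an HTTP response's headers and cookies against the web-application
checklist (plus the HSTS items from the encryption checklist).

Added example, not CyberShield code. The two header sets at the bottom are
constructed samples; to test a real site, pass the header list of an HTTPS
response (for example response.getheaders() from http.client).
"""
import re

ONE_YEAR = 31536000
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def split_headers(headers):
    """Lower-case names into a dict; Set-Cookie is kept separately because it repeats."""
    single, cookies = {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            single[name.lower()] = value
    return single, cookies


def check_hsts(value):
    if value is None:
        return ["Strict-Transport-Security missing"]
    issues = []
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m or int(m.group(1)) < ONE_YEAR:
        issues.append(f"HSTS max-age below one year: {value}")
    if "includesubdomains" not in value.lower():
        issues.append("HSTS lacks includeSubDomains")
    return issues


def check_csp(value):
    """Presence is not enough: a script-src allowing 'unsafe-inline' or * gives no XSS protection."""
    if value is None:
        return ["Content-Security-Policy missing"]
    directives = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
    # script-src falls back to default-src; with neither, scripts are unrestricted.
    script = directives.get("script-src", directives.get("default-src", ["*"]))
    if "'unsafe-inline'" in script or "*" in script:
        return ["CSP script-src allows 'unsafe-inline' or *"]
    return []


def check_cookie(set_cookie):
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {a.strip().lower().split("=", 1)[0] for a in set_cookie.split(";")[1:]}
    missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
    return [f"cookie {name} lacks {', '.join(missing)}"] if missing else []


def check_response(headers):
    """Return the checklist failures for a list of (name, value) header pairs."""
    h, cookies = split_headers(headers)
    issues = check_hsts(h.get("strict-transport-security")) + check_csp(h.get("content-security-policy"))
    # Either X-Frame-Options or a CSP frame-ancestors directive stops clickjacking.
    if (h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN")
            and "frame-ancestors" not in h.get("content-security-policy", "").lower()):
        issues.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        issues.append("X-Content-Type-Options: nosniff missing")
    if h.get("referrer-policy", "").lower() not in STRICT_REFERRER:
        issues.append("Referrer-Policy missing or permissive")
    if "permissions-policy" not in h:
        issues.append("Permissions-Policy missing")
    if re.search(r"\d", h.get("server", "")):
        issues.append(f"Server header discloses a version: {h['server']}")
    if "x-powered-by" in h:
        issues.append(f"X-Powered-By discloses the stack: {h['x-powered-by']}")
    for cookie in cookies:
        issues += check_cookie(cookie)
    return issues


# Constructed sample responses, not captured from any real site.
WEAK = [
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("X-Powered-By", "PHP/7.4.3"),
    ("Strict-Transport-Security", "max-age=86400"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
HARDENED = [
    ("Server", "nginx"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    print("weak:", *check_response(WEAK), sep="\n  ")
    print("hardened:", check_response(HARDENED))
```

The weak sample has a CSP and an HSTS header and would pass a naive "header present" check, yet it fails on both: the one-day max-age and the 'unsafe-inline' script source are exactly the configurations a checklist review should catch.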
DNS Infrastructure Security
Protecting the domain infrastructure that underpins all digital services.
- DNSSEC enabled and validated
- Multiple nameservers on diverse networks
- Zone transfer restricted to authorized servers
- No dangling CNAME records
- Regular DNS record audit and cleanup
Domain Management
Maintaining domain registration health for operational continuity.
- Domain registrations not expiring within 6 months
- Auto-renewal enabled on all domains
- Registrar transfer locks enabled
- Registrar account secured with MFA
- Domain portfolio documented and regularly audited
Continuous Monitoring and Testing
Ongoing assessment to meet DORA's continuous testing requirements.
- Automated external scans scheduled weekly for production domains
- Scan results reviewed within defined SLA
- Critical findings remediated within 48 hours
- High findings remediated within 1 week
- Medium findings remediated within 1 month
- Score trends tracked and reported to management
- Baseline comparisons used to detect regression
- Post-change scans verify security impact of infrastructure changes
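The baseline comparison and remediation SLAs above are easiest to audit when they are computed, not eyeballed. The following is an added example, not CyberShield code: it takes two scan exports, splits findings into new, persisting and resolved, and applies the 48-hour, 1-week and 1-month windows from the checklist. The finding format (host, check, severity, first_seen) and the two sample scans are assumptions constructed for the example; map your scanner's export onto them. One detail matters for evidence: a persisting finding keeps the baseline's first_seen, so a fresh scan never resets the SLA clock.

```python
"""Compare two external scan results and apply the checklist's remediation SLAs.

Added example, not CyberShield code. The finding schema and the BASELINE and
CURRENT scans are constructed assumptions for illustration.
"""
from datetime import datetime, timedelta

# Remediation windows from the checklist; 'low' is tracked but has no deadline.
SLA = {"critical": timedelta(hours=48), "high": timedelta(days=7), "medium": timedelta(days=30)}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def key(finding):
    """A finding is the same finding across scans when host and check match."""
    return (finding["host"], finding["check"])


def compare_scans(baseline, current):
    """Split current findings into new, persisting and resolved relative to baseline.

    Persisting findings keep the baseline's first_seen so the SLA clock is not
    reset by every scan.
    """
    b = {key(f): f for f in baseline}
    c = {key(f): f for f in current}
    new = sorted((c[k] for k in c.keys() - b.keys()), key=key)
    resolved = sorted((b[k] for k in b.keys() - c.keys()), key=key)
    persisting = sorted(({**c[k], "first_seen": b[k]["first_seen"]} for k in c.keys() & b.keys()), key=key)
    return {"new": new, "resolved": resolved, "persisting": persisting}


def sla_status(finding, now):
    """Return ('within_sla' | 'overdue' | 'untracked', due datetime or None)."""
    window = SLA.get(finding["severity"])
    if window is None:
        return "untracked", None
    due = datetime.fromisoformat(finding["first_seen"]) + window
    return ("overdue" if now > due else "within_sla"), due


def sla_report(baseline, current, now):
    """Open findings (new + persisting) with their SLA state, overdue and most severe first."""
    diff = compare_scans(baseline, current)
    rows = []
    for f in diff["new"] + diff["persisting"]:
        status, due = sla_status(f, now)
        rows.append({"key": key(f), "severity": f["severity"], "status": status, "due": due})
    rows.sort(key=lambda r: (r["status"] != "overdue", SEVERITY_ORDER.get(r["severity"], 9), r["key"]))
    return rows


# Constructed sample scans, one week apart (ISO 8601 timestamps, UTC).
BASELINE = [
    {"host": "www.example.test", "check": "tls.legacy-protocol-enabled", "severity": "high",
     "first_seen": "2025-02-20T00:00:00+00:00"},
    {"host": "mail.example.test", "check": "dmarc.policy-none", "severity": "medium",
     "first_seen": "2025-02-20T00:00:00+00:00"},
    {"host": "db.example.test", "check": "port.3306-open", "severity": "critical",
     "first_seen": "2025-02-28T00:00:00+00:00"},
]
CURRENT = [
    {"host": "www.example.test", "check": "tls.legacy-protocol-enabled", "severity": "high",
     "first_seen": "2025-03-08T00:00:00+00:00"},
    {"host": "mail.example.test", "check": "dmarc.policy-none", "severity": "medium",
     "first_seen": "2025-03-08T00:00:00+00:00"},
    {"host": "vpn.example.test", "check": "port.3389-open", "severity": "critical",
     "first_seen": "2025-03-08T00:00:00+00:00"},
]
NOW = datetime.fromisoformat("2025-03-08T12:00:00+00:00")

if __name__ == "__main__":
    diff = compare_scans(BASELINE, CURRENT)
    print("resolved:", [key(f) for f in diff["resolved"]])
    for row in sla_report(BASELINE, CURRENT, NOW):
        print(row["status"], row["severity"], row["key"], "due", row["due"])
```

Run against the samples, the report puts the legacy-TLS finding first: it was first seen on 20 February, its 1-week window closed on 27 February, and it is still present a week later, which is the regression a management trend report should surface. The newly exposed RDP port is critical but still inside its 48-hour window, and the closed database port appears only under resolved.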
Third-Party ICT Provider Assessment
Managing vendor risk through objective external assessment.
- All critical ICT third-party providers' domains scanned
- Vendor security posture scores documented
- Minimum acceptable score thresholds defined by vendor tier
- Vendor scores tracked over time for trend analysis
- Vendor findings communicated with remediation expectations
- Vendor assessment integrated into contract management
DORA-Specific Considerations for Financial Entities
Proportionality
DORA applies the proportionality principle -- requirements scale with the entity's size, risk profile, and the nature of its services. Article 16 lets certain small entities (for example small and non-interconnected investment firms and exempted payment and e-money institutions) operate a simplified ICT risk management framework, and microenterprises are exempt from several specific obligations such as threat-led penetration testing. However, external security controls like TLS, email authentication, and network exposure management are fundamental regardless of size.
Significant Entities
Financial entities that their competent authority identifies for threat-led penetration testing (TLPT), based on impact-related factors, financial stability concerns, and ICT risk profile (Article 26(8)), must carry out a TLPT at least every three years; microenterprises and entities under the simplified framework are excluded. External assessment provides the continuous baseline between TLPT engagements and helps define the attack surface the test should cover.
Critical ICT Third-Party Providers
DORA establishes a direct oversight framework for critical ICT third-party providers, with European Supervisory Authorities (ESAs) conducting assessments. If your organization is designated as a critical ICT provider to financial entities, maintaining strong external security posture is essential for passing regulatory assessments.
Using CyberShield for DORA Compliance
CyberShield provides structured evidence for DORA compliance across multiple requirement areas:
ICT risk management evidence: Scan reports quantify external ICT risk through scores, category breakdowns, and severity distributions, which can be exported as compliance-ready PDF reports. Trend data demonstrates ongoing risk management.
Resilience testing evidence: Regular external scans constitute continuous vulnerability and network security assessment. Scan history provides the audit trail that DORA's testing requirements demand.
Third-party risk evidence: Vendor domain scans, score tracking, and finding documentation satisfy the ongoing monitoring component of ICT third-party risk management.
Incident support: Pre-incident baseline data, historical scan records, and post-incident verification scans support the incident reporting process.
Compliance mapping: CyberShield maps findings to NIST 800-53, ISO 27001, PCI-DSS, and CIS Controls. While DORA does not reference these frameworks directly, alignment with internationally recognized standards strengthens the entity's compliance position.
Financial entities should integrate CyberShield scanning into their ICT risk management framework as a continuous external assessment tool, complementing internal controls, penetration testing, and governance processes to build the comprehensive digital operational resilience that DORA requires.