.jpg)
The European Union’s Digital Operational Resilience Act (DORA) is intended to harmonize information and communication technology (ICT) risk management across all 27 member states. To shore up the digital operational resilience of the European financial sector, the regulation establishes rigorous cybersecurity and digital risk management standards that all financial institutions and their service providers must meet.
Enforcement began on January 17, 2025, but even now, more than a year later, many financial institutions are struggling to achieve DORA compliance. Industry surveys show that nearly half of European financial firms were not compliant in early 2026, and Gartner predicts that 40% will not have met all of DORA’s requirements when audits and follow-up inspections begin later this year. These organizations face the risk of regulatory penalties as well as significant remediation costs.
Why Achieving DORA Compliance Is Tough
DORA compliance has proven challenging for reasons that are both technical and cultural. Meeting the requirements demands continuous, cross-functional collaboration across cybersecurity, legal, compliance, enterprise risk management, procurement and IT teams. Organizations in which cybersecurity leaders are held solely accountable for achieving DORA compliance often struggle to engage stakeholders across the business. Those where DORA initiatives have executive sponsorship and board-level oversight tend to be better positioned for success.
From a technical perspective, many financial sector organizations lack ongoing, comprehensive visibility across all assets, systems and applications. Legacy tools and manual processes simply cannot deliver the capabilities DORA demands.
DORA explicitly requires organizations to maintain an up-to-date Register of Information (RoI) that documents their assets, maps the dependencies between them and includes evidence that appropriate controls are in place. Spreadsheets, traditional Governance, Risk, and Compliance (GRC) platforms, and configuration management databases (CMDBs) can neither populate the RoI with live data nor validate the accuracy of the information they contain.
Manual Processes Don’t Cut It
The manual processes that financial firms traditionally used to prepare for audits—for example, recording controls and configurations in spreadsheets—are wholly inadequate for DORA compliance. Whether they’re performed monthly, quarterly or annually, these checks and attestations provide only static snapshots of the organization’s compliance posture, not defensible evidence that controls remain in place continuously.
In a world of ephemeral infrastructure, manual workflows cannot keep pace with constantly changing asset ecosystems and dynamic configurations.
GRC Platforms Fall Short
Traditional GRC platforms excel at housing compliance-related documentation. They serve as repositories of policies and requirements, control inventories, audit findings, self-assessments, questionnaires and remediation task trackers. GRC tools can tell you exactly what you should be doing to achieve DORA compliance.
But most GRC platforms cannot pull live, telemetry-based evidence from IT and security systems. They typically rely on data imported from other tools—usually the CMDB—or from spreadsheets, rather than deriving the current state of controls directly from the network, endpoints, cloud platforms, security tools and other operational systems. This means GRC tools can’t tell you what you are doing—right now—to meet DORA’s requirements.
CMDBs Leave Gaps
Many risk and compliance teams turn to their CMDB when populating their RoI for DORA. However, CMDBs are notoriously inaccurate. They are often incomplete, and while they may store DORA-relevant information such as asset records, relationship maps and control inventories, they can’t independently validate that information against the current state of the environment. Given how quickly today’s infrastructures change, this is a recipe for stale and unreliable data.
Most CMDBs were implemented to support IT service management (ITSM) workflows. Typically integrated with ticketing systems, they primarily hold information about the hardware, software, and services that IT operations teams are responsible for fixing. They are less likely to cover cloud-native resources, SaaS apps, code repositories or user and machine identities.
Although CMDBs do model the relationships between assets, these models are usually coarse-grained, because they were designed to support ITSM workflows, not deliver a complete picture of risk informed by business and security context.
How JupiterOne maps to DORA’s five pillars
DORA is not a single compliance challenge. It’s five distinct pillars and the technical demands of each are different. Here is where JupiterOne fits.
Data Silos Get in the Way
Even more problematic for DORA compliance is the broader operating model built around fragmented toolsets. Data silos are intrinsic to this model. While GRC tools hold policies and risk assessment results, the CMDB lists (some) assets, and the security information and event management (SIEM) platform contains logs, there’s no real-time connectivity between these systems.
DORA requires ongoing visibility into end-to-end dependencies and transitive risk across internal systems and those of multiple ICT providers.
Understanding Your Entire Environment Enables Real-World Resilience
The JupiterOne platform was built to deliver deep insights into how cyber assets relate to one another—and how those relationships create and propagate risk. Its foundation is a cyber asset graph: a live model showing how assets, identities, code, cloud resources, and controls are interconnected.
The platform ingests data from everywhere in the digital environment and maps the relationships between all entities. This relationship context makes it possible to ask extremely complex questions about your environment and get answers within seconds. One of those questions is, “Are we compliant and secure?”
DORA’s intent is to ensure that if a system fails, the financial institution that depends on it can keep operating. A list-based, check-the-box approach to compliance treats every asset as equally important, but DORA requires something far more sophisticated—a context-rich understanding of each asset’s impact on business continuity.
To achieve DORA compliance, you need something more than an accurate asset inventory (though even this is difficult to build with legacy tools): you need ongoing visibility into your risk posture, and you need evidence to prove you have it. This is exactly what the JupiterOne platform delivers.
Learn more about how JupiterOne helps leading European financial organizations achieve DORA compliance. Download our new eBook today.
