The Digital Operational Resilience Act (DORA) is a set of regulations that the European Union (EU) adopted to help ensure the digital operational resilience of financial institutions and service providers.
DORA applies to a wide range of regulated financial services providers within the EU, such as banks, credit institutions, payment institutions, investment firms, and asset management companies. It also covers entities like crypto-asset services providers, trading venues, and credit rating agencies.
The key requirements for DORA fall under five pillars: information and communication technology (ICT) risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing.
To learn more about how MongoDB can support you with DORA compliance, see the EU Digital Operational Resilience Act (DORA) page in the MongoDB Trust Center.
Pillar 1: ICT Risk Management
DORA requires regulated companies to establish a framework to identify, assess, and mitigate ICT risks. This framework includes conducting regular risk assessments, implementing controls to address identified risks, and having a plan for incident response.
The following MongoDB Atlas features support compliance in this area.
High availability including database replication and automatic failover.
Backups including cloud backups, continuous cloud backups, multi-region snapshot distribution, and a backup compliance policy.
Disaster recovery including recovery point objectives, and recovery time objectives.
Features to support compliance with external standards including ISO/IEC 27001, SOC2 Type II, and PCI DSS.
Network security including TLS/ SSL encryption, IP access lists, firewall configuration, and private endpoints.
Authentication including UI, database, API, federated, AWS IAM role, multi-factor, and SCRAM password authentication. This feature and guidance also includes X.509 certificates, API keys, and secrets management.
Authorization including Role Based Access Control (RBAC), pre-defined roles, federated identity providers, and just-in-time access.
Auditing including database auditing, creating and enabling audit filters, and recommended audit events.
Logging including accessing audit logs manually and programmatically.
Data encryption including encryption in transit (TLS), at rest (AES-256, BYOK, CMK, KMS, or TDE), and in use (CSFLE, random, and queryable encryption).
Pillar 2: ICT-Related Incident Management
DORA requires regulated companies to have processes in place to detect, report, and investigate ICT-related incidents. These processes include having clear reporting channels, procedures for classifying incidents based on severity, and timely notification to relevant authorities.
MongoDB Atlas supports the following aspects of this pillar:
Data localization.
Platform security.
Distributed architecture.
Your chosen cloud provider(s) supports the following aspect of this pillar:
Physical security.
Pillar 3: Digital Operational Resilience Testing
DORA requires regulated companies to conduct regular testing of their ICT systems and resilience measures.
The following MongoDB Atlas features support compliance in this area:
Pillar 4: ICT Third-Party Risk Management
DORA-regulated companies need to conduct due diligence on third parties, have contractual agreements outlining security expectations, and monitor their performance.
The following MongoDB Atlas features support compliance in this area:
Sync data across cluster environments:
Mongosync (cluster-to-cluster sync).
MongoDB Cloud Status page.
Pillar 5: Information Sharing
DORA encourages collaboration and information sharing on cyber threats among regulated companies. This can involve participating in industry forums, sharing threat intelligence, and conducting joint exercises.
The following MongoDB Atlas features support compliance in this area: