At Anchore, we frequently discuss the steady drum beat of regulatory bodies mandating SBOMs (Software Bills of Materials) as the central element of modern software supply chain security. The Digital Operational Resilience Act (DORA) is the most recent framework responding to the accelerating growth of software supply chain attacks—by requiring, in all but name, the kind of structured software inventory that SBOMs provide.
In this post, we provide an educational overview of DORA, explain its software supply chain implications, and outline how SBOMs factor into DORA compliance. We’ll also share how to achieve compliance—and how Anchore Enterprise can serve as your DORA compliance “easy button.”
The Digital Operational Resilience Act (DORA)—formally Regulation (EU) 2022/2554—is an EU regulatory framework designed to ensure the digital operational resilience of financial entities. Key points include:
Effective Date: January 17, 2025
Scope: Applies to a wide range of EU financial entities, including:
DORA is organized into a high-level cybersecurity and risk management framework (the Regulation itself) and a set of separate technical control documents, the Regulatory Technical Standards (RTS), that spell out in detail how to achieve compliance. If you're familiar with NIST's RMF (NIST SP 800-37) and its control catalog (NIST SP 800-53), DORA follows the same pattern.
In part driven by a 2020 study that highlighted “systemic cyber risk” due to the “high level of interconnectedness” among the technologies used by financial organizations, DORA aims to mitigate the risk that a vulnerability in one component could lead to widespread sector disruption. Two critical factors underline this need:
DORA is designed to fortify the financial sector’s digital resilience by addressing vulnerabilities in modern software development and countering the rapid rise of software supply chain attacks.
Compliance is not optional. The European Supervisory Authorities (ESAs) have been given broad powers to:
For financial entities—and their technology suppliers—the cost of non-compliance is too high to ignore.
DORA does not mention "SBOMs" by name. Instead, it mandates that organizations track "third-party libraries, including open-source libraries". SBOMs are the industry-standard method for producing that inventory in an automated, scalable way.
Specifically, financial entities are required to track:
Stating a "general" requirement without naming a specific technology (such as an SBOM) is a common pattern across compliance frameworks (e.g., NIST's SSDF).
Another reason to adopt SBOMs for DORA compliance is that the EU Cyber Resilience Act (CRA) explicitly names SBOMs as a required compliance artifact. A single SBOM practice therefore serves both regulations.
DORA Regulation 56 underscores the necessity of open source analysis (Software Composition Analysis, SCA) as a fundamental component of operational resilience. SCA tools are software supply chain security tools that are typically tightly coupled with SBOM generators.
Standalone SCA tools and SBOM generators are fine for creating simple point-in-time inventories, which is enough to produce the compliance artifacts for an initial audit. Unfortunately, DORA demands that financial entities continuously monitor their software supply chain:
This level of supply chain security requires organizations to integrate SBOM generation directly into their DevSecOps pipeline and to keep the resulting SBOMs in an SBOM management platform, so that every build is inventoried and the inventory can be queried whenever a new advisory appears.
Anchore Enterprise is engineered to satisfy all of DORA’s software supply chain requirements, acting as your DORA compliance easy button. Here’s how Anchore Enterprise can help:
Google triaged its exposure to the XZ Utils backdoor in less than 10 minutes by querying the SBOMs it already held in an SBOM management platform. Anchore Enterprise can help your organization achieve similar results; see SBOM management solutions.
If you’re interested in trying any of these features for yourself, Anchore Enterprise offers a 15-day free trial or reach out to our team for a demo of the platform.
DORA is redefining software supply chain security in the financial sector by demanding transparency, proactive risk management, and continuous monitoring of third-party suppliers. For technology providers, this shift is both a challenge and an opportunity: by adopting SBOMs and comprehensive supply chain security practices, you not only help your customers achieve regulatory compliance but also strengthen your own security posture.
At Anchore, we’re committed to helping you navigate this evolving landscape with solutions designed for the modern world of software supply chain security. Ready to meet DORA head-on? Contact us today or visit our blog for more insights and resources.