DORA + SBOM Primer: Software Supply Chain Security in Regulated Industries

At Anchore, we frequently discuss the steady drum beat of regulatory bodies mandating SBOMs (Software Bills of Materials) as the central element of modern software supply chain security. The Digital Operational Resilience Act (DORA) is the most recent framework responding to the accelerating growth of software supply chain attacks—by requiring, in all but name, the kind of structured software inventory that SBOMs provide.

In this post, we provide an educational overview of DORA, explain its software supply chain implications, and outline how SBOMs factor into DORA compliance. We’ll also share how to achieve compliance—and how Anchore Enterprise can serve as your DORA compliance “easy button.”

What is DORA?

The Digital Operational Resilience Act (DORA)—formally Regulation (EU) 2022/2554—is an EU regulatory framework designed to ensure the digital operational resilience of financial entities. Key points include:

Effective Date: January 17, 2025

• TL;DR: It is already being enforced.

Scope: Applies to a wide range of EU financial entities, including:

• Banks
• Payment service providers
• Investment firms
• Crypto-asset service providers, and more

Core Topics

• Proactive Risk Management: For both 1st- and 3rd-party software.
• Incident Response and Recovery: Mandating robust strategies to handle ICT (Information and Communication Technology) disruptions.
• Resilience Testing: Regular, thorough testing of incident response and risk management systems.
• Industry Threat Information Sharing: Collaboration across the sector to share threat intelligence.
• 3rd-party Software Supplier Oversight: Continuous monitoring of 3rd-party software supply chain.

DORA is organized into a high-level cybersecurity and risk management framework document and a separate technical control document—referred to as the “Regulatory Standards Technical Document”—that outlines in detail how to achieve compliance. If you’re familiar with NIST’s RMF (NIST 800-37) and its “Control Catalog” (NIST 800-53) DORA follows this pattern.

What challenge does DORA solve?

In part driven by a 2020 study that highlighted “systemic cyber risk” due to the “high level of interconnectedness” among the technologies used by financial organizations, DORA aims to mitigate the risk that a vulnerability in one component could lead to widespread sector disruption. Two critical factors underline this need:

• The Structure of Modern Software Development: With extensive 3rd-party and open source dependencies, any gap in security can have cascading consequences.
• The Rise of Software Supply Chain Attacks: Now that open source software “constitutes 70-90% of any given piece of modern software” threat actors have embraced this attack vector. Software supply chain attacks have not only become a primary cybersecurity target but are seeing accelerating growth.

DORA is designed to fortify the financial sector’s digital resilience by addressing vulnerabilities in modern software development and countering the rapid rise of software supply chain attacks.

What are the consequences of DORA non-compliance?

Compliance is not optional. The European Supervisory Authorities (ESAs) have been given broad powers to:

• Access Documents and Data: Assessing an organization’s compliance status through comprehensive audits.
• Conduct On-Site Investigations: Ensuring that all software supply chain controls are in place and functioning.
• Enforce Steep Penalties: For instance, DORA Article 35 notes that critical ICT third-party service providers could face fines of up to “1% of the average daily worldwide turnover… in the preceding business year.”

For financial entities—and their technology suppliers—the cost of non-compliance is too high to ignore.

Does DORA Require an SBOM?

DORA does not explicitly mention “SBOMs” by name. Instead, it mandates organizations track “third-party libraries, including open-source libraries”. SBOMs are the industry standard method for achieving this result in an automated and scalable manner. 

Specifically, financial entities are required to track:

• Third-Party Libraries: Including open-source libraries used by ICT services that support critical or important functions.
• In-House or Custom Software: ICT services developed internally or specifically customized by an ICT third-party service provider.

These “general” requirements without specifically naming a specific technology (like an SBOM) is a common pattern for other global regulatory compliance frameworks (e.g., SSDF).

Another reason to adopt SBOMs for DORA compliance is that the EU Cyber Resilience Act (CRA) compliance specifically names SBOMs as a required compliance artifact. SBOMs knock out two birds with one stone.

DORA and Software Supply Chain Security 

DORA Regulation 56 underscores the necessity of open source analysis (or Software Composition Analysis, SCA) as a fundamental component for achieving operational resilience. SCA’s are software supply chain security tools that are typically tightly coupled with SBOM generators.

Standalone SCA’s and SBOM generation are fantastic tools to create simple point-in-time inventories for generating the necessary compliance artifacts to pass an initial audit. Unfortunately, DORA demands that financial entities continuously monitor their software supply chain:

• Ongoing Monitoring: Article 10 of DORA requires that financial entities, in collaboration with their ICT third-party service providers, not only maintain an inventory but also track version updates and monitor third-party libraries on an ongoing basis.
• Continuous Software Supply Chain Risk Management: It’s not enough to have an SBOM at one moment in time; you must continuously scan and update the inventory to ensure that vulnerabilities are promptly identified and remediated.

This level of supply chain security requires organizations to directly integrate SBOM generation into their DevSecOps pipeline and utilize an SBOM management platform.

How to Fulfill DORA’s Software Supply Chain Requirements

1. Software Composition Analysis (SCA) and SBOM Generation

• Automate SBOM Creation: Integrate SBOM generation into your CI/CD pipelines to ensure that every release is accompanied by an up-to-date, machine-readable software inventory.
• Adopt Standard Formats: Use accepted SBOM standards (e.g., CycloneDX or SPDX) to maintain interoperability and ease of analysis.

2. Ingest SBOMs from Third-Party Suppliers

• Collaborative Supply Chain Management: Ensure that you receive and maintain SBOM data from all your third-party suppliers to achieve full visibility into the software components you rely on.

3. Continuous Monitoring in Production

• Regular Scanning: Implement continuous monitoring to detect any unexpected changes or vulnerabilities in production environments.
• Key Features to Look For:
  • Alerts for unexpected software components
  • A centralized repository to store and manage SBOMs
  • Revision history tracking to monitor changes over time

DORA Compliance Easy Button: Anchore Enterprise

Anchore Enterprise is engineered to satisfy all of DORA’s software supply chain requirements, acting as your DORA compliance easy button. Here’s how Anchore Enterprise can help:

Automated Software Supply Chain Risk Management

• End-to-End SBOM Lifecycle Management (Anchore SBOM): Automatically generate and update SBOMs throughout your software development lifecycle.
• Programmatic Vulnerability Scanning & Risk Assessment (Anchore Secure): Continuously scan software components and assess risk based on real-time data.
• Policy-as-Code Enforcement (Anchore Enforce): Automate risk management policies to ensure adherence to DORA’s requirements.

Software Supply Chain Incident Response Automation

• Continuous SCA and SBOM Generation (Anchore SBOM): Keep an updated view of your production software environment.
• Surgical Zero-Day Vulnerability Identification (Anchore Secure): Quickly identify and remediate vulnerabilities, reducing the potential blast radius of an attack.

Google resolved the XZ Utils zero-day incident in less than 10 minutes by utilizing SBOMs and an SBOM management platform. Anchore Enterprise can help your organization achieve similar results >> SBOM management solutions.

Continuous Compliance Monitoring

• Real-Time Dashboards (Anchore Enforce): Monitor compliance status with customizable, real-time dashboards.
• Automated Compliance Reports (Anchore Enforce): Generate and share compliance reports with stakeholders effortlessly.
• Policy-as-Code Compliance Automation (Anchore Enforce): Enforce compliance at every stage of the software development lifecycle.

If you’re interested in trying any of these features for yourself, Anchore Enterprise offers a 15-day free trial or reach out to our team for a demo of the platform.

Wrap-Up

DORA is redefining software supply chain security in the financial sector by demanding transparency, proactive risk management, and continuous monitoring of 3rd-party suppliers. For technology providers, this shift represents both a challenge and an opportunity: by embracing SBOMs and comprehensive supply chain security practices, you not only help your customers achieve regulatory compliance but also strengthen your own security posture.

At Anchore, we’re committed to helping you navigate this evolving landscape with solutions designed for the modern world of software supply chain security. Ready to meet DORA head-on? Contact us today or visit our blog for more insights and resources.