DORA on Azure
Azure DORA audit-readiness, with continuous evidence instead of recurring consultancy
DORA is, by design, a continuous regime: ongoing ICT risk management, mandatory resilience testing, and a third-party register that has to stay current. Governator handles the Azure side as managed tooling, not as a yearly consulting cycle.
What DORA actually requires from your Azure environment
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) became applicable on 17 January 2025 for financial entities operating in the EU: banks, insurers, investment firms, payment institutions, crypto-asset service providers, and many more. Unlike NIS2, which is broad-spectrum, DORA is sector-specific and explicitly prescriptive. It sets out four pillars that every in-scope entity has to demonstrate, plus a fifth area on information sharing.
On Microsoft Azure, the underlying capabilities exist: Defender for Cloud, Sentinel, Azure Backup, Site Recovery, Lighthouse, the cost and activity logs. What does not exist out of the box is the evidence layer that demonstrates, in regulator-readable form, that the four DORA pillars are operating continuously and that the third-party register is current.
Governator collects the Azure evidence, maps each finding to the DORA article it relates to, maintains the register of ICT third parties (including the service-principal-to-supplier mapping that most teams skip), and produces the resilience-testing trail on demand.
The four pillars on Azure
Each pillar maps to a specific Azure evidence model. The table below shows what Governator collects continuously to support a DORA audit.
| Pillar | Requirement | Azure evidence Governator collects |
|---|---|---|
| ICT risk management framework | A documented, board-approved framework that maps controls to identified risks, with periodic review and demonstrable maintenance. | Defender for Cloud regulatory dashboard, Azure Policy compliance state, exemption register with reviews, secure score trend. |
| ICT-related incident management & reporting | Classification, reporting, and post-incident analysis of major ICT incidents within the regulator-defined timelines. | Sentinel incidents with timeline metadata, Defender alert workflow evidence, runbook attestations, post-incident report register. |
| Digital operational resilience testing | Annual scenario-based testing for in-scope entities, plus Threat-Led Penetration Testing (TLPT) every three years for significant entities. | Test plan attestations, scenario-coverage matrix, evidence of corrective actions, dated retest results. |
| ICT third-party risk management | A maintained register of all ICT third-party arrangements, with criticality assessment, contractual coverage, and exit strategies for critical providers. | Service principal inventory mapped to third-party providers, RBAC scope per provider, Lighthouse delegation register, contract metadata. |
Why continuous assurance fits DORA better than annual consultancy
DORA was written, in regulatory text, as an ongoing regime. The third-party register cannot be twelve months stale. Resilience testing is a recurring obligation, not a project. Incident reporting is triggered by events, not by the audit calendar. A model where you commission a readiness assessment every twelve months, get a fresh PDF, and resume drift in between is structurally a poor fit for the regulation.
Governator's continuous-assurance mode is built for this shape. The third-party register stays current because service-principal and Lighthouse-delegation inventory runs on a schedule. The resilience-testing trail accumulates between formal tests instead of being reconstructed at year-end. Incident timeline data is captured as it happens, ready for the regulator-defined reporting clock. Most importantly, the recurring spend goes into the toolchain that produces evidence on demand, not into commissioning the same readiness deliverable every year.
- ✓ Third-party register reconciled against your live service-principal and Lighthouse-delegation inventory.
- ✓ Resilience-testing trail with dated attestations and corrective-action evidence kept up to date between TLPT cycles.
- ✓ Incident timeline metadata captured from Sentinel and Defender for the regulator-defined classification windows.
- ✓ Recurring budget shifts from annual external readiness engagements into managed tooling that produces fresh evidence on demand.
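The register reconciliation described above, as an added example that is not Governator's code: a constructed service-principal inventory and Lighthouse delegation list are checked against a constructed third-party register, and each gap DORA's register must not carry (live access with no supplier, register entries that no longer exist in Azure, critical providers with no exit strategy, overdue reviews) is reported as a finding. All names, ids, dates and the 365-day review cadence are assumptions.

```python
"""Reconcile a DORA ICT third-party register against live Azure access.
Added example, not Governator's code. Every input below is constructed and the
supplier names, app ids and tenant ids are invented; in practice the inventories
would come from a service-principal export and the Lighthouse delegation list."""
from datetime import date

AUDIT_DATE = date(2025, 9, 1)  # constructed "today" for the reconciliation run
REVIEW_MAX_AGE_DAYS = 365      # assumed review cadence for register entries

# Constructed service-principal inventory: identity, role assignment, scope
SERVICE_PRINCIPALS = [
    {"id": "sp-0001", "name": "msp-monitoring-agent", "role": "Reader", "scope": "/subscriptions/prod"},
    {"id": "sp-0002", "name": "payments-ci-deployer", "role": "Contributor", "scope": "/subscriptions/prod/rg-pay"},
    {"id": "sp-0003", "name": "backup-vendor-agent", "role": "Owner", "scope": "/subscriptions/prod"},
]
# Constructed Lighthouse delegations: managing tenant, delegated role, scope
LIGHTHOUSE_DELEGATIONS = [
    {"id": "tenant-msp-a", "name": "lighthouse", "role": "Contributor", "scope": "/subscriptions/prod"},
    {"id": "tenant-soc-b", "name": "lighthouse", "role": "Security Reader", "scope": "/subscriptions/prod"},
]
# Constructed register: supplier -> identities it may use, criticality, exit strategy, last review
REGISTER = {
    "MSP A": {"ids": {"sp-0001", "tenant-msp-a"}, "critical": True, "exit_strategy": True, "last_review": date(2025, 1, 10)},
    "SOC B": {"ids": set(), "critical": True, "exit_strategy": False, "last_review": date(2025, 6, 1)},
    "Old Backup Ltd": {"ids": {"sp-0003", "sp-0009"}, "critical": False, "exit_strategy": False, "last_review": date(2023, 11, 2)},
}

def reconcile(sps, delegations, register, today=AUDIT_DATE):
    """Return (kind, subject, detail) findings: live access with no supplier entry, register
    identities gone from Azure, critical providers without an exit strategy, overdue reviews."""
    live = {e["id"]: e for e in sps + delegations}
    owner = {i: name for name, entry in register.items() for i in entry["ids"]}
    findings = []
    for ident, e in live.items():
        if ident not in owner:
            findings.append(("unmapped_access", ident, f'{e["name"]} holds {e["role"]} on {e["scope"]} with no register entry'))
    for name, entry in register.items():
        for i in entry["ids"]:
            if i not in live:
                findings.append(("stale_register", name, f"{i} is in the register but no longer exists in Azure"))
        if entry["critical"] and not entry["exit_strategy"]:
            findings.append(("no_exit_strategy", name, "critical provider without a documented exit strategy"))
        age = (today - entry["last_review"]).days
        if age > REVIEW_MAX_AGE_DAYS:
            findings.append(("review_overdue", name, f"last reviewed {age} days ago"))
    return findings

if __name__ == "__main__":
    for kind, subject, detail in reconcile(SERVICE_PRINCIPALS, LIGHTHOUSE_DELEGATIONS, REGISTER):
        print(f"{kind:16} {subject:15} {detail}")
```

Run on a schedule, the output of a run like this is the evidence trail that the register was reconciled on a given date, which is what the "cannot be twelve months stale" point above needs.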
What Microsoft gives you, and what Microsoft does not
Microsoft gives you
- ✓ Defender for Cloud and Secure Score for ICT risk identification
- ✓ Sentinel for incident detection and timeline data
- ✓ Azure Backup, Site Recovery, and zone/region redundancy primitives
- ✓ Activity Log and audit trail for resource-level changes
- ✓ Lighthouse delegation telemetry for cross-tenant access
Microsoft does not give you
- ✓ Per-finding mapping to DORA articles (5–14, 17–23, 24–27, 28–44)
- ✓ A maintained ICT third-party register tied to actual Azure access
- ✓ Resilience-testing register with dated attestations and corrective actions
- ✓ Incident classification metadata aligned to DORA reporting timelines
- ✓ Pre-audit export with executive summary and article-level evidence matrix
- ✓ Continuous-assurance dashboard that demonstrates ongoing operation, not a snapshot
Defender's regulatory dashboard now includes a DORA initiative, which is a useful starting point for the Articles 5–14 controls. It does not maintain the third-party register, the resilience-testing trail, or the incident-classification metadata that DORA expects. Those are the operating-model layers Governator adds.
Where to start
Most financial entities running Azure workloads start with a DORA readiness assessment that uses Governator to baseline the four pillars: ICT risk-management evidence, incident-reporting alignment, resilience-testing trail, and the third-party register. The assessment produces a scoped remediation roadmap and a regulator-ready evidence pack at a point in time. From there, continuous assurance keeps the register current, the testing trail dated, and the audit pack regenerable on demand.
Start with a Governator-powered Azure Health Check
Not sure where to begin? A quick architecture review gives you a clear picture. No obligation.
- ✓ Risk scorecard across identity, network, governance, and security
- ✓ Top 10 issues ranked by impact and effort
- ✓ 30-60-90 day roadmap with quick wins