With the Digital Operational Resilience Act (DORA) now in effect across the European Union as of January 17, 2025, financial institutions face unprecedented cybersecurity and operational resilience requirements.

Achieving DORA compliance demands a comprehensive security strategy. The regulation is technology-neutral and names no products, but three technical components carry a large share of its requirements:

  • Robust secrets management
  • Hardened container images with minimal vulnerabilities
  • Unified cloud-native application protection platforms (CNAPPs)

These technologies work together to meet DORA’s ICT risk management (Article 6), asset identification (Article 8), and third-party oversight (Articles 28 to 30) mandates.

In my current role, I often work with financial institutions, and DORA has become the magic keyword to secure budgets, close sales, and successfully deliver projects.

If you work outside the financial sector, that is no reason to ignore this. Treat it as a chance to change how you work by implementing the right tools and raising your organization’s security baseline.

In this post, I won’t cover vendor-specific solutions, but I will explain the core concepts behind them. Regardless of DORA compliance requirements, if you haven’t implemented these solutions yet, now is the time to consider doing so.

Secrets Management

Let’s start with a brief definition: a secrets manager securely stores and manages sensitive data such as passwords, API keys, and certificates used by applications. It enables dynamic retrieval of secrets at runtime, avoiding hard-coded credentials, and provides encryption, access control, and automated secret rotation to enhance security. Secrets managers typically integrate with cloud-native environments to safeguard secrets across distributed systems.

The need for proper secrets management is clear: cyberattacks, bugs, and misconfigurations can affect any organization, not just financial institutions. Protecting secrets effectively is a fundamental security practice all organizations must take seriously.

There are practical reasons why passwords should never be widely known inside an organization and why automated rotation matters. A credential that no person has ever seen cannot be reused from a chat message or a leaked ticket, and one that changes on a schedule is only useful to an attacker until the next rotation. Rotation has to be designed for, though: the application must fetch the secret at runtime rather than at build or deploy time, and the rotation should keep the previous version valid for a short overlap so that in-flight connections do not fail at the moment of change.
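To make that concrete, here is an added example (not code from the original post) of a rotation-aware consumer. SecretStore is a constructed stand-in for whichever secrets manager you pick; the secret name db/orders/password, the principal orders-api and the 300-second overlap are assumptions for the walkthrough. What it shows is the contract that makes rotation safe: versioned secrets, an overlap window in which the previous version still authenticates, an audit record per read, and a client that fetches at runtime and refreshes once on a rejected login rather than carrying a credential in code or in an image.

```python
"""Rotation-aware secret retrieval. Added example, not code from the original post.

SecretStore is a constructed stand-in for a real secrets manager. It models the
contract that makes automated rotation safe: versioned secrets, an overlap window
in which the previous version still authenticates, an audit record per read, and
a consumer that fetches at runtime and refreshes on a rejected login.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class SecretVersion:
    value: str
    version: int
    created_at: float
    retired_at: Optional[float] = None  # None while this version is the current one


class SecretStore:
    """Constructed stand-in for a secrets-manager backend (not a real client library)."""

    def __init__(self, overlap_seconds: float = 300.0, clock: Callable[[], float] = time.time):
        self._versions: Dict[str, List[SecretVersion]] = {}
        self._audit: List[Tuple[float, str, str, int]] = []  # (when, principal, secret, version)
        self._overlap, self._clock = overlap_seconds, clock

    def create(self, name: str) -> SecretVersion:
        # Generated server-side, so no person ever needs to see the value.
        v = SecretVersion(secrets.token_urlsafe(32), 1, self._clock())
        self._versions[name] = [v]
        return v

    def rotate(self, name: str) -> SecretVersion:
        """Issue a new version; the old one stays valid until the overlap window closes."""
        versions, now = self._versions[name], self._clock()
        for old in versions:
            if old.retired_at is None:
                old.retired_at = now + self._overlap
        new = SecretVersion(secrets.token_urlsafe(32), versions[-1].version + 1, now)
        versions.append(new)
        return new

    def current(self, name: str, principal: str) -> SecretVersion:
        v = self._versions[name][-1]
        self._audit.append((self._clock(), principal, name, v.version))  # every read is audited
        return v

    def is_valid(self, name: str, presented: str) -> bool:
        """What the protected system (e.g. the database) checks at login time."""
        now = self._clock()
        for v in self._versions.get(name, []):
            if secrets.compare_digest(v.value, presented):
                return v.retired_at is None or now < v.retired_at
        return False

    def audit_log(self) -> List[Tuple[float, str, str, int]]:
        return list(self._audit)


class DbClient:
    """Fetches the credential at runtime and refreshes it when the login is rejected,
    instead of a PASSWORD = "..." literal or an env var frozen into the image at build time."""

    def __init__(self, store: SecretStore, secret_name: str, principal: str):
        self._store, self._name, self._principal = store, secret_name, principal
        self._cached: Optional[SecretVersion] = None

    def _credential(self, refresh: bool = False) -> SecretVersion:
        if self._cached is None or refresh:
            self._cached = self._store.current(self._name, self._principal)
        return self._cached

    def connect(self) -> int:
        """Return the secret version that authenticated; retry once after a refresh."""
        for attempt in range(2):
            cred = self._credential(refresh=attempt == 1)
            if self._store.is_valid(self._name, cred.value):
                return cred.version
        raise RuntimeError(f"{self._principal}: credential for {self._name} rejected after refresh")


def demo() -> Dict[str, int]:
    """Walk through a rotation with a controllable clock so the result is deterministic."""
    clock = [1_000_000.0]
    store = SecretStore(overlap_seconds=300, clock=lambda: clock[0])
    store.create("db/orders/password")            # assumed secret name
    client = DbClient(store, "db/orders/password", "orders-api")
    first = client.connect()                      # version 1, fetched at runtime
    store.rotate("db/orders/password")            # version 2 issued; version 1 retires in 300 s
    clock[0] += 60
    during = client.connect()                     # cached version 1 still accepted
    clock[0] += 300
    after = client.connect()                      # version 1 rejected -> refresh -> version 2
    return {"first": first, "during_overlap": during, "after_overlap": after,
            "reads_audited": len(store.audit_log())}


if __name__ == "__main__":
    print(demo())
```

Running it shows version 1 in use before and during the overlap and version 2 once the old version expires and the client refreshes, with two audited reads in total. The retry-on-rejection pattern is what keeps a real rotation from turning into an outage, whatever backend issues the secret.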

When choosing a secrets management solution, you’ll find both commercial and open-source options available. The right choice often depends on your specific environment—whether you operate in public cloud, a particular cloud vendor ecosystem, or on-premises infrastructure.

While selecting the right tool is a critical decision, it’s manageable by analyzing market options, licensing costs, and compatibility with your environment.

Regarding regulatory compliance, the following DORA articles show where secrets management supports the requirements (the mapping is illustrative; DORA names no specific tooling):

  • Article 6 (ICT risk management framework)
    Requires: a documented framework that protects all information and ICT assets, secrets included.
    How a secrets manager helps: centralizes secrets and governs which people and workloads can read them, with an audit trail.
  • Article 9 (Protection and prevention)
    Requires: policies, protocols and tools for access control, strong authentication and protection of cryptographic keys (Article 9(4)(c) and (d)).
    How a secrets manager helps: encryption at rest, fine-grained access control, automated rotation.
  • Article 28 (ICT third-party risk, general principles)
    Requires: security controls where functions rely on third parties, cloud providers included.
    How a secrets manager helps: governs the credentials shared with cloud and SaaS vendors and lets them be rotated or revoked when a provider or contract changes.

Hardened Container Images with Minimal Vulnerabilities

This is one of my favorite topics. Over the past 20 years, most reputable organizations have developed and implemented vulnerability management strategies for their servers.

But now that it’s 2025, do you have an equivalent plan in place for containers?

If you do, ask yourself: why should internal developers be responsible for building and maintaining your container base images?
This shouldn’t be their job, just as you wouldn’t expect them to manually patch Linux or Windows servers. Ideally, developers should focus on building company applications, relying on secure, hardened, and well-documented base images provided by specialized teams or vendors. Creating and maintaining secure images requires deep expertise and constant vigilance; it’s easy to do partially, but extremely challenging to do well.

Until recently, organizations had few options in this space. By 2025 the market has grown: several vendors now compete with minimal, continuously rebuilt base images, and the leaders are starting to consolidate.

My strong advice: carefully select a software provider for your base images, unless you’re a very large organization with the resources to build and support this capability internally.
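Whoever builds the base images, your pipeline still needs to verify what it ships. As an added example (not code from the original post or from any vendor), here is the kind of gate a CI job can run before an image is promoted: it checks that every FROM in the Dockerfile is pinned to a digest, and that the scan report contains no fixable CRITICAL or HIGH findings. The report layout follows Trivy’s JSON output (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity); the two Dockerfiles, the all-zero digest, the registry.example image names and the CVE-0000-* identifiers are constructed placeholders, not real findings.

```python
"""CI gate for container images. Added example, not code from the original post.

Two checks before an image is promoted to the registry production pulls from:
  1. Every FROM in the Dockerfile is pinned to a sha256 digest, so the image that
     was scanned is the image that ships (tags such as ':latest' are mutable).
  2. The scan report has no fixable CRITICAL or HIGH findings. Findings with no
     fix available are reported, not blocked: they are what a "0-CVE" promise
     cannot cover and must be tracked against the vendor's rebuild cadence.
Report shape follows Trivy's JSON output; all data below is constructed placeholders.
"""
import re
from typing import Dict, List, Tuple

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I | re.M)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
BLOCKING = {"CRITICAL", "HIGH"}


def unpinned_base_images(dockerfile: str) -> List[str]:
    """FROM references not pinned by digest. Build-stage aliases and 'scratch' are skipped."""
    stages, unpinned = set(), []
    for ref, alias in FROM_RE.findall(dockerfile):
        if alias:
            stages.add(alias)
        if ref == "scratch" or ref in stages:
            continue
        if not DIGEST_RE.search(ref):
            unpinned.append(ref)
    return unpinned


def triage(report: Dict) -> Dict[str, List[Dict]]:
    """Split findings into blocking (fixable CRITICAL/HIGH), fixable lower-severity, and unfixed."""
    out: Dict[str, List[Dict]] = {"blocking": [], "fixable": [], "unfixed": []}
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key is absent when a target is clean
            entry = {"id": v["VulnerabilityID"],
                     "pkg": f"{v['PkgName']}@{v['InstalledVersion']}",
                     "fix": v.get("FixedVersion") or None,
                     "severity": v.get("Severity", "UNKNOWN"),
                     "target": result.get("Target", "")}
            bucket = ("unfixed" if entry["fix"] is None
                      else "blocking" if entry["severity"] in BLOCKING else "fixable")
            out[bucket].append(entry)
    return out


def gate(dockerfile: str, report: Dict) -> Tuple[bool, List[str]]:
    """Return (passed, messages). Only unpinned bases and fixable CRITICAL/HIGH fail the gate;
    unfixed findings come back as 'track:' notes for the vulnerability register."""
    reasons = [f"unpinned base image: {ref}" for ref in unpinned_base_images(dockerfile)]
    t = triage(report)
    reasons += [f"{e['id']} {e['severity']} in {e['pkg']} (fixed in {e['fix']})" for e in t["blocking"]]
    notes = [f"track: {e['id']} {e['severity']} in {e['pkg']} (no fix available)" for e in t["unfixed"]]
    return (not reasons, reasons + notes)


# ---- constructed sample input (placeholders, not real images or findings) ----
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64

DOCKERFILE_BEFORE = """\
FROM golang:1.22 AS builder
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app .

FROM debian:bookworm-slim
COPY --from=builder /out/app /app
USER 65532
ENTRYPOINT ["/app"]
"""
DOCKERFILE_AFTER = (DOCKERFILE_BEFORE
                    .replace("golang:1.22", f"golang:1.22@{PLACEHOLDER_DIGEST}")
                    .replace("debian:bookworm-slim", f"debian:bookworm-slim@{PLACEHOLDER_DIGEST}"))


def _vuln(cve: str, pkg: str, installed: str, severity: str, fixed: str = "") -> Dict:
    v = {"VulnerabilityID": cve, "PkgName": pkg, "InstalledVersion": installed, "Severity": severity}
    if fixed:
        v["FixedVersion"] = fixed
    return v


SCAN_BEFORE = {"Results": [
    {"Target": "registry.example/app:1.0 (debian 12.5)", "Class": "os-pkgs", "Type": "debian",
     "Vulnerabilities": [_vuln("CVE-0000-0001", "libexample", "1.0-1", "HIGH", fixed="1.0-2"),
                         _vuln("CVE-0000-0002", "libother", "2.3-1", "MEDIUM"),  # no fix upstream yet
                         _vuln("CVE-0000-0003", "libthird", "0.9-1", "LOW", fixed="0.9-2")]},
    {"Target": "/app", "Class": "lang-pkgs", "Type": "gobinary"},  # clean target: no Vulnerabilities key
]}
SCAN_AFTER = {"Results": [
    {"Target": "registry.example/app:1.1 (debian 12.5)", "Class": "os-pkgs", "Type": "debian",
     "Vulnerabilities": [_vuln("CVE-0000-0002", "libother", "2.3-1", "MEDIUM")]},
]}

if __name__ == "__main__":
    for label, df, rep in (("before", DOCKERFILE_BEFORE, SCAN_BEFORE), ("after", DOCKERFILE_AFTER, SCAN_AFTER)):
        ok, msgs = gate(df, rep)
        print(label, "PASS" if ok else "FAIL", *msgs, sep="\n  ")
```

The "before" Dockerfile fails on two unpinned bases plus one fixable HIGH; the rebuilt "after" image passes but still carries one note for the unfixed MEDIUM. No rebuild can remove that finding yet, which is exactly the gap between "no known fixable CVEs today" and "no vulnerabilities", and why the vendor’s rebuild cadence and your own rescan-and-redeploy loop matter more than a single clean scan.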

From a regulatory standpoint, these DORA articles show why continuously rebuilt, zero-known-CVE (0-CVE) container images matter. One caveat first: "0-CVE" means no known, published vulnerabilities at scan time. New CVEs are disclosed against already-shipped packages every day, so the value lies in the provider’s rebuild cadence and in your own rescanning and redeployment loop, not in a one-off clean scan.

  • Article 6 (ICT risk management framework)
    Requires: a comprehensive framework, with processes, protocols and tools, to protect all information and ICT assets from risks such as damage and unauthorized access.
    How 0-CVE images help: container images free of known vulnerabilities demonstrably reduce ICT risk by limiting exposure to exploitable flaws in the OS and application layers.
  • Article 9 (Protection and prevention)
    Requires: policies, protocols and tools that ensure high standards of availability, authenticity, integrity and confidentiality of data; minimize unauthorized access; address technical flaws and vulnerabilities; and, under Article 9(4)(f), documented policies for patches and updates.
    How 0-CVE images help: images that are rebuilt as fixes land stay patched by construction, keep the attack surface small, and give the patch policy something concrete to point at.
  • Article 10 (Detection), with the detail in the RTS on ICT risk management (Commission Delegated Regulation (EU) 2024/1774, Article 10, vulnerability and patch management)
    Requires: prompt detection of anomalous activities; and, under the RTS, automated vulnerability scanning (at least weekly for ICT assets supporting critical or important functions), tracking of third-party and open-source libraries, prioritized patching and verified remediation.
    How 0-CVE images help: continuous scanning of images with automated rebuilds detects and remediates new CVEs quickly; an SBOM per image documents the components and evidences the remediation lifecycle.
  • Articles 24 and 25 (Digital operational resilience testing; testing of ICT tools and systems)
    Requires: a testing programme that includes vulnerability assessments and scans of ICT systems and applications, with prompt corrective action on weaknesses found.
    How 0-CVE images help: images with no known vulnerabilities pass scans and assessments with little remediation work, which simplifies the evidence you present.
  • Article 28 (ICT third-party risk, general principles)
    Requires: due diligence and contractual safeguards so that third parties, image providers and container platforms included, meet appropriate security standards, especially where they support critical or important functions.
    How 0-CVE images help: selecting an image provider with a documented rebuild and disclosure process is concrete evidence of state-of-the-art controls when relying on third-party images or services.

Unified Cloud-Native Application Protection Platforms (CNAPPs)

A Unified Cloud-Native Application Protection Platform (CNAPP) is an all-in-one security solution designed to protect cloud-based applications throughout their entire lifecycle. It integrates vulnerability and posture management, workload protection, identity control, and compliance tools into a single platform.

What it does:

  • Provides comprehensive visibility across cloud applications, infrastructure, and users
  • Detects risks such as misconfigurations and vulnerabilities
  • Automates threat detection, policy enforcement, and remediation
  • Embeds security early in development and maintains continuous protection during operations

If you don’t already have a centralized view of your cloud-native estate, a CNAPP is where that view comes from. The growth and complexity of cloud-native environments make such a platform hard to do without if you want to keep control of configuration and security.

This isn’t just about regulatory compliance, it’s about organizational survival!
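As an added example (not code from the original post or from any CNAPP product), here is a small set of workload posture rules of the kind such a platform evaluates continuously, run over a constructed Kubernetes Deployment. The manifest is given as a Python dict in the shape PyYAML would produce from the YAML; the payments-api name, the registry.example image and the secret names are placeholders. Each rule returns a finding with a severity and the fix, and the same workload is shown hardened so the rules can be seen passing.

```python
"""Workload posture checks of the kind a CNAPP runs. Added example, not code from the original post.

The Deployment below is constructed (names and image are placeholders) and given as
a Python dict, the structure PyYAML would produce from the YAML. Each rule yields a
finding with a severity and the fix; HARDENED is the same workload after remediation.
"""
import re
from typing import Dict, List

# Env var names that usually carry a credential; a literal 'value' on one is a hard-coded secret.
SECRET_NAME_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)


def check_workload(manifest: Dict) -> List[Dict]:
    """Evaluate pod- and container-level hardening rules against one Deployment."""
    pod = manifest["spec"]["template"]["spec"]
    name = manifest["metadata"]["name"]
    findings: List[Dict] = []

    def add(severity: str, container, rule: str, fix: str) -> None:
        findings.append({"workload": name, "container": container,
                         "severity": severity, "rule": rule, "fix": fix})

    if any(pod.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        add("HIGH", None, "pod shares host namespaces", "remove hostNetwork/hostPID/hostIPC")

    pod_sc = pod.get("securityContext", {})
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        sc = {**pod_sc, **c.get("securityContext", {})}   # container settings override pod defaults
        if sc.get("privileged"):
            add("CRITICAL", c["name"], "privileged container", "securityContext.privileged: false")
        if sc.get("allowPrivilegeEscalation", True):      # Kubernetes default is true
            add("MEDIUM", c["name"], "privilege escalation allowed",
                "securityContext.allowPrivilegeEscalation: false")
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            add("HIGH", c["name"], "may run as root",
                "securityContext.runAsNonRoot: true and a non-zero runAsUser")
        if not sc.get("readOnlyRootFilesystem"):
            add("LOW", c["name"], "writable root filesystem", "securityContext.readOnlyRootFilesystem: true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            add("MEDIUM", c["name"], "Linux capabilities not dropped", "securityContext.capabilities.drop: [ALL]")
        for env in c.get("env", []):
            if "value" in env and SECRET_NAME_RE.search(env["name"]):
                add("HIGH", c["name"], f"secret passed as literal env {env['name']}",
                    "use valueFrom.secretKeyRef or mount it from a secrets manager (CSI driver or sidecar)")
        if "limits" not in c.get("resources", {}):
            add("LOW", c["name"], "no resource limits", "set resources.limits (cpu, memory)")
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per severity, the number a dashboard or CI gate would act on."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def _deployment(name: str, pod_spec: Dict) -> Dict:
    return {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": name},
            "spec": {"template": {"spec": pod_spec}}}


# Constructed manifests; workload name, image and secret values are placeholders.
INSECURE = _deployment("payments-api", {
    "hostNetwork": True,
    "containers": [{
        "name": "api",
        "image": "registry.example/payments-api:latest",
        "securityContext": {"privileged": True},
        "env": [{"name": "DB_PASSWORD", "value": "placeholder-literal"},
                {"name": "LOG_LEVEL", "value": "info"}],
    }],
})

HARDENED = _deployment("payments-api", {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "api",
        "image": "registry.example/payments-api:1.4.2",
        "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}},
        "env": [{"name": "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "payments-db", "key": "password"}}},
                {"name": "LOG_LEVEL", "value": "info"}],
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
    }],
})

if __name__ == "__main__":
    for f in check_workload(INSECURE):
        print(f"[{f['severity']}] {f['workload']}/{f['container']}: {f['rule']} -> {f['fix']}")
    print("hardened findings:", check_workload(HARDENED))
```

The insecure manifest produces eight findings (one CRITICAL, three HIGH, two MEDIUM, two LOW); the hardened one produces none. The literal DB_PASSWORD rule is where this section meets the first one: a credential written into a manifest is a hard-coded secret with a different file extension, and a posture scanner is a cheap way to catch it before a secrets manager is even in the picture.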

Regulatory context: how a CNAPP maps to DORA requirements

DORA does not require a CNAPP, or any particular product. The mapping below shows which requirements a CNAPP’s capabilities support:

  • Article 6 (ICT risk management framework)
    Requires: a comprehensive framework to protect information and ICT assets against risk, vulnerabilities included.
    How a CNAPP helps: unified vulnerability management and risk visibility across the cloud-native application lifecycle, so misconfigurations and vulnerabilities are found early.
  • Article 9 (Protection and prevention)
    Requires: measures ensuring the confidentiality, integrity and availability of data and systems.
    How a CNAPP helps: continuous policy enforcement and monitoring of workloads and configurations in complex cloud environments.
  • Article 10 (Detection)
    Requires: mechanisms to promptly detect anomalous activities, with multiple layers of control and alert thresholds that trigger incident response.
    How a CNAPP helps: continuous scanning and runtime detection with alerting and remediation guidance.
  • Article 11 (Response and recovery)
    Requires: an ICT business continuity policy with associated response and recovery plans.
    How a CNAPP helps: runtime threat detection with automated workflows that support rapid containment; it feeds the response process rather than replacing the plans themselves.
  • Article 28 (ICT third-party risk, general principles)
    Requires: management of risks arising from ICT third-party service providers.
    How a CNAPP helps: a single view of third-party cloud resources across multi-cloud and hybrid environments, so provider-side misconfigurations are visible to you and not only to the provider.

Conclusions

IT professionals are fortunate to live in a fascinating era, working with cutting-edge technologies and developing innovative solutions every year.

Regulations can often seem like a gray area, but when understood properly, they become valuable opportunities to implement improvements and drive innovation.

If you work in a financial institution, you likely already have these tools in place or have started projects to implement them. If you are outside the financial sector or not part of an EU company, I hope this post has given you something to consider: security matters.
Regardless of regulation, there are critical areas in every organization that deserve proper protection and auditing.