RISE 2026 DORA Mapping

The table below aligns the RISE 2026 operational controls with the corresponding articles of the Digital Operational Resilience Act (DORA). The mapping uses the same section and control titles as the control table so teams can move directly between benchmark guidance, internal assessments, and DORA evidence collection.
The DORA reference text is available on eur-lex.europa.eu.

| Category | Control name | DORA Article |
|---|---|---|
| Governance and Risk Management | Define a formal resilience governance model with clear accountability | Article 5 - Governance and organisation; Article 6 - ICT risk management framework |
| Governance and Risk Management | Perform regular resilience risk assessments and maintain a risk register | Article 6 - ICT risk management framework |
| Governance and Risk Management | Define resilience objectives and tolerances for critical services | Article 6 - ICT risk management framework |
| Governance and Risk Management | Establish exception management and compensating controls for unmet requirements | Article 6 - ICT risk management framework |
| Governance and Risk Management | Report resilience posture and remediation progress to leadership regularly | Article 5 - Governance and organisation; Article 6 - ICT risk management framework |
| Third-Party and SaaS Resilience | Maintain an inventory of critical third-party and SaaS dependencies | Article 28 - General principles |
| Third-Party and SaaS Resilience | Assess concentration risk and exit readiness for critical providers | Article 28 - General principles; Article 29 - Preliminary assessment of ICT concentration risk at entity level |
| Third-Party and SaaS Resilience | Define minimum resilience and security requirements for suppliers | Article 30 - Key contractual provisions |
| Third-Party and SaaS Resilience | Monitor supplier performance, incidents, and contractual recovery commitments | Article 28 - General principles; Article 30 - Key contractual provisions |
| Third-Party and SaaS Resilience | Test contingency plans for third-party and SaaS disruption | Article 11 - Response and recovery; Article 28 - General principles |
| Data Backup and Recovery | Establish a regular backup schedule for critical data | Article 12 - Backup policies and procedures, restoration and recovery procedures and methods |
| Data Backup and Recovery | Store backups in multiple locations (offsite and/or cloud-based storage) | Article 12 - Backup policies and procedures, restoration and recovery procedures and methods |
| Data Backup and Recovery | Implement a versioning system to track and restore previous versions of data | Article 12 - Backup policies and procedures, restoration and recovery procedures and methods |
| Data Backup and Recovery | Encrypt backups to protect sensitive data | Article 9 - Protection and prevention |
| Data Backup and Recovery | Test backup and recovery processes periodically to ensure data integrity | Article 25 - Testing of ICT tools and systems |
| Network redundancy and failover | Implement redundant network connections to prevent single points of failure | Article 7 - ICT systems, protocols and tools |
| Network redundancy and failover | Use load balancers to distribute traffic evenly across resources | Article 7 - ICT systems, protocols and tools |
| Network redundancy and failover | Employ network failover solutions (e.g., redundant routers, switches) | Article 7 - ICT systems, protocols and tools |
| Network redundancy and failover | Monitor network performance and latency to detect potential issues | Article 10 - Detection |
| Network redundancy and failover | Test network redundancy and failover processes to ensure proper functioning | Article 25 - Testing of ICT tools and systems |
| Infrastructure monitoring and alerting | Implement a monitoring system to track the health and performance of cloud infrastructure | Article 10 - Detection |
| Infrastructure monitoring and alerting | Set up alerts for critical events and performance thresholds | Article 10 - Detection |
| Infrastructure monitoring and alerting | Monitor resource usage to identify potential bottlenecks and capacity issues | Article 10 - Detection |
| Infrastructure monitoring and alerting | Establish a centralized logging system to collect and analyze logs from various components | Article 13 - Learning and evolving |
| Infrastructure monitoring and alerting | Regularly review monitoring data to identify trends and improve infrastructure resilience | Article 13 - Learning and evolving |
| Incident response planning | Develop a formal incident response plan, including roles and responsibilities | Article 11 - Response and recovery |
| Incident response planning | Establish a communication plan for internal and external stakeholders during incidents | Article 11 - Response and recovery |
| Incident response planning | Perform regular incident response drills to test and refine the plan | Article 25 - Testing of ICT tools and systems |
| Incident response planning | Document lessons learned from incidents and update the incident response plan accordingly | Article 13 - Learning and evolving |
| Incident response planning | Provide training for staff on incident response processes and best practices | Article 13 - Learning and evolving |
| Business Continuity and Crisis Management | Perform business impact analysis for critical services and processes | Article 11 - Response and recovery |
| Business Continuity and Crisis Management | Define business continuity plans and manual workaround procedures | Article 11 - Response and recovery |
| Business Continuity and Crisis Management | Establish a crisis management structure for severe disruptions | Article 11 - Response and recovery |
| Business Continuity and Crisis Management | Exercise continuity and crisis scenarios with business and technical stakeholders | Article 11 - Response and recovery; Article 25 - Testing of ICT tools and systems |
| Business Continuity and Crisis Management | Review continuity assumptions and recovery priorities after major change | Article 13 - Learning and evolving |
| Capacity planning and scaling | Regularly assess infrastructure capacity and plan for growth | Article 7 - ICT systems, protocols and tools |
| Capacity planning and scaling | Implement auto-scaling strategies to handle fluctuating workloads | Article 7 - ICT systems, protocols and tools |
| Capacity planning and scaling | Use load testing to identify capacity limits and potential bottlenecks | Article 25 - Testing of ICT tools and systems |
| Capacity planning and scaling | Monitor resource usage to anticipate and address potential capacity issues | Article 10 - Detection |
| Capacity planning and scaling | Review and update capacity plans based on changing business requirements and growth | Article 13 - Learning and evolving |
| Identity, Secrets, and Administrative Access | Centralize and harden privileged identity administration | Article 9 - Protection and prevention |
| Identity, Secrets, and Administrative Access | Use short-lived credentials and just-in-time access for privileged operations | Article 9 - Protection and prevention |
| Identity, Secrets, and Administrative Access | Manage secrets with controlled storage, rotation, and access policies | Article 9 - Protection and prevention |
| Identity, Secrets, and Administrative Access | Protect and test emergency access and break-glass procedures | Article 9 - Protection and prevention; Article 11 - Response and recovery |
| Identity, Secrets, and Administrative Access | Govern machine identities and service credentials across workloads | Article 9 - Protection and prevention |
| Security and access controls | Implement strong authentication and authorization mechanisms | Article 9 - Protection and prevention |
| Security and access controls | Regularly review and update user access permissions | Article 9 - Protection and prevention |
| Security and access controls | Enable encryption for data at rest and in transit | Article 9 - Protection and prevention |
| Security and access controls | Apply security patches and updates promptly | Article 9 - Protection and prevention |
| Security and access controls | Conduct regular vulnerability assessments and penetration testing | Article 25 - Testing of ICT tools and systems |
| Software Delivery and Supply Chain Resilience | Protect source code, build systems, and deployment pipelines from unauthorized change | Article 9 - Protection and prevention |
| Software Delivery and Supply Chain Resilience | Maintain traceability and integrity for build artifacts and releases | Article 7 - ICT systems, protocols and tools; Article 9 - Protection and prevention |
| Software Delivery and Supply Chain Resilience | Control dependency and base image risk through continuous inventory and update processes | Article 9 - Protection and prevention |
| Software Delivery and Supply Chain Resilience | Design deployments for safe rollback and progressive release | Article 7 - ICT systems, protocols and tools; Article 11 - Response and recovery |
| Software Delivery and Supply Chain Resilience | Test CI/CD recovery and release continuity during platform disruption | Article 11 - Response and recovery; Article 25 - Testing of ICT tools and systems |
| Application resiliency and fault tolerance | Design applications to be stateless and horizontally scalable | Article 7 - ICT systems, protocols and tools |
| Application resiliency and fault tolerance | Implement circuit breakers and retries to handle transient faults | Article 7 - ICT systems, protocols and tools |
| Application resiliency and fault tolerance | Use health checks and load balancing to distribute traffic among instances | Article 7 - ICT systems, protocols and tools |
| Application resiliency and fault tolerance | Isolate application components to limit the impact of failures | Article 7 - ICT systems, protocols and tools |
| Application resiliency and fault tolerance | Monitor application performance and error rates to identify potential issues | Article 10 - Detection |
| Data center and geographic redundancy | Deploy infrastructure across multiple data centers or availability zones | Article 12 - Backup policies and procedures, restoration and recovery procedures and methods |
| Data center and geographic redundancy | Use geo-replication to store data redundantly across different regions | Article 12 - Backup policies and procedures, restoration and recovery procedures and methods |
| Data center and geographic redundancy | Implement global load balancing to distribute traffic across data centers | Article 7 - ICT systems, protocols and tools |
| Data center and geographic redundancy | Test failover processes between data centers to ensure smooth recovery | Article 25 - Testing of ICT tools and systems |
| Data center and geographic redundancy | Regularly review and update data center redundancy strategies based on evolving needs | Article 13 - Learning and evolving |
| Regular resilience testing and validation | Conduct regular disaster recovery and failover tests | Article 25 - Testing of ICT tools and systems |
| Regular resilience testing and validation | Use chaos engineering techniques to simulate failures and test system resilience | Article 25 - Testing of ICT tools and systems |
| Regular resilience testing and validation | Test backup and recovery processes to validate data integrity | Article 12 - Backup policies and procedures, restoration and recovery procedures and methods |
| Regular resilience testing and validation | Perform load and stress tests to identify capacity limits and potential bottlenecks | Article 25 - Testing of ICT tools and systems |
| Regular resilience testing and validation | Use the results of testing to inform updates and improvements to infrastructure resilience | Article 13 - Learning and evolving |
| Documentation and Knowledge Sharing | Document architecture, processes, and best practices for cloud resilience | Article 13 - Learning and evolving |
| Documentation and Knowledge Sharing | Maintain a centralized knowledge base for easy access to documentation | Article 13 - Learning and evolving |
| Documentation and Knowledge Sharing | Regularly review and update documentation to reflect changes and improvements | Article 13 - Learning and evolving |
| Documentation and Knowledge Sharing | Encourage knowledge sharing and collaboration among team members | Article 13 - Learning and evolving |
| Documentation and Knowledge Sharing | Provide training and resources to help staff stay informed about resilience | Article 13 - Learning and evolving |