DORA Compliance Architecture: CI/CD as a Regulated ICT System

Under DORA, a CI/CD pipeline that builds, tests, and deploys software for a financial entity is no longer a simple engineering tool. It is an ICT system that directly affects operational resilience, security, and regulatory compliance, and it must be designed, governed, and audited with the same rigor as the production platforms it deploys to.

This article defines the reference DORA compliance architecture used throughout Regulated DevSecOps. It describes how CI/CD pipelines function as controlled ICT systems under DORA, how technical controls enforce regulatory requirements across the delivery lifecycle, and how auditable evidence is generated by design.

The focus of this article is implementation and governance. It provides a structured architectural model aligned with the ICT risk management requirements in Chapter II of DORA (Regulation (EU) 2022/2554, Articles 5 to 16), serving as the foundation for related deep dives, control mappings, evidence packs, and audit preparation guides published on this site.

Readers new to DORA or seeking a high-level explanation of the architectural concepts may want to start with:
DORA Compliance Architecture — Explained.


Why Architecture Matters for DORA Compliance

DORA does not prescribe specific technologies. Instead, it focuses on outcomes: risk control, resilience, traceability, and accountability. Architecture plays a crucial role in translating these regulatory expectations into concrete technical implementations.

A well-defined compliance architecture ensures that:

  • ICT risk controls are consistently enforced
  • Responsibilities are clearly assigned
  • Evidence is generated continuously
  • Audits can be supported without ad-hoc remediation

CI/CD pipelines sit at the intersection of development, operations, and governance, making them a natural anchor point for DORA-aligned architecture.


High-Level DORA Compliance Architecture Overview

The DORA compliance architecture is structured around three core layers:

  1. Governance and ICT Risk Management
  2. CI/CD Pipelines as Regulated Systems
  3. Production and Operational Controls

These layers are supported by cross-cutting evidence and monitoring capabilities that ensure continuous compliance rather than point-in-time validation.

[Figure: DORA Compliance Architecture – CI/CD as Regulated ICT System. Layers: DORA Governance / ICT Risk Management (risk identification, policies and oversight); CI/CD Pipeline / ICT risk management enforcement (access control and segregation of duties, change approval and policy gates, security testing and integrity checks); Production and Operations / Operational Resilience (runtime monitoring, incident response). Cross-cutting: Continuous Compliance Evidence (audit logs, approvals and SoD, artifact provenance, monitoring events, retention and reporting).]
How CI/CD pipelines enforce DORA ICT risk management controls (Chapter II, Articles 5 to 16) and generate continuous compliance evidence.

Governance and ICT Risk Management Layer

At the top of the architecture sits the governance layer, which defines how ICT risks are identified, assessed, and managed in accordance with DORA.

This layer includes:

  • ICT risk management frameworks
  • Policies and standards applicable to software delivery
  • Ownership and accountability models
  • Oversight and review mechanisms

CI/CD pipelines must be explicitly included in ICT system inventories and risk assessments. Excluding pipelines from scope is a common gap observed during DORA readiness assessments.


CI/CD Pipelines as Regulated ICT Systems

In a DORA-compliant architecture, CI/CD pipelines are treated as regulated systems with clearly defined controls and enforcement mechanisms.

Key architectural principles include:

  • Strong access control and segregation of duties
  • Mandatory use of CI/CD for all production changes
  • Automated policy enforcement and approval gates
  • Integrated security testing and integrity verification

By embedding these controls directly into CI/CD workflows, organizations ensure that compliance requirements are enforced consistently and automatically.


Change Management and Control Enforcement

DORA requires documented policies, procedures, and controls for ICT change management so that every change to an ICT system is recorded, tested, assessed, approved, implemented, and verified in a controlled manner (Article 9(4)(e)). CI/CD pipelines are the primary mechanism for enforcing this requirement technically rather than on paper.

Architecturally, this means:

  • All production deployments are executed through CI/CD pipelines
  • Manual or out-of-band changes are prevented where technically possible, and otherwise detected, logged, and handled as exceptions
  • Approvals are enforced technically rather than procedurally
  • Each change is traceable from source code to deployment

This approach provides strong guarantees of integrity and accountability.
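The rules above can be checked by code rather than by a reviewer's memory. The following release gate, an added example with constructed records and not the code of any CI/CD product, denies a deployment unless the deployer is the pipeline identity, the artifact is tied to its source commit by a provenance record the gate can verify, and approval comes from someone other than the author or requester and is bound to the exact artifact digest. The record shapes, role names, and the HMAC tag on the provenance record are assumptions made for the example.

```python
"""Release gate for the change-control rules above: only the pipeline
identity deploys, the artifact is tied to its source commit by a signed
provenance record, and approval comes from an independent, authorised
person and is bound to the exact artifact digest.

Added example with constructed records; the record shapes, role names
and the HMAC-based provenance tag are assumptions, not any CI/CD
product's API."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Assumed: the build service holds this key and tags every provenance
# record it emits; the gate only verifies. Constructed key for the example.
PROVENANCE_KEY = b"example-build-service-key"
PIPELINE_IDENTITY = "svc-cicd-deployer"          # assumed service account
APPROVER_ROLES = {"release-manager", "change-advisory-board"}  # assumed roles


def sign_provenance(record: dict) -> str:
    """HMAC over the canonical JSON of a provenance record (commit -> digest),
    so the gate can reject edited records or records not made by the build."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(PROVENANCE_KEY, body, hashlib.sha256).hexdigest()


@dataclass
class GateDecision:
    allowed: bool
    reasons: list = field(default_factory=list)   # empty when allowed


def evaluate_release(request: dict, provenance: dict, provenance_tag: str,
                     approvals: list) -> GateDecision:
    """Apply each change-control rule as a hard check. Every failure is
    recorded, so the decision record is itself audit evidence."""
    reasons = []

    # Rule 1: production deployments only through the pipeline identity.
    if request["deployer"] != PIPELINE_IDENTITY:
        reasons.append(f"out-of-band deployer {request['deployer']!r}")

    # Rule 2: provenance must be authentic and must cover this exact artifact.
    if not hmac.compare_digest(sign_provenance(provenance), provenance_tag):
        reasons.append("provenance record failed integrity check")
    elif provenance["artifact_digest"] != request["artifact_digest"]:
        reasons.append("artifact digest not covered by provenance")

    # Rule 3: segregation of duties. The approver must not be the commit
    # author or the requester, must hold an approver role, and the approval
    # must name this digest so it cannot be reused for a different build.
    excluded = {provenance["commit_author"], request["requested_by"]}
    independent = [a for a in approvals
                   if a["artifact_digest"] == request["artifact_digest"]
                   and a["approver"] not in excluded
                   and a["role"] in APPROVER_ROLES]
    if not independent:
        reasons.append("no approval by an independent, authorised approver "
                       "for this artifact digest")

    return GateDecision(allowed=not reasons, reasons=reasons)


# --- constructed sample records (not output of any real pipeline) ---
ARTIFACT = "sha256:" + "ab" * 32
PROVENANCE = {
    "source_repo": "git@example.internal:payments/ledger.git",
    "commit": "3f9a1c2e7b0d4a6f8e1c5b9d2a7f0e3c6b8d1a4f",
    "commit_author": "alice",
    "pipeline_run": "run-4821",
    "artifact_digest": ARTIFACT,
}
PROVENANCE_TAG = sign_provenance(PROVENANCE)
REQUEST = {"artifact_digest": ARTIFACT, "environment": "production",
           "requested_by": "alice", "deployer": PIPELINE_IDENTITY}
APPROVALS_OK = [{"approver": "bob", "role": "release-manager",
                 "artifact_digest": ARTIFACT}]
APPROVALS_SELF = [{"approver": "alice", "role": "release-manager",
                   "artifact_digest": ARTIFACT}]

if __name__ == "__main__":
    for label, approvals in (("independent", APPROVALS_OK),
                             ("self-approval", APPROVALS_SELF)):
        d = evaluate_release(REQUEST, PROVENANCE, PROVENANCE_TAG, approvals)
        print(label, "->", "ALLOW" if d.allowed else "DENY", d.reasons)
```

The gate returns every failed rule rather than stopping at the first, so the denial record shows an auditor exactly which control fired. Binding the approval to the artifact digest is the detail most often missing in practice: an approval that names only a ticket or a branch can be replayed against a later, unreviewed build.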


Continuous Evidence Generation

One of the most important aspects of DORA compliance architecture is evidence generation. Rather than collecting evidence manually during audits, the architecture ensures that evidence is produced continuously as a byproduct of normal operations.

CI/CD pipelines generate:

  • Execution logs and approval records
  • Security testing results
  • Artifact metadata and provenance
  • Deployment histories

This evidence is retained, centralized, and made available for audit and supervisory review.
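Evidence that is produced continuously is only useful at audit time if it can be shown not to have been altered in the meantime. The following added example, with constructed records and not any product's log format, has each pipeline stage append a record to a hash-chained evidence log, so the retained log itself reveals whether a record was edited, removed, or reordered after the run. The field names and the SHA-256 chaining scheme are assumptions made for the example.

```python
"""Evidence by design: every pipeline stage appends a record to a
hash-chained evidence log, so the retained log itself shows whether any
record was altered, removed or reordered after the fact.

Added example with constructed records; the field names and the
SHA-256 chaining scheme are assumptions, not a real product's format."""
import copy
import hashlib
import json

GENESIS_HASH = "0" * 64     # prev_hash of the first record


def _canonical(body: dict) -> bytes:
    """Stable serialisation so the same record always hashes the same."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_evidence(chain: list, run_id: str, stage: str, actor: str,
                    outcome: str, details: dict, timestamp: str) -> dict:
    """Append one record. Its hash covers the previous record's hash, so
    editing or dropping an earlier record invalidates everything after it."""
    body = {
        "seq": len(chain),
        "run_id": run_id,
        "stage": stage,
        "actor": actor,
        "outcome": outcome,
        "details": details,
        "timestamp": timestamp,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS_HASH,
    }
    record = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
    chain.append(record)
    return record


def verify_chain(chain: list) -> tuple:
    """Return (True, -1) if the chain is intact, else (False, seq) where
    seq is the index of the first record that fails sequence, linkage or
    hash verification."""
    prev = GENESIS_HASH
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev:
            return False, i
        if hashlib.sha256(_canonical(body)).hexdigest() != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, -1


def tampered(chain: list, seq: int, field: str, value, rehash: bool = False) -> list:
    """Return a modified copy: change one field of record `seq`, optionally
    recomputing that record's own hash (what someone with write access to
    the store would do). The chain still exposes the edit downstream."""
    out = copy.deepcopy(chain)
    out[seq][field] = value
    if rehash:
        body = {k: v for k, v in out[seq].items() if k != "hash"}
        out[seq]["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    return out


def build_sample_run() -> list:
    """Constructed evidence for one pipeline run, not real pipeline output."""
    artifact = "sha256:" + "ab" * 32
    chain = []
    append_evidence(chain, "run-4821", "build", "svc-cicd-builder", "pass",
                    {"commit": "3f9a1c2e", "artifact_digest": artifact},
                    "2025-01-10T09:00:00+00:00")
    append_evidence(chain, "run-4821", "sast", "svc-cicd-builder", "pass",
                    {"tool": "example-scanner", "high": 0, "medium": 2},
                    "2025-01-10T09:04:00+00:00")
    append_evidence(chain, "run-4821", "approval", "bob", "approved",
                    {"artifact_digest": artifact, "change_ticket": "CHG-1042"},
                    "2025-01-10T10:30:00+00:00")
    append_evidence(chain, "run-4821", "deploy", "svc-cicd-deployer", "pass",
                    {"environment": "production", "artifact_digest": artifact},
                    "2025-01-10T10:35:00+00:00")
    return chain


if __name__ == "__main__":
    run = build_sample_run()
    print("intact:", verify_chain(run))
    print("edited outcome, hash not recomputed:",
          verify_chain(tampered(run, 1, "outcome", "fail")))
    print("edited outcome, hash recomputed:",
          verify_chain(tampered(run, 1, "outcome", "fail", rehash=True)))
    print("approval record deleted:", verify_chain(run[:2] + run[3:]))
```

Chaining alone does not stop someone who controls the whole store from rewriting every record after the edit; it moves the trust question to the last hash. Periodically exporting that head hash to a location the pipeline cannot write to (a separate retention account, a ticket, or a signed timestamp) closes that gap and is what makes the retained evidence defensible under supervisory review.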


Production and Operational Controls

The architecture extends beyond delivery into production and operations. DORA requires organizations to demonstrate operational resilience across the entire lifecycle.

Production-layer controls include:

  • Runtime monitoring and alerting
  • Incident detection and response procedures
  • Rollback and recovery mechanisms
  • Controlled access to production systems

CI/CD pipelines integrate with these controls to support resilience and rapid response.


Cross-Cutting Controls and Evidence

Across all architectural layers, certain controls apply universally:

  • Logging and monitoring
  • Audit trails
  • Evidence retention and reporting
  • Continuous review and improvement

These cross-cutting controls ensure that compliance is sustained over time and not dependent on manual effort.


Mapping the Architecture to DORA's ICT Risk Management Requirements

This architecture directly supports the ICT risk management requirements of DORA (Chapter II, Articles 5 to 16) by embedding the controls they call for into technical systems.

CI/CD pipelines contribute to:

  • Risk identification and prevention (Articles 8 and 9)
  • Access control and segregation of duties (Article 9)
  • Change management and integrity (Article 9(4)(e))
  • Logging, monitoring, and detection (Article 10)
  • Resilience, recovery, and continuous improvement (Articles 11 to 13)

The result is an operational interpretation of these requirements that auditors can verify through technical evidence.


Common Architectural Pitfalls

Organizations often encounter the following issues:

  • CI/CD pipelines treated as non-regulated tooling
  • Excessive privileges granted to automation
  • Optional or advisory security controls
  • Insufficient evidence retention
  • Weak linkage between governance and technical enforcement

Addressing these pitfalls early significantly reduces regulatory risk.


Conclusion

DORA compliance cannot be achieved through documentation alone. It requires an architecture that embeds risk management, governance, and evidence generation directly into technical systems.

By treating CI/CD pipelines as regulated ICT systems, organizations can enforce DORA requirements continuously, improve operational resilience, and demonstrate compliance with confidence. A well-designed DORA compliance architecture transforms CI/CD from an audit risk into a compliance asset.

