The Digital Operational Resilience Act (DORA) introduces a fundamental shift in how regulated organizations must design, operate, and govern their ICT systems. Under DORA, compliance is no longer limited to policies or periodic controls—it must be embedded directly into technical architectures and operational workflows.
This article provides a conceptual and architectural explanation of how CI/CD pipelines fit into the DORA compliance model. It explains why modern software delivery pipelines must be treated as regulated ICT systems, how security and resilience controls are expected to operate across the software lifecycle, and where DORA requirements intersect with DevSecOps practices.
The goal of this article is understanding: clarifying the architectural intent behind DORA, introducing key concepts such as policy enforcement, evidence-by-design, and operational traceability, and helping readers build the right mental model before moving into implementation or audit preparation.
For readers looking for the formal reference architecture used across this site—including explicit mappings to DORA Articles, control objectives, and audit-ready evidence—see:
DORA Compliance Architecture: CI/CD as a Regulated ICT System.
DORA Compliance Architecture (Overview)
“DORA Compliance Architecture – CI/CD as a Regulated ICT System”
This architecture shows how governance, CI/CD pipelines, and production operations work together to support continuous compliance and operational resilience under DORA.
How to Read This Diagram
The diagram is read from left to right, representing the flow of control and responsibility across the software delivery lifecycle:
- Governance & ICT Risk Management
- CI/CD Pipelines as Regulated Systems
- Production & Operations
A cross-cutting evidence layer spans all components, highlighting the continuous generation of audit-ready evidence.
Governance & ICT Risk Management Layer
The left side of the diagram represents the governance layer required by DORA. This is where ICT risks are identified, assessed, and managed.
This layer includes:
- ICT risk management frameworks
- Policies and standards
- Defined ownership and accountability
- Oversight and review mechanisms
CI/CD pipelines are explicitly included in this scope. Treating pipelines as out-of-scope tooling is a common gap identified during DORA assessments.
CI/CD Pipelines as Regulated ICT Systems
At the center of the architecture, CI/CD pipelines act as control enforcement systems rather than simple automation tools.
In this architecture, CI/CD pipelines enforce:
- Access control and segregation of duties
- Mandatory approval workflows
- Policy enforcement gates
- Security testing and integrity checks
All production changes flow through CI/CD pipelines, ensuring that governance requirements are enforced consistently and automatically.
Production & Operations Layer
The right side of the diagram represents production and operational environments.
This layer focuses on:
- Runtime monitoring and alerting
- Incident detection and response
- Rollback and recovery mechanisms
- Controlled access to production systems
CI/CD pipelines integrate with operational controls to support DORA’s operational resilience objectives.
Continuous Compliance Evidence (Cross-Cutting)
Across all layers, the architecture generates continuous compliance evidence.
This includes:
- Pipeline execution logs
- Approval and segregation-of-duties records
- Security scan results
- Artifact provenance and deployment history
- Monitoring and incident records
Evidence is system-generated, timestamped, and retained, enabling organizations to support audits without relying on manual documentation.
Why This Architecture Matters for DORA
DORA does not require organizations to document compliance after the fact. It requires them to operate securely and resiliently at all times.
This architecture translates DORA Article 21 requirements into:
- Technical enforcement instead of procedural controls
- Continuous evidence instead of periodic audits
- Operational resilience instead of reactive remediation
CI/CD pipelines become compliance assets rather than audit risks.
From Architecture to Detailed Controls
This diagram provides the architectural baseline. Detailed interpretations, mappings, and audit guidance are covered in the following resources:
- DORA Article 21 Deep Dive
- Article 21 ↔ CI/CD Controls Mapping
- DORA Article 21 Auditor Checklist
- DORA Article 21 Evidence Pack
- How Auditors Actually Review CI/CD
Conclusion
DORA compliance starts with architecture. By treating CI/CD pipelines as regulated ICT systems and embedding governance, control enforcement, and evidence generation into technical workflows, organizations can meet regulatory expectations with confidence.
This diagram provides a clear, shared understanding of how DORA compliance is implemented in practice across the software delivery lifecycle.
