These tables map the ICT risk management requirements that this page groups under DORA Article 21 to concrete CI/CD pipeline security controls and to the evidence each control generates.
They are intended to support regulatory interpretation, audit preparation, and technical implementation reviews.
Note on numbering: in Regulation (EU) 2022/2554 the ICT risk management framework requirements are set out in Chapter II (Articles 5 to 16), while Article 21 itself concerns centralisation of major incident reporting. The Article 21(1) and 21(2)(a) to (f) labels used below are this page's own grouping of those requirements, so formal audit responses should cite the underlying Chapter II articles rather than these labels.
Article 21(1) — ICT Risk Management Framework
| DORA Requirement | CI/CD Control | Evidence Generated |
|---|---|---|
| Identify and assess ICT risks | Automated security testing (SAST, SCA, DAST) | Scan reports, pipeline logs |
| Prevent and mitigate ICT risks | Policy enforcement and pipeline gates | Gate decisions, approvals |
| Detect anomalous activities | Pipeline monitoring and alerts | Alert logs, SIEM events |
| Respond to ICT incidents | Controlled rollback and redeployments | Deployment history |
| Recover from disruptions | Reproducible builds and releases | Build metadata |
Article 21(2)(a) — Access Control
| DORA Requirement | CI/CD Control | Evidence Generated |
|---|---|---|
| Prevent unauthorized access | RBAC for CI/CD configuration | Access control logs |
| Protect privileged operations | Least privilege service accounts | IAM policies |
| Secure administrative access | MFA for CI/CD admins | Authentication logs |
| Control automation identities | Separate pipeline identities | Identity inventory |
Article 21(2)(b) — Segregation of Duties
| DORA Requirement | CI/CD Control | Evidence Generated |
|---|---|---|
| Separate conflicting roles | Code review requirements | Pull request history |
| Prevent self-approval | Approval rules enforced by pipeline | Approval records |
| Control release authority | Separate build and deploy permissions | Pipeline role mapping |
| Log overrides and exceptions | Exception logging | Override audit logs |
Article 21(2)(c) — Logging and Monitoring
| DORA Requirement | CI/CD Control | Evidence Generated |
|---|---|---|
| Monitor ICT system activity | Full pipeline execution logging | Execution logs |
| Detect security-relevant events | Failed controls and anomaly alerts | Security alerts |
| Retain logs securely | Centralized log storage | Retention configuration |
| Support investigations | Immutable audit trails | Forensic-ready logs |
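The "Immutable audit trails" row above is usually implemented as an append-only, hash-chained log whose head is anchored outside the pipeline's own storage. The following is an added example (not the page's or any product's own tooling) showing the chaining, the verification an investigator would run, and the one failure mode a chain alone cannot catch: truncation followed by a clean re-append by a writer who also controls the stored head. The event records are constructed samples shaped like the evidence in the tables.

```python
"""Tamper-evident pipeline audit trail (added example, not the page's own tooling).

Each appended record hashes its own content together with the hash of the
previous record, so editing, reordering or deleting a stored record breaks the
chain. The head hash is expected to be anchored outside the pipeline's own
storage (e.g. copied periodically to a write-once bucket): without the anchor,
a writer who controls the whole log can truncate it and re-append cleanly.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev-hash of the first record


def _canonical(obj: dict) -> bytes:
    # Deterministic serialisation: key order and whitespace must not change the hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _record_hash(seq: int, prev: str, event: dict) -> str:
    return hashlib.sha256(_canonical({"seq": seq, "prev": prev, "event": event})).hexdigest()


def append_event(chain: list[dict], event: dict) -> dict:
    """Append a pipeline event and return the stored record (with its hash)."""
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": seq, "prev": prev, "event": event, "hash": _record_hash(seq, prev, event)}
    chain.append(record)
    return record


def verify_chain(chain: list[dict]) -> tuple[bool, str]:
    """Recompute every link; returns (ok, reason)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i:
            return False, f"sequence gap at position {i}"
        if rec["prev"] != prev:
            return False, f"broken link at seq {i}"
        if rec["hash"] != _record_hash(i, prev, rec["event"]):
            return False, f"content or hash altered at seq {i}"
        prev = rec["hash"]
    return True, "ok"


def verify_against_anchor(chain: list[dict], anchored_head: str) -> tuple[bool, str]:
    """Chain integrity plus a check that the stored head equals an externally anchored
    head; this is what detects truncation or wholesale regeneration of the log."""
    ok, reason = verify_chain(chain)
    if not ok:
        return ok, reason
    head = chain[-1]["hash"] if chain else GENESIS
    if head != anchored_head:
        return False, "head hash does not match external anchor"
    return True, "ok"


# Constructed sample events, shaped like the evidence the tables call for.
SAMPLE_EVENTS = [
    {"type": "pr_approved", "pr": 482, "by": "bob", "ts": "2024-05-02T09:14:00Z"},
    {"type": "build", "run": "run-9921", "commit": "3f9c1a7", "digest": "sha256:constructed"},
    {"type": "gate", "run": "run-9921", "decision": "ALLOW", "policy": "release-gate-v3"},
    {"type": "deploy", "run": "run-9921", "env": "production", "by": "ci/deploy-prod"},
]


def build_sample_chain() -> list[dict]:
    chain: list[dict] = []
    for event in SAMPLE_EVENTS:
        append_event(chain, event)
    return chain


def tamper_decision(chain: list[dict]) -> list[dict]:
    """Simulate someone rewriting a recorded gate decision in stored evidence."""
    tampered = json.loads(json.dumps(chain))  # deep copy of the stored records
    tampered[2]["event"]["decision"] = "DENY"
    return tampered


def truncate_and_regrow(chain: list[dict]) -> list[dict]:
    """Drop the deploy record and re-append a different one. The chain stays internally
    consistent; only the external anchor reveals the substitution."""
    regrown = json.loads(json.dumps(chain[:-1]))
    append_event(regrown, {"type": "deploy", "run": "run-9921", "env": "staging", "by": "ci/deploy-prod"})
    return regrown


if __name__ == "__main__":
    chain = build_sample_chain()
    anchor = chain[-1]["hash"]  # in practice: published to a store pipeline writers cannot modify
    print("original:", verify_against_anchor(chain, anchor))
    print("edited  :", verify_against_anchor(tamper_decision(chain), anchor))
    regrown = truncate_and_regrow(chain)
    print("regrown :", verify_chain(regrown), verify_against_anchor(regrown, anchor))
```

The anchor is the part auditors should ask about: a hash chain stored next to the pipeline is tamper-evident only against someone who can edit records but not recompute the whole chain, so the head hash needs to be copied on a schedule to storage that pipeline service accounts cannot write (a write-once bucket, a ticket, or a transparency log).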
Article 21(2)(d) — Change Management & Integrity
| DORA Requirement | CI/CD Control | Evidence Generated |
|---|---|---|
| Control changes to ICT systems | Mandatory CI/CD pipelines | Deployment history |
| Ensure integrity of changes | Artifact signing and verification | Signature metadata |
| Trace changes end-to-end | Source → pipeline → artifact linkage | Provenance records |
| Prevent unauthorized deployments | Policy gates and approvals | Gate enforcement logs |
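The Segregation of Duties table and the Change Management & Integrity table both come down to one enforcement point: a gate that runs in the deploy job and refuses to proceed unless the approval, provenance and signature checks pass, while emitting the per-check record the evidence column asks for. The following is an added example of such a gate (not the page's own tooling and not any vendor's API). The pull request, provenance and signature structures are constructed stand-ins for what a pipeline would fetch from the SCM API, a provenance attestation such as SLSA, and a signing tool; the HMAC signature is a stand-in for an asymmetric signature, and `TRUSTED_BUILDERS` and the key are assumed values.

```python
"""Pre-deployment release gate (added example; not the page's or any vendor's tooling).

Enforces three controls before a deploy job may run:
  * segregation of duties: at least one approval from someone other than the author
  * integrity and traceability: the artifact about to ship is the one a trusted
    builder attested, built from the commit the reviewed pull request merged
  * unauthorised deployment: the artifact carries a valid signature
The HMAC here stands in for an asymmetric signature (e.g. cosign); the key and
builder allow-list are assumed values for the example.
"""
import hashlib
import hmac
import json

TRUSTED_BUILDERS = frozenset({"ci/build-prod"})          # assumed allow-list
SIGNING_KEY = b"constructed-demo-key-not-for-production"  # assumed; never ship an HMAC key like this


def artifact_digest(artifact: bytes) -> str:
    return "sha256:" + hashlib.sha256(artifact).hexdigest()


def sign_digest(digest: str) -> str:
    # Stand-in for the signing tool; in practice the gate holds only a verification key.
    return hmac.new(SIGNING_KEY, digest.encode(), "sha256").hexdigest()


def evaluate_release_gate(pr: dict, provenance: dict, artifact: bytes, signature: str) -> dict:
    """Return the gate decision plus a per-check evidence record for the audit log."""
    digest = artifact_digest(artifact)
    approvers = {a["by"] for a in pr["approvals"] if a["state"] == "APPROVED"}
    checks = [
        ("segregation_of_duties", bool(approvers - {pr["author"]}),
         "at least one APPROVED review from someone other than the PR author"),
        ("source_linkage", provenance["source_commit"] == pr["merge_commit"],
         "provenance source commit equals the reviewed PR's merge commit"),
        ("trusted_builder", provenance["builder_id"] in TRUSTED_BUILDERS,
         "artifact was built by an allow-listed builder identity"),
        ("artifact_linkage", provenance["subject_digest"] == digest,
         "digest of the artifact being deployed equals the attested subject digest"),
        ("signature_valid", hmac.compare_digest(sign_digest(digest), signature),
         "artifact signature verifies"),
    ]
    failed = [name for name, ok, _ in checks if not ok]
    return {
        "decision": "DENY" if failed else "ALLOW",
        "pr": pr["number"],
        "artifact": digest,
        "failed_checks": failed,
        "checks": [{"name": n, "passed": ok, "requirement": why} for n, ok, why in checks],
    }


# Constructed sample inputs.
ARTIFACT = b"constructed release artifact v1.4.2"
GOOD_PR = {
    "number": 482, "author": "alice", "merge_commit": "3f9c1a7",
    "approvals": [{"by": "bob", "state": "APPROVED"}],
}
GOOD_PROVENANCE = {
    "source_commit": "3f9c1a7", "builder_id": "ci/build-prod",
    "subject_digest": artifact_digest(ARTIFACT),
}
GOOD_SIGNATURE = sign_digest(artifact_digest(ARTIFACT))


def sample_allow() -> dict:
    return evaluate_release_gate(GOOD_PR, GOOD_PROVENANCE, ARTIFACT, GOOD_SIGNATURE)


def sample_self_approval() -> dict:
    """Author approves their own PR and nobody else does: must be DENY."""
    pr = dict(GOOD_PR, approvals=[{"by": "alice", "state": "APPROVED"}])
    return evaluate_release_gate(pr, GOOD_PROVENANCE, ARTIFACT, GOOD_SIGNATURE)


def sample_swapped_artifact() -> dict:
    """Artifact replaced after the build: digest matches neither provenance nor signature."""
    return evaluate_release_gate(GOOD_PR, GOOD_PROVENANCE, ARTIFACT + b"-patched", GOOD_SIGNATURE)


if __name__ == "__main__":
    for case in (sample_allow, sample_self_approval, sample_swapped_artifact):
        result = case()
        print(case.__name__, result["decision"], result["failed_checks"])
        print(json.dumps(result["checks"], indent=2))
```

Two caveats a reviewer would raise against this as written. First, the approval set should exclude reviews dismissed by later pushes; most SCM APIs expose that state, and a gate that counts stale approvals lets an author push unreviewed commits after the review. Second, the `trusted_builder` check is only meaningful if the provenance document is itself signed by that builder and verified before the gate reads it; the stand-in above trusts the provenance dictionary as given.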
Article 21(2)(e) — Resilience, Backup, and Recovery
| DORA Requirement | CI/CD Control | Evidence Generated |
|---|---|---|
| Ensure system resilience | Hardened, isolated build environments | Environment configuration |
| Prevent single points of failure | Redundant CI/CD components | Architecture documentation |
| Enable recovery mechanisms | Rollback and redeploy workflows | Recovery logs |
| Protect configurations | Secure backup of pipeline config | Backup records |
Article 21(2)(f) — Continuous Improvement
| DORA Requirement | CI/CD Control | Evidence Generated |
|---|---|---|
| Review ICT risk posture | Periodic pipeline security reviews | Review reports |
| Update controls as needed | Pipeline configuration changes | Change logs |
| Improve detection and prevention | Tool updates and rule tuning | Version history |
| Align with evolving threats | Threat-informed pipeline updates | Risk assessments |
How Auditors Use These Tables
- Validate that each requirement is technically enforced by the pipeline, not only described in policy
- Identify where CI/CD contributes to ICT risk management and where controls still live outside the pipeline
- Request the specific evidence artifacts each control generates (the third column) rather than generic attestations
- Assess whether controls are applied consistently and repeatably across pipelines and over time