DORA Compliance Architecture: CI/CD as a Regulated ICT System

The Digital Operational Resilience Act (DORA) introduces a fundamental shift in how regulated organizations must design, operate, and govern their ICT systems. Under DORA, compliance is no longer limited to policies or periodic controls—it must be embedded directly into technical architectures and operational workflows.

This article provides a conceptual and architectural explanation of how CI/CD pipelines fit into the DORA compliance model. It explains why modern software delivery pipelines must be treated as regulated ICT systems, how security and resilience controls are expected to operate across the software lifecycle, and where DORA requirements intersect with DevSecOps practices.

The goal of this article is understanding: it clarifies the architectural intent behind DORA, introduces key concepts such as policy enforcement, evidence-by-design, and operational traceability, and helps readers build the right mental model before moving into implementation or audit preparation.


Under DORA, CI/CD pipelines are no longer simple engineering tools—they are regulated ICT systems that directly affect operational resilience, security, and regulatory compliance. As such, they must be designed, governed, and audited with the same rigor as production platforms.

This article defines the reference DORA compliance architecture used throughout Regulated DevSecOps. It describes how CI/CD pipelines function as controlled ICT systems under DORA, how technical controls enforce regulatory requirements across the delivery lifecycle, and how auditable evidence is generated by design.

The focus of this article is implementation and governance. It provides a structured architectural model aligned with DORA's ICT risk management requirements (Chapter II, Articles 5 to 16), serving as the foundation for related deep dives, control mappings, evidence packs, and audit preparation guides published on this site.


Why Architecture Matters for DORA Compliance

DORA does not prescribe specific technologies. Instead, it focuses on outcomes: risk control, resilience, traceability, and accountability. Architecture plays a crucial role in translating these regulatory expectations into concrete technical implementations.

A well-defined compliance architecture ensures that:

  • ICT risk controls are consistently enforced
  • Responsibilities are clearly assigned
  • Evidence is generated continuously
  • Audits can be supported without ad-hoc remediation

CI/CD pipelines sit at the intersection of development, operations, and governance, making them a natural anchor point for DORA-aligned architecture.


High-Level DORA Compliance Architecture Overview

The DORA compliance architecture is structured around three core layers:

  1. Governance and ICT Risk Management
  2. CI/CD Pipelines as Regulated Systems
  3. Production and Operational Controls

These layers are supported by cross-cutting evidence and monitoring capabilities that ensure continuous compliance rather than point-in-time validation.

[Diagram: DORA Compliance Architecture, CI/CD as Regulated ICT System. Three panels, left to right: Governance / ICT Risk Management (risk identification, policies and oversight); CI/CD Pipeline enforcement (access control and segregation of duties, change approval and policy gates, security testing and integrity checks); Production and Operations (runtime monitoring, incident response). A cross-cutting band labelled Continuous Compliance Evidence spans all three: audit logs, approvals and SoD, artifact provenance, monitoring events, retention and reporting.]
How CI/CD pipelines enforce DORA's ICT risk management controls (Chapter II) and generate continuous compliance evidence.

How to Read This Diagram

The diagram is read from left to right, representing the flow of control and responsibility across the software delivery lifecycle:

  1. Governance & ICT Risk Management
  2. CI/CD Pipelines as Regulated Systems
  3. Production & Operations

A cross-cutting evidence layer spans all components, highlighting the continuous generation of audit-ready evidence.


Governance and ICT Risk Management Layer

The governance layer anchors the architecture (the leftmost panel in the diagram). It defines how ICT risks are identified, assessed, and managed in accordance with DORA.

This layer includes:

  • ICT risk management frameworks
  • Policies and standards applicable to software delivery
  • Ownership and accountability models
  • Oversight and review mechanisms

CI/CD pipelines must be explicitly included in ICT system inventories and risk assessments. Excluding pipelines from scope is a common gap observed during DORA readiness assessments.


CI/CD Pipelines as Regulated ICT Systems

In a DORA-compliant architecture, CI/CD pipelines are treated as regulated systems with clearly defined controls and enforcement mechanisms.

Key architectural principles include:

  • Strong access control and segregation of duties
  • Mandatory use of CI/CD for all production changes
  • Automated policy enforcement and approval gates
  • Integrated security testing and integrity verification

By embedding these controls directly into CI/CD workflows, organizations ensure that compliance requirements are enforced consistently and automatically.


Change Management and Control Enforcement

DORA places strong emphasis on controlled change management. CI/CD pipelines are the primary mechanism for enforcing this requirement.

Architecturally, this means:

  • All production deployments are executed through CI/CD pipelines
  • Manual or out-of-band changes are technically prevented; where they cannot be (break-glass access), they are detected, logged, and reviewed as exceptions
  • Approvals are enforced technically rather than procedurally
  • Each change is traceable from source code to deployment

This approach provides strong guarantees of integrity and accountability, but only as far as the pipeline itself is protected: pipeline configuration, runner identities, and deployment credentials need the same access control and change approval as the production systems they touch, otherwise the gate can be bypassed by editing the pipeline rather than the application.
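The controls listed in the two preceding sections (mandatory pipeline use, artifact integrity, segregation of duties, mandatory security testing) are easiest to reason about as a single gate evaluated before every production deployment. The following is an added example written for this page, not code from the original article or from the site's own tooling; the ChangeRecord layout, the REQUIRED_TESTS list, the approval threshold and the two sample change records are assumptions made for illustration.

```python
"""Added example (not code from the original page or the site's own tooling): a
deployment policy gate for a CI/CD pipeline treated as a regulated ICT system.

The ChangeRecord layout, the REQUIRED_TESTS list, MIN_INDEPENDENT_APPROVALS and the
two sample change records are assumptions made for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ChangeRecord:
    change_id: str
    author: str                        # identity that authored the commit
    approvers: List[str]               # identities that approved the change
    deployer: str                      # identity that triggered the deployment
    via_pipeline: bool                 # False for console, SSH or kubectl changes made outside the pipeline
    source_commit: str
    artifact_digest: str               # sha256 of the artifact the deploy step is about to roll out
    build_attestation: Dict[str, str]  # what the build step recorded: commit built and digest produced
    security_tests: Dict[str, str]     # check name -> "pass" | "fail" | "skipped"


# Assumed organisational policy: these checks are mandatory and one approval must be
# independent of both the author and the person deploying.
REQUIRED_TESTS = ("sast", "dependency_scan", "secret_scan")
MIN_INDEPENDENT_APPROVALS = 1


def evaluate_gate(change: ChangeRecord) -> List[str]:
    """Return every control violation; an empty list means the change may deploy.
    All violations are collected (instead of failing on the first) so the evidence
    record carries a complete picture of why a deployment was blocked."""
    violations: List[str] = []

    # Mandatory use of CI/CD: anything not originating from the pipeline is out of band.
    if not change.via_pipeline:
        violations.append("OUT_OF_BAND: deployment did not originate from the CI/CD pipeline")

    # Integrity: the artifact being deployed must be the one the build step attested
    # for exactly this commit, so a swapped or rebuilt artifact cannot ride an old approval.
    att = change.build_attestation
    if att.get("source_commit") != change.source_commit:
        violations.append("INTEGRITY: build attestation refers to a different source commit")
    if att.get("artifact_digest") != change.artifact_digest:
        violations.append("INTEGRITY: artifact digest does not match the build attestation")

    # Segregation of duties: authors never approve their own change, and at least one
    # approval must come from someone who is neither the author nor the deployer.
    if change.author in change.approvers:
        violations.append("SOD: author approved their own change")
    independent = [a for a in change.approvers if a not in (change.author, change.deployer)]
    if len(independent) < MIN_INDEPENDENT_APPROVALS:
        violations.append(
            f"SOD: {len(independent)} approval(s) independent of author and deployer, "
            f"{MIN_INDEPENDENT_APPROVALS} required")

    # Security testing is a hard gate, not advisory: "skipped" or missing counts as a failure.
    for check in REQUIRED_TESTS:
        status = change.security_tests.get(check, "missing")
        if status != "pass":
            violations.append(f"TESTING: required check '{check}' has status '{status}'")

    return violations


def gate_decision(change: ChangeRecord) -> Dict[str, object]:
    """Produce the record the pipeline would log as evidence of the gate decision."""
    violations = evaluate_gate(change)
    return {"change_id": change.change_id, "allowed": not violations, "violations": violations}


# Constructed sample inputs (not real changes).
_ATTESTATION = {"source_commit": "3f9a1c2", "artifact_digest": "sha256:ab12cd34"}

COMPLIANT_CHANGE = ChangeRecord(
    change_id="CHG-1042", author="alice", approvers=["carol"], deployer="bob",
    via_pipeline=True, source_commit="3f9a1c2", artifact_digest="sha256:ab12cd34",
    build_attestation=_ATTESTATION,
    security_tests={"sast": "pass", "dependency_scan": "pass", "secret_scan": "pass"},
)

NONCOMPLIANT_CHANGE = ChangeRecord(
    change_id="CHG-1043", author="alice", approvers=["alice"], deployer="bob",
    via_pipeline=False, source_commit="3f9a1c2", artifact_digest="sha256:ffff0000",
    build_attestation=_ATTESTATION,
    security_tests={"sast": "pass", "dependency_scan": "pass", "secret_scan": "skipped"},
)

if __name__ == "__main__":
    for change in (COMPLIANT_CHANGE, NONCOMPLIANT_CHANGE):
        decision = gate_decision(change)
        print(decision["change_id"], "ALLOWED" if decision["allowed"] else "BLOCKED")
        for v in decision["violations"]:
            print("  -", v)
```

The point of the design is that every rule is a hard stop and every failure is named: a "skipped" scan is treated the same as a failed one, and the author appearing in the approver list is flagged even when other approvers exist. The returned decision record is what the evidence layer stores, so the audit trail shows not just that a deployment happened but which controls were evaluated for it.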


Continuous Evidence Generation

One of the most important aspects of DORA compliance architecture is evidence generation. Rather than collecting evidence manually during audits, the architecture ensures that evidence is produced continuously as a byproduct of normal operations.

CI/CD pipelines generate:

  • Execution logs and approval records
  • Security testing results
  • Artifact metadata and provenance
  • Deployment histories

This evidence is retained, centralized, and made available for audit and supervisory review. It must be written to storage that the pipeline's own service identities cannot alter or delete; otherwise whoever compromises the pipeline, or operates it with excessive privilege, can also rewrite its audit trail.
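One way to make evidence tamper-evident as it is generated, and to give an auditor the source-to-deployment trail for a single change, is to hash-chain the records the pipeline emits. The following is an added example written for this page, not code from the original article or the site's own tooling; the event names, payload fields and the sample events for change CHG-1042 are constructed for illustration.

```python
"""Added example (not code from the original page or the site's own tooling): an
append-only, hash-chained evidence log that a pipeline writes as a by-product of
each run, plus a verifier an auditor can run over the exported log.

The event names, payload fields and the sample events for change CHG-1042 are
constructed for illustration."""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64


def _canonical(record: Dict[str, object]) -> bytes:
    # Deterministic serialisation so the hash does not depend on key order or whitespace.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


class EvidenceLog:
    """Each entry commits to its own content and to the hash of the previous entry, so
    an edited, deleted or reordered record breaks the chain at that point."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, object]] = []

    def append(self, event: str, payload: Dict[str, object], ts: str) -> Dict[str, object]:
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "event": event,
                "payload": payload, "prev_hash": prev_hash}
        entry = dict(body, entry_hash=hashlib.sha256(_canonical(body)).hexdigest())
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, otherwise the seq of the first bad entry."""
        prev_hash = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if (entry["seq"] != i
                    or entry["prev_hash"] != prev_hash
                    or hashlib.sha256(_canonical(body)).hexdigest() != entry["entry_hash"]):
                return i
            prev_hash = entry["entry_hash"]
        return None

    def trace(self, change_id: str) -> List[str]:
        """Event sequence for one change: the source-to-deployment trail an auditor asks for."""
        return [e["event"] for e in self.entries
                if e["payload"].get("change_id") == change_id]

    def export(self) -> str:
        """JSON Lines form for shipping to central, write-once evidence storage."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def build_sample_log() -> EvidenceLog:
    """Constructed pipeline run for one change; timestamps and identities are made up."""
    log = EvidenceLog()
    c = "CHG-1042"
    log.append("source", {"change_id": c, "commit": "3f9a1c2", "author": "alice"},
               "2025-01-10T09:00:00Z")
    log.append("build", {"change_id": c, "commit": "3f9a1c2", "artifact_digest": "sha256:ab12cd34",
                         "runner": "ci-runner-07"}, "2025-01-10T09:04:12Z")
    log.append("security_test", {"change_id": c, "checks": {"sast": "pass", "dependency_scan": "pass",
                                 "secret_scan": "pass"}}, "2025-01-10T09:09:30Z")
    log.append("approval", {"change_id": c, "approver": "carol", "artifact_digest": "sha256:ab12cd34"},
               "2025-01-10T10:15:02Z")
    log.append("deployment", {"change_id": c, "artifact_digest": "sha256:ab12cd34", "env": "prod",
                              "deployer": "bob"}, "2025-01-10T10:20:45Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() is None)
    print("trail for CHG-1042:", " -> ".join(log.trace("CHG-1042")))
    # Simulate an after-the-fact edit: someone rewrites the approval to hide a SoD breach.
    log.entries[3]["payload"]["approver"] = "alice"
    print("first broken entry after tampering:", log.verify())
```

The chain only proves that the exported log was not altered after the fact; it does not stop a privileged pipeline identity from writing a false record in the first place. That is why the export should go to storage the pipeline can append to but not rewrite, and why the verifier is run from outside the pipeline. The artifact digest appearing in the build, approval and deployment events is what links the approval to the exact bytes that reached production.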


Production and Operational Controls

The architecture extends beyond delivery into production and operations. DORA requires organizations to demonstrate operational resilience across the entire lifecycle.

Production-layer controls include:

  • Runtime monitoring and alerting
  • Incident detection and response procedures
  • Rollback and recovery mechanisms
  • Controlled access to production systems

CI/CD pipelines integrate with these controls to support resilience and rapid response.


Cross-Cutting Controls and Evidence

Across all architectural layers, certain controls apply universally:

  • Logging and monitoring
  • Audit trails
  • Evidence retention and reporting
  • Continuous review and improvement

These cross-cutting controls ensure that compliance is sustained over time and not dependent on manual effort.


Mapping the Architecture to DORA's ICT Risk Management Requirements

DORA's ICT risk management obligations are set out in Chapter II (Articles 5 to 16); Article 21 of the regulation concerns the centralisation of major ICT-related incident reporting, not risk management. This architecture supports the Chapter II requirements by embedding ICT risk management controls into technical systems.

CI/CD pipelines contribute to:

  • Risk identification and prevention (Articles 8 and 9)
  • Access control and segregation of duties (Article 9)
  • Change management and integrity (Article 9)
  • Logging, monitoring, and detection (Article 10)
  • Resilience, recovery, and continuous improvement (Articles 11 and 13)

The result is an operational interpretation of these requirements that auditors can verify through technical evidence.


Common Architectural Pitfalls

Organizations often encounter the following issues:

  • CI/CD pipelines treated as non-regulated tooling
  • Excessive privileges granted to automation
  • Optional or advisory security controls
  • Insufficient evidence retention
  • Weak linkage between governance and technical enforcement

Addressing these pitfalls early significantly reduces regulatory risk.


Why This Architecture Matters for DORA

DORA does not require organizations to document compliance after the fact. It requires them to operate securely and resiliently at all times.

This architecture translates DORA's Chapter II ICT risk management requirements into:

  • Technical enforcement instead of procedural controls
  • Continuous evidence instead of periodic audits
  • Operational resilience instead of reactive remediation

CI/CD pipelines become compliance assets rather than audit risks.


Conclusion

DORA compliance cannot be achieved through documentation alone. It requires an architecture that embeds risk management, governance, and evidence generation directly into technical systems.

By treating CI/CD pipelines as regulated ICT systems, organizations can enforce DORA requirements continuously, improve operational resilience, and demonstrate compliance with confidence. A well-designed DORA compliance architecture transforms CI/CD from an audit risk into a compliance asset.

