DORA (Regulation 2022/2554, applicable since 17 January 2025) sets ICT risk-management
requirements for credit institutions, investment firms, crypto-asset providers, and
other financial entities. The four chapter-III articles below carry the operational
ICT-security content; nixfleet-compliance covers each via the named controls.

| Article | Requirement | Controls |
|---|---|---|
| Art. 8 | ICT asset management & change/patch management | _asset-inventory, _change-management, _vulnerability-mgmt |
| Art. 9 | ICT access control, authentication, network segmentation | _access-control, _authentication, _network-segmentation |
| Art. 12 | Backup & recovery, business continuity | _backup-retention, _disaster-recovery |
| Art. 17 | ICT incident management | _incident-response |

Canonical control source: docs/dora-mapping.md in the compliance repo.