ANALYSIS OF THE IMPACT OF DIGITAL OPERATIONAL RESILIENCE ACT (DORA) REQUIREMENTS ON THE PROCESS OF SECURE SOFTWARE DEVELOPMENT
DOI: https://doi.org/10.28925/2663-4023.2025.28.852
Keywords: DORA; Secure SDLC; cyber resilience; ICT risk management; financial institutions; monitoring; incident response.
Abstract
The article provides a comprehensive analysis of the impact of the European Union’s Digital Operational Resilience Act (DORA) on the Secure Software Development Life Cycle (Secure SDLC) in the financial sector. In the context of the rapid digital transformation of banking, insurance and investment services, DORA establishes a new mandatory regulatory framework for digital operational resilience that covers a wide range of areas, including information and communication technology (ICT) risk management, mandatory reporting of serious cyber incidents, regular security testing, control of ICT service providers, and coordinated exchange of threat information between financial market participants. The paper discusses in detail the five key DORA requirements defined in the text of the Regulation, with an emphasis on their consistent integration into all stages of the Secure SDLC: initiation, planning, requirements analysis and architecture design, implementation, testing, deployment, technical support, modernization, and decommissioning. Particular attention is paid to the adoption of automated security testing tools (SAST, DAST, IAST), the use of anomalous activity detection systems (SIEM, UEBA), the introduction of a Software Bill of Materials (SBOM) to increase component transparency, and the development and implementation of incident response plans (IRP) and business continuity plans (BCP). A table aligning the key DORA articles with the relevant SDLC phases is proposed; it allows critical compliance points to be identified, security gaps to be reduced, and the implementation of digital resilience requirements to be optimized. The study examines modern approaches to integrating security practices into CI/CD pipelines, the importance of raising employees’ awareness of current cyber threats, and the formation of a security culture focused on proactive protection that continues after software deployment.
It is noted that compliance with DORA requirements should not be viewed solely as a response to regulatory pressure, but as a basis for the long-term transformation of corporate digital security in financial institutions. The results of the study are of interest to software developers, information security professionals, risk management professionals, regulators, and internal and external auditors seeking to ensure compliance with new regulatory requirements and strengthen the digital resilience of organizations in a high-risk environment.
License
Copyright (c) 2025 Євгеній Курій, Віталій Сусукайло, Анна Єрофеєва, Марта Нестерюк

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.