DORA Compliance
DORA ICT change management evidence, automated.
The Digital Operational Resilience Act requires EU financial institutions to maintain documented ICT change management processes with auditable evidence. MergeWhy captures this evidence automatically from your engineering workflow.
DORA enforcement has been live since January 2025. Financial institutions face supervisory action for non-compliance.
22,000+ EU financial entities
Jan 2025 enforcement date
Art. 9 change management
14 frameworks supported
Capabilities
Built for EU financial institutions.
Article 9 — ICT Change Management
DORA Article 9 requires financial entities to have a sound ICT change management process with documented evidence of authorization, testing, and rollback procedures. MergeWhy captures this evidence automatically for every code change.
Article 17 — Incident Reporting
Link ICT incidents to the code changes that caused them. MergeWhy creates an auditable chain from incident report to specific merge, with the complete decision trail: who approved it, what was tested, and what evidence existed.
Articles 24-25 — Testing Requirements
DORA mandates regular testing of ICT systems. MergeWhy captures CI/CD test results, security scans, and code coverage for every change — mapped to DORA testing requirements with per-control evaluation.
Evidence Vault for Regulatory Inspection
SHA-256 cryptographic sealing creates tamper-proof evidence that satisfies regulatory inspection requirements. Every Decision Evidence Record is immutable once sealed — auditors and regulators can verify integrity independently.
How It Works
Three steps to DORA-ready evidence.
Install the GitHub App
Connect your repositories in under 2 minutes. MergeWhy integrates with GitHub and GitLab for complete SCM coverage.
Merge as usual
Engineers change nothing. Every merge generates a Decision Evidence Record mapped to DORA ICT requirements with automatic gap detection.
Demonstrate compliance
Generate audit bundles with per-article evidence packages. The sealed evidence vault satisfies regulatory inspection requirements.
Coverage
Key DORA articles addressed.
Article 9
ICT Change Management
Documented change processes, authorization records, testing evidence, rollback procedures
Article 17
ICT Incident Reporting
Change-to-incident traceability, root cause evidence, timeline reconstruction
Articles 24-25
Digital Operational Resilience Testing
CI/CD test evidence, security scan results, coverage metrics per change
Article 5
ICT Risk Management Framework
Risk assessment per change, evidence-based risk scoring, gap detection and remediation tracking
Who It's For
DORA applies to all of these.
Get Started
DORA is already live. Your evidence trail starts now.
Start capturing ICT change management evidence today. Free for your first repository. GitHub and GitLab supported.