
FAQ: The Impact of the Digital Operational Resilience Act (DORA) on Java Investments

On 17 January 2025 the EU will enforce the Digital Operational Resilience Act (DORA) which will subject financial sector organizations out of compliance to hefty corporate fines and individuals to criminal penalties. As European financial institutions race to comply with DORA, we’ve assembled this FAQ to help IT, security and compliance leaders understand what this regulation means, how it pertains to your Java investments, and what you can do to help ensure your organization is in compliance.

What is DORA?

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, is a key piece of European Union legislation focused on strengthening the resilience of the financial sector against digital operational risks, such as cyber attacks and other ICT-related disruptions.  

DORA is part of the broader Digital Finance Package introduced by the European Commission to enable innovation and competition in the financial sector while ensuring its security and resilience. It is focused on enhancing ICT risk management, strengthening cybersecurity, ensuring continuity and recovery, managing risks arising from dependencies on third-party ICT service providers, and incident reporting. 

When do I need to comply with DORA? 

Regulation for all financial sector institutions will apply on 17 January 2025. 

Why was DORA implemented? 

By addressing digital threats in the financial sector, DORA was implemented to ensure that financial institutions can withstand, respond to, and recover from all types of ICT-related disruptions and threats, such as cyberattacks. Ultimately, DORA protects the stability and integrity of the EU financial system. 

Which financial sector institutions are impacted by DORA?

All EU financial entities including banks, e-money and payment institutions, asset managers, insurance and re-insurance, and trading exchanges.

What are the penalties for non-compliance? 

Companies are subject to fines of up to 2% of their annual turnover, as well as administrative repercussions, license revocation, and brand degradation. Individuals face criminal penalties of up to €1,000,000.

What are the key regulatory tenets of DORA?

1. ICT Risk Management: Financial institutions must implement comprehensive risk management frameworks to identify, assess, and mitigate ICT-related risks.

2. Incident Reporting: Entities must report major ICT-related incidents to the competent authorities within tight deadlines.

3. Digital Operational Resilience Testing: Regular testing of ICT systems, including penetration testing, is required to ensure operational resilience. Additionally, critical third-party ICT service providers will be subject to oversight.

4. Third-Party Risk Management: Institutions must carefully manage and monitor risks associated with third-party ICT service providers, including cloud services.

5. Information Sharing: DORA encourages financial entities to share information on cyber threats and vulnerabilities to improve collective resilience.

How does DORA pertain to Java investments and applications? 

DORA significantly impacts investments by the financial sector in Java, because of its emphasis on secure and resilient software. 

Azul is the only commercially supported OpenJDK distribution which provides stabilized, security-only updates and patches to address vulnerabilities swiftly, which is crucial for protecting financial systems under DORA’s stringent cybersecurity mandates. 

What distributions of Java (OpenJDK) are impacted by DORA? 

In short: all Java platforms whether Oracle Java SE or free, unsupported distributions of OpenJDK are impacted by DORA because of the regulation’s emphasis on secure and resilient software. 

It’s important that organizations select a commercially supported version of Java. Furthermore, only Azul provides a commercially supported OpenJDK distribution with stabilized, security-only updates and patches quarterly and as necessary off-cycle as identified to address vulnerabilities swiftly. This includes legacy versions like Java 6 & 7 and architectures like Windows x86 32-bit. 

What are the consequences of using unsupported OpenJDK distributions? 

Non-compliance with DORA can have a serious impact on your organization and the individuals responsible for your Java investments. This includes: 

  • Security Risks: Unsupported distributions do not receive timely security-only updates, leaving systems vulnerable to cyberattacks and breaches. 
  • Compliance Issues: Lack of support can lead to non-compliance with regulatory requirements like DORA, potentially resulting in fines and reputational damage. 
  • Operational Instability: Unsupported distributions might not receive performance improvements or critical bug fixes, leading to system outages and degraded performance. 
  • Inaccurate Testing: Outdated Java environments can cause testing environments to be less accurate, leading to vulnerabilities being missed in resilience tests. 

What are the five steps I can take to comply with DORA? 

By implementing the following five steps to comply with DORA, financial organizations can safely strengthen their digital operational resilience. 

1. Develop and Implement an ICT Risk Management Framework 

  • Chapter: DORA, Chapter II: ICT Risk Management 
  • Relevant Articles: Articles 6(1-3), 8(1) 
  • Explanation: Chapter II mandates a strong ICT risk management framework. Unsupported OpenJDK distributions can expose financial institutions to significant risks, such as unpatched security vulnerabilities and performance issues. Azul is the only commercially supported OpenJDK distribution to provide stabilized, security-only patches across Java versions, operating systems and architectures to help ensure that Java applications remain resilient and compliant with ICT risk management requirements. 

2. Establish an Incident Reporting Mechanism 

  • Chapter: DORA, Chapter III: ICT-related Incident Reporting 
  • Relevant Articles: Articles 17(1), 18(1) 
  • Explanation: Chapter III focuses on timely incident reporting. Unsupported OpenJDK distributions may not receive critical updates or fixes, leading to unreported and unnoticed incidents, which can result in non-compliance. Azul Intelligence Cloud provides continuous support and monitoring of vulnerabilities and unused & dead code in production, helping organizations quickly and accurately detect, report, and remediate critical vulnerabilities and helping to ensure compliance with DORA. 

3. Conduct Regular and Rigorous Testing of ICT Systems 

  • Chapter: DORA, Chapter IV: Digital Operational Resilience Testing 
  • Relevant Articles: Articles 24(1), 24(2), 25(1) 
  • Explanation: Chapter IV requires regular testing of ICT systems. Using outdated or vulnerable versions of Java may not accurately reflect production environments, leading to false security assumptions. Azul provides up-to-date, tested Java distributions including for legacy versions like Java 6 & 7, enabling reliable and accurate testing environments for financial institutions. 

4. Enhance Third-Party Risk Management Practices 

  • Chapter: DORA, Chapter V: Management of ICT Third-Party Risk 
  • Relevant Articles: Article 28(2) 
  • Explanation: Chapter V addresses third-party ICT risks. Relying on unsupported OpenJDK distributions from third parties increases the risk of security breaches and operational failures. Azul’s fully supported builds of Java help ensure that third-party Java-based applications and services meet the highest security and performance standards, reducing third-party risks. 

5. Facilitate Information Sharing on Cyber Threats 

  • Chapter: DORA, Chapter VI: Information Sharing Arrangements 
  • Relevant Articles: Article 45(1) 
  • Explanation: Chapter VI encourages sharing information on cyber threats. Unsupported Java may miss critical updates and patches, relegating those applications and services as a weak link in the information-sharing chain. By using Azul’s supported Java distributions, organizations can help ensure they are aware of the latest vulnerabilities and can share relevant threat information with other entities to enhance collective cybersecurity. 

For a more detailed explanation of the provisions that point towards the use of supported OpenJDK distributions by financial institutions to mitigate risk and promote resilience, please refer to: https://foojay.io/today/unsupported-openjdk-distributions-are-at-risk-of-non-compliance-with-dora/  

Why is Azul uniquely positioned to support my Java investments? 

Azul’s technologies and expertise are second to none in helping to ensure that financial institutions using Java can become and remain compliant with DORA by providing a secure, supported, and stable Java platform, mitigating the risks associated with unsupported OpenJDK distributions.  

Azul’s 100% focus on Java, including security features, comprehensive testing, and compatibility with modern architectures and cloud environments, provides the secure and stable Java platform demanded by DORA and helps ensure financial applications remain operational during disruptions. 

Additionally, Azul’s commitment to long-term support and regular updates across Java versions, operating systems and architectures, including its extended support for Java 6 and 7 (still commonly deployed at financial institutions and offered only by Azul), uniquely helps to mitigate risks associated with third-party dependencies and meet DORA’s high security standards. 

Are there tools to continuously monitor my Java investments for non-compliance and security vulnerabilities? 

Azul Intelligence Cloud continuously detects known vulnerabilities in Java applications, which is critical for DORA’s reporting and incident response requirements. 

With uniquely advanced monitoring tools and detailed logging mechanisms, Java applications on Azul’s platform provide real-time insights and retain history focused on detecting vulnerabilities as well as unused & dead code, enabling financial entities to detect, report, and respond to vulnerabilities promptly. 

What is the impact of DORA on non-EU financial organizations? 

While the primary focus of DORA is on EU-based entities, its impact extends beyond the EU’s borders, particularly to financial organizations outside the EU that have business ties with the region. 

Here’s how DORA impacts financial organizations outside the EU: 

  1. Third-Party Service Providers – Providers that serve EU financial institutions must comply with DORA requirements even if they are based outside the EU.
  2. Cross-Border Operations – Non-EU financial organizations with subsidiaries or branches in the EU must ensure that these entities comply with DORA.
  3. Competitive Pressure – To maintain or gain access to the EU market, non-EU financial organizations must align with DORA’s requirements. Failure to comply might restrict their ability to operate within the EU or provide services to EU-based clients. Likewise, organizations that proactively comply with DORA may gain a competitive edge by being seen as trustworthy and secure partners, and conversely face reputational risk if they do not.
  4. Indirect Impact Through Business Relationships – Non-EU organizations may incur operational costs to comply with DORA, as well as operational and legal expenses to comply with or renegotiate contracts with their EU counterparts.
  5. Global Regulatory Influence – DORA could set a precedent for other jurisdictions to adopt similar regulatory frameworks, creating a broader wave of operational resilience regulations globally, beyond just the EU.
  6. Impact on Financial Services Market – DORA’s stringent requirements may act as a barrier to entry for smaller or less-resourced non-EU financial firms seeking to enter the EU market, potentially limiting competition. Likewise, DORA could slow down innovation as non-EU fintech firms take a more cautious approach to launching new products or services in the EU. 

For more information, please refer to the “The Impact of the EU DORA Act on Non-EU Financial Organizations” blog post. 

How are performance and non-vulnerability software disruption relevant to DORA compliance? 

Azul’s specialized focus on Java performance and reliability aligns with DORA’s continuity planning and disaster recovery emphasis. Azul Platform Prime’s OpenJDK distribution is optimized for high-performance and stability, helping to ensure financial applications remain operational during software downtime and performance disruptions.  

For more information, please refer to the “The Impact of the Digital Operational Resilience Act (DORA) on Java Investment with Azul” blog post. 

DORA Terminology

ICT 

Information Communication Technologies is the infrastructure and components to transmit, store, create or exchange information, including related services such as cloud platform and data analytics services.

OpenJDK 

The Open Java Development Kit is an open-source implementation of the Java Platform, Standard Edition (Java SE).

TCK 

A Technology Compatibility Kit is a suite of tests provided by Oracle to its Java platform partners to verify that an OpenJDK distribution is compliant with the Java Specification Request (JSR), ensuring that an organization's Java applications and services can run without modification.
