DORA Firewall Compliance: What Financial Institutions Must Document in 2026

The FwChange Team · 10 min read

DORA firewall compliance became mandatory for EU financial institutions on January 17, 2025. The Digital Operational Resilience Act requires banks, insurance companies, investment firms, and their ICT service providers to document every network change with formal approval workflows and complete audit trails. If your firewall changes are not tracked, tested, and approved through a structured process, you are already non-compliant.

Unlike sector-specific standards, DORA is an EU regulation with direct applicability — no national transposition needed. This means consistent DORA firewall compliance requirements across all 27 member states, enforced by national financial supervisory authorities like BaFin in Germany, AMF in France, and FCA-equivalent bodies across Europe.

What Is DORA and Why Does It Affect Firewall Management

The Digital Operational Resilience Act (Regulation EU 2022/2554) establishes a unified framework for ICT risk management in the financial sector. It covers everything from incident reporting to third-party risk, but Chapter II — ICT Risk Management — is where DORA firewall compliance requirements hit hardest.

DORA applies to over 22,000 financial entities across the EU. This includes banks, credit institutions, payment institutions, insurance companies, investment firms, crypto-asset service providers, and critically — their ICT third-party service providers. If you manage firewalls for any of these entities, you are in scope.

Article 9 specifically mandates that financial entities implement policies and procedures to manage ICT changes in a controlled manner. Every firewall rule change, network modification, or security policy update must follow a formal firewall change management process with documented approvals and risk assessments.

7 Critical DORA Firewall Compliance Requirements

Based on DORA Articles 5-15 and the accompanying Regulatory Technical Standards (RTS) published by the European Banking Authority, here are the seven requirements that directly impact firewall operations.

1. Formal ICT Change Management (Article 9)

Every firewall change must go through a structured change management process. This includes pre-change risk assessment, documented approval by authorized personnel, testing in a non-production environment, and defined rollback procedures. Ad-hoc changes without documentation violate DORA firewall compliance requirements.

The regulation specifically requires that changes are recorded, tested, and approved before deployment. Emergency changes are permitted but must be retrospectively documented within a defined timeframe.

2. Complete Audit Trails (Article 8)

DORA requires financial entities to maintain comprehensive logs of all ICT activities. For firewalls, this means every rule addition, modification, deletion, and policy change must have a timestamped audit record showing who requested it, who approved it, what was changed, and why. These records must be available to supervisory authorities on request.

Manual spreadsheet tracking does not meet this standard. Automated DORA firewall compliance tools generate tamper-proof audit trails that satisfy regulator expectations. The audit trail must be retained for a minimum period defined by your national supervisory authority — typically five years.

3. Network Security Documentation (Article 7)

Financial entities must maintain up-to-date documentation of their network architecture, including all firewall configurations, security zones, and traffic flows. This goes beyond simple topology diagrams. DORA expects documented security policies that map to business functions and risk classifications.

A thorough firewall rule audit reveals undocumented rules, shadow policies, and configuration drift that would fail a DORA inspection. Your documentation must reflect the actual state of your firewall infrastructure at all times.
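The audit described above (documentation versus actual state) can be automated as a reconciliation step. The following is an added example, not FwChange code: it compares a live rule export against the documented baseline and the set of approved change records, flagging rules that were added or modified without a record, rules that vanished without one, and rules shadowed by an earlier, broader rule. The vendor-neutral rule shape, the rule names and the change ID `CHG-0042` are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Vendor-neutral rule shape assumed for this example (not a real export format)."""
    name: str
    action: str     # "allow" or "deny"
    proto: str      # "tcp", "udp" or "any"
    src: str        # source CIDR
    dst: str        # destination CIDR
    dport: tuple    # inclusive (low, high); (0, 65535) matches any port


ANY_PORT = (0, 65535)


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    if a.proto not in ("any", b.proto):
        return False
    sa, sb, da, db = _net(a.src), _net(b.src), _net(a.dst), _net(b.dst)
    if sa.version != sb.version or da.version != db.version:
        return False
    return (sb.subnet_of(sa) and db.subnet_of(da)
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])


def find_shadowed(rules):
    """Rules that can never match because an earlier rule fully covers them."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


def reconcile(live, baseline, approved):
    """Compare the live ruleset with the documented baseline and approved change records.

    `approved` maps rule names to the change record that authorised their
    addition, modification or removal.
    """
    live_by = {r.name: r for r in live}
    base_by = {r.name: r for r in baseline}
    report = {"undocumented": [], "documented": [], "modified": [], "missing": [],
              "shadowed": find_shadowed(live)}
    for name, rule in live_by.items():
        if name not in base_by:
            report["documented" if name in approved else "undocumented"].append(name)
        elif rule != base_by[name] and name not in approved:
            report["modified"].append(name)
    for name in base_by:
        if name not in live_by and name not in approved:
            report["missing"].append(name)
    return report


# Constructed sample data: documented baseline, live export, approved changes.
BASELINE_RULES = [
    Rule("allow-web", "allow", "tcp", "0.0.0.0/0", "10.10.1.0/24", (443, 443)),
    Rule("allow-dns", "allow", "udp", "10.0.0.0/8", "10.10.2.53/32", (53, 53)),
    Rule("deny-all", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", ANY_PORT),
]
LIVE_RULES = [
    Rule("allow-web", "allow", "tcp", "0.0.0.0/0", "10.10.1.0/24", (443, 443)),
    Rule("allow-ssh-tmp", "allow", "tcp", "0.0.0.0/0", "10.10.1.10/32", (22, 22)),  # no record
    Rule("allow-dns", "allow", "udp", "0.0.0.0/0", "10.10.2.53/32", (53, 53)),      # widened, no record
    Rule("allow-web-host", "allow", "tcp", "0.0.0.0/0", "10.10.1.20/32", (443, 443)),  # approved, but shadowed
    Rule("deny-all", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", ANY_PORT),
]
APPROVED_CHANGES = {"allow-web-host": "CHG-0042"}

if __name__ == "__main__":
    for category, items in reconcile(LIVE_RULES, BASELINE_RULES, APPROVED_CHANGES).items():
        print(f"{category}: {items}")
```

Each finding maps to a documentation gap: `undocumented` and `modified` rules have no change record to show an inspector, `missing` rules were removed outside the process, and `shadowed` rules are dead entries (here `allow-web-host` was approved but is already covered by `allow-web`), which is exactly the kind of stale policy a rule review should retire.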

4. Risk-Based Change Assessment (Article 8)

Before any firewall change is implemented, DORA requires a risk assessment proportionate to the change's potential impact. Opening a new port to the internet carries different risk than modifying an internal zone policy. Your DORA firewall compliance process must classify changes by risk level and apply appropriate review and approval workflows accordingly.

High-risk changes — those affecting internet-facing rules, critical application flows, or regulatory boundaries — require senior management approval. Low-risk changes can follow expedited processes. But every change, regardless of risk level, must be documented.
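The approval and audit-trail points above (Articles 8 and 9: risk-tiered approval, named requester and approvers, a timestamped record of what changed and why, tamper evidence) can be demonstrated in a small workflow. The following is an added example, not FwChange code or a DORA-mandated design: it classifies a proposed rule change into constructed tiers, applies a constructed approval matrix with a four-eyes check, and appends every event to a SHA-256 hash-chained log whose `verify()` fails if any earlier entry is altered. The role names, zone names, change IDs and timestamps are assumptions.

```python
import hashlib
import ipaddress
import json
from datetime import datetime, timezone

INTERNET = ipaddress.ip_network("0.0.0.0/0")
# Constructed approval matrix: roles that must sign off at each risk tier.
REQUIRED_ROLES = {"high": {"network-lead", "ciso"}, "low": {"network-lead"}}
# Constructed set of zones treated as regulatory boundaries.
CRITICAL_ZONES = {"dmz", "pci", "swift"}


def classify(change):
    """Return 'high' or 'low' (constructed tiers) for a proposed rule change."""
    src = ipaddress.ip_network(change["src"], strict=False)
    if change["action"] == "allow" and src == INTERNET:
        return "high"          # new exposure to the internet
    if change.get("zone") in CRITICAL_ZONES:
        return "high"          # touches a regulatory boundary
    return "low"


def approval_complete(risk, requester, approvals):
    """Four-eyes check: required roles present, and the requester did not self-approve."""
    roles = {a["role"] for a in approvals if a["user"] != requester}
    return REQUIRED_ROLES[risk] <= roles


class AuditLog:
    """Append-only, hash-chained record; editing any earlier entry breaks verify()."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, event, ts=None):
        body = {"seq": len(self.entries),
                "ts": ts or datetime.now(timezone.utc).isoformat(),
                "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
                **event}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self):
        prev = self.GENESIS
        for i, rec in enumerate(self.entries):
            body = {k: v for k, v in rec.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != expected:
                return False
            prev = rec["hash"]
        return True


def process_change(log, change, requester, approvals, ts=None):
    """Record the request, its classification and the decision; return the decision."""
    risk = classify(change)
    log.append({"event": "requested", "change": change, "by": requester, "risk": risk}, ts)
    ok = approval_complete(risk, requester, approvals)
    decision = {"change": change["id"], "risk": risk, "approved": ok,
                "approvers": sorted(a["user"] for a in approvals)}
    log.append({"event": "approved" if ok else "rejected", **decision}, ts)
    return decision


def demo():
    """Constructed sample: an internet-facing request missing CISO sign-off, then an internal one."""
    log = AuditLog()
    t0 = "2026-01-15T09:00:00+00:00"
    requests = [
        ({"id": "CHG-1001", "action": "allow", "proto": "tcp", "src": "0.0.0.0/0",
          "dst": "10.10.1.20/32", "dport": 443, "zone": "dmz",
          "justification": "Publish new customer portal"},
         "alice", [{"user": "bob", "role": "network-lead"}]),
        ({"id": "CHG-1002", "action": "allow", "proto": "tcp", "src": "10.20.0.0/16",
          "dst": "10.30.5.0/24", "dport": 5432, "zone": "internal",
          "justification": "Batch job needs database access"},
         "alice", [{"user": "bob", "role": "network-lead"}]),
    ]
    decisions = [process_change(log, c, r, a, t0) for c, r, a in requests]
    return log, decisions


if __name__ == "__main__":
    log, decisions = demo()
    for d in decisions:
        print(d)
    print("audit chain intact:", log.verify())
```

The log keeps the requester, approvers, risk tier and justification of every decision in order, and because each entry's hash covers the previous hash, a later edit to any record (for example changing who requested it) is detectable when the export is verified, which is the property "tamper-proof" refers to in the Article 8 section.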

5. ICT Third-Party Risk Management (Articles 28-30)

If a managed security service provider (MSSP) or cloud provider manages your firewalls, DORA holds your financial institution responsible for their compliance. Contractual arrangements must explicitly require that third parties follow your DORA firewall compliance standards, provide audit access, and maintain the same documentation standards.

This creates a chain of accountability. Your MSSP must demonstrate that firewall changes they make on your behalf follow formal change management processes with full audit trails.

6. Testing and Validation (Articles 24-25)

DORA mandates that financial entities test their ICT systems regularly, including network security controls. This means periodic firewall rule reviews, penetration testing of firewall configurations, and validation that implemented changes perform as intended.

For DORA firewall compliance, this translates to scheduled rule reviews at minimum annually, post-change validation testing, and documented results. Entities identified as significant must conduct threat-led penetration testing (TLPT) at least every three years, which includes testing firewall resilience.

7. Incident Reporting for Network Changes (Article 19)

If a firewall change causes an ICT-related incident — whether an outage, security breach, or service degradation — DORA requires reporting to supervisory authorities within strict timeframes. Initial notification within 4 hours, intermediate report within 72 hours, and a final report within one month.

Organisations with automated DORA firewall compliance processes can trace any incident back to the specific change that caused it, including who approved it and what risk assessment was performed. This is nearly impossible with manual processes.

How FwChange Automates DORA Firewall Compliance

FwChange was built by a security consultant with 17 years of enterprise firewall experience — including work with financial institutions subject to BaFin oversight. Every feature maps directly to a DORA firewall compliance requirement.

DORA Requirement → FwChange Feature

  • Formal change management: Structured request workflows with mandatory business justification, risk classification, and approval chains
  • Audit trails: Every change automatically generates a timestamped record with the full approval chain — exportable in seconds
  • Network documentation: Real-time visibility into firewall configurations across multi-vendor environments
  • Risk assessment: Built-in risk scoring for every change request with configurable approval thresholds
  • Policy drift detection: Automated drift detection catches unauthorized changes between audits
  • Vulnerability scanning: 18 automated security checks with threat intelligence integration

DORA firewall compliance becomes measurable with FwChange. Dashboards show open change requests, pending approvals, overdue reviews, and compliance status across your entire firewall estate. When BaFin or your external auditor requests documentation, you export a complete audit trail in seconds — not weeks.

DORA vs Other Compliance Frameworks

Financial institutions often face overlapping compliance requirements. Here is how DORA firewall compliance compares to other frameworks you may already follow.

Framework | Scope | Firewall focus | Enforcement
DORA | All EU financial entities + ICT providers | All ICT systems | National financial authorities (BaFin, AMF)
NIS2 | Essential & important entities across sectors | Network security broadly | National cybersecurity authorities (BSI)
PCI-DSS 4.0 | Card payment processors | Cardholder data environment only | QSA auditors, acquiring banks
TISAX | Automotive suppliers | Information security broadly | VDA audit providers

If you are a bank subject to both DORA and NIS2, DORA's firewall requirements are stricter and take precedence for ICT risk management. DORA is lex specialis — the sector-specific regulation overrides the general directive.

DORA Firewall Compliance Checklist

Use this checklist to assess your current DORA firewall compliance posture and identify gaps.

  • Formal change management policy covering all firewall modifications
  • Documented approval workflows with named responsible persons
  • Pre-change risk assessment procedure with classification levels
  • Automated audit trail generation for every change
  • Post-change validation and testing procedures
  • Up-to-date network architecture documentation
  • Firewall rule review schedule (minimum annually)
  • Third-party contractual clauses for MSSP-managed firewalls
  • Incident response procedures linked to change records
  • Supervisory reporting templates pre-configured

If you checked fewer than seven items, your institution has material gaps in DORA firewall compliance. The European Union Agency for Cybersecurity (ENISA) provides additional guidance on ICT risk management frameworks.

Frequently Asked Questions

Who must comply with DORA?

All EU financial entities including banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, and their critical ICT third-party service providers. Over 22,000 entities are in scope.

When did DORA take effect?

DORA took effect on January 17, 2025. Unlike directives such as NIS2, DORA is a regulation with direct applicability — no national transposition required. Financial entities must be compliant now.

What are the penalties for DORA non-compliance?

National supervisory authorities can impose administrative penalties and remedial measures. For critical ICT third-party providers, the lead overseer can impose periodic penalty payments of up to 1% of average daily worldwide turnover for each day of non-compliance, for up to six months.

Does DORA replace NIS2 for financial institutions?

DORA is lex specialis — it takes precedence over NIS2 for financial entities regarding ICT risk management. However, financial institutions may still need to comply with NIS2 for aspects not covered by DORA, particularly around broader supply chain security.

Automate Your DORA Firewall Compliance

DORA enforcement is active. Financial supervisory authorities across Europe are conducting inspections. FwChange gives you audit-ready firewall change management out of the box — built in Germany, hosted on EU infrastructure, fully GDPR-compliant.
