DORA → BSI IT-Grundschutz Mapping
Cross-reference mapping between DORA (Digital Operational Resilience Act) articles and BSI IT-Grundschutz building blocks.
DORA (Regulation (EU) 2022/2554) establishes digital operational resilience requirements for the EU financial sector and has applied since 17 January 2025. Each entry below gives a DORA article paragraph, a short summary of the requirement it states and, where the mapping lists them, the building blocks (Bausteine) of the BSI IT-Grundschutz-Kompendium that address it.
Art. 5(1)  Governance: internal governance and control framework that ensures effective and prudent management of ICT risk
Art. 5(2)  Governance: the management body defines, approves, oversees and is accountable for the ICT risk management framework
Art. 5(4)  Governance: members of the management body keep their ICT risk knowledge and skills up to date, including through regular training
Art. 6(1)  ICT risk management framework: sound, comprehensive and well-documented framework as part of the overall risk management system
Art. 8(1)  Identification: identify, classify and document all ICT-supported business functions, roles and responsibilities, and the information assets and ICT assets supporting them, including their dependencies
    IT-Grundschutz building blocks:
    APP.4.2 SAP ERP System
    OPS.1.1.6 Software Testing and Approvals
    SYS.1.1 General Server
    SYS.1.2.2 Windows Server 2012
    SYS.1.2.3 Windows Server
    SYS.1.3 Servers Running Linux and Unix
    SYS.2.1 General Client
    SYS.2.2.3 Clients Running Windows
Art. 8(2)  Identification: continuous identification of all sources of ICT risk, including risk exposure to and from other financial entities, and assessment of the cyber threats and ICT vulnerabilities relevant to the identified assets
Art. 9(2)  Protection: ICT security policies, procedures, protocols and tools that ensure resilience, continuity and availability of ICT systems and maintain the availability, authenticity, integrity and confidentiality of data at rest, in use and in transit
Art. 9(4)(a)  Protection: documented information security policy defining rules to protect the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets
    IT-Grundschutz building blocks:
    APP.3.1 Web Applications and Web Services
    APP.3.2 Web Servers
    APP.4.4 Kubernetes
    APP.7 Development of Custom Software
    CON.8 Software Development
    INF.2 Data Center and Server Room
    NET.1.1 Network Architecture and Design
    NET.1.2 Network Management
    NET.2.1 WLAN Operation
    NET.2.2 WLAN Use
    NET.3.1 Routers and Switches
    NET.3.2 Firewall
    NET.3.3 VPN
    OPS.1.1.1 General IT Operations
    SYS.1.1 General Server
    SYS.1.2.2 Windows Server 2012
    SYS.1.5 Virtualization
    SYS.1.6 Containerization
    SYS.1.8 Storage Solutions
    SYS.4.1 Printers, Copiers, and Multifunction Devices
Art. 9(4)(b)  Protection: sound network and infrastructure management structure following a risk-based approach, including mechanisms to isolate affected information assets in the event of a cyber-attack
Art. 9(4)(c)  Protection: policies limiting physical and logical access to information assets and ICT assets to what legitimate and approved functions require, with sound administration of access rights
Art. 9(4)(d)  Protection: strong authentication mechanisms and protection of cryptographic keys, with data encrypted according to approved data classification and ICT risk assessment results
Art. 9(4)(e)  Protection: documented ICT change management policies, procedures and controls covering software, hardware, firmware, systems and security parameters, so that every change is recorded, tested, assessed, approved, implemented and verified
Art. 10(1)  Detection: mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure
Art. 10(2)  Detection: detection mechanisms with multiple layers of control, defined alert thresholds and criteria that trigger incident response, including automatic alerting of incident response staff
Art. 11(1)  Response and recovery: comprehensive ICT business continuity policy as part of the overall business continuity policy
Art. 11(2)  Response and recovery: dedicated, documented arrangements, plans, procedures and mechanisms implementing the ICT business continuity policy (continuity of critical or important functions, rapid response, containment, impact estimation, communication and crisis management)
Art. 11(6)  Response and recovery: at least yearly testing of ICT business continuity plans and ICT response and recovery plans, and of the crisis communication plans established under Art. 14
Art. 12(1)  Backup policies and procedures (scope and minimum frequency of backups based on data criticality) and restoration and recovery procedures and methods
Art. 12(4)  Redundant ICT capacities adequate to ensure business needs (periodic testing of backup, restoration and recovery procedures is required by Art. 12(2))
Art. 13(1)  Learning and evolving: capabilities and staff to gather information on vulnerabilities, cyber threats and ICT-related incidents, in particular cyber-attacks, and to analyse their likely impact (post-incident reviews of major incidents follow under Art. 13(2))
Art. 17(1)  ICT-related incident management process to detect, manage and notify ICT-related incidents
Art. 17(3)  ICT-related incident management process elements: early warning indicators; procedures to identify, track, log, categorise and classify incidents by priority, severity and criticality of the affected services; assigned roles and responsibilities; communication, notification and internal escalation plans; reporting of at least major incidents to senior management; incident response procedures
Art. 18(1)  Classification of ICT-related incidents and determination of their impact (clients and counterparts affected, duration, geographic spread, data losses, criticality of services, economic impact)
Art. 19(1)  Reporting of major ICT-related incidents to the relevant competent authority
Art. 24(1)  Sound and comprehensive digital operational resilience testing programme, maintained and reviewed as part of the ICT risk management framework
Art. 24(6)  At least yearly testing of all ICT systems and applications supporting critical or important functions (tests are undertaken by independent internal or external parties under Art. 24(4))
Art. 25(1)  Testing of ICT tools and systems: vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, source code reviews, scenario-based tests, compatibility, performance and end-to-end testing, and penetration testing
Art. 26(1)  Advanced testing of ICT tools, systems and processes by threat-led penetration testing (TLPT), at least every three years for the entities identified by their competent authority
Art. 27(1)  Requirements for testers carrying out TLPT: suitability and reputation, technical and organisational capability, certification or adherence to formal codes of conduct, independent assurance on the tester's own risk management, professional indemnity insurance
Art. 28(1)  General principles for sound management of ICT third-party risk as an integral component of ICT risk; the financial entity remains fully responsible for compliance with all obligations under DORA
Art. 28(2)  Strategy on ICT third-party risk, including a policy on the use of ICT services supporting critical or important functions
Art. 28(3)  Register of information on all contractual arrangements on the use of ICT services provided by ICT third-party service providers
Art. 28(4)  Pre-contractual assessment: whether the arrangement covers a critical or important function, supervisory conditions, risks of the arrangement, due diligence on the provider, conflicts of interest
Art. 28(7)  Termination rights in contractual arrangements: significant breach, circumstances that could alter the performance of the contracted functions, evidenced weaknesses in the provider's ICT risk management, loss of effective supervision by the competent authority
Art. 28(8)  Exit strategies for ICT services supporting critical or important functions
Art. 30(1)  Key contractual provisions: rights and obligations clearly allocated and set out in writing, including service level agreements, in one written document
Art. 30(2)  Minimum provisions for all arrangements: description of functions and services, locations, data protection, access, recovery and return of data, service levels, incident assistance, cooperation with competent and resolution authorities, termination rights and notice periods, participation in security awareness and resilience training
Art. 30(3)  Additional provisions for critical or important functions: quantitative and qualitative service level targets, notice periods and reporting obligations, contingency plan and security measure requirements, participation in TLPT, unrestricted access, inspection and audit rights, exit strategies with an adequate transition period
These mappings are provided for reference and do not replace a professional compliance assessment. A mapped building block only contributes to DORA compliance if its requirements are implemented and verified for the ICT assets in scope, in particular those supporting critical or important functions; the cross-reference itself is not evidence. Note also that SYS.1.2.2 covers Windows Server 2012, which has been out of Microsoft extended support since October 2023, so systems still running it are a finding in their own right rather than a covered asset.