
DORA

The Digital Operational Resilience Act (DORA) requires financial entities to manage ICT risk, test resilience, and maintain exit strategies for third-party providers. Apiway’s architecture directly supports these requirements.

DORA requires entities to identify, protect against, detect, respond to, and recover from ICT-related incidents.

How Apiway addresses this:

  • Drift analysis — The compliance service continuously validates that your APIs match their specifications. Architectural drift is detected before it becomes a risk.
  • Risk classification — WAF violations, authentication failures, and rate limit breaches are classified by severity in real time.
  • Automated remediation — Blue-green revisions enable instant rollback. Discard a problematic deployment without affecting live traffic.

DORA mandates managing risks from ICT third-party service providers.

How Apiway addresses this:

  • External API governance — Every third-party API goes through your approval workflow before use
  • Consumption metering — All outbound API calls are metered and tracked
  • Budget guards — Hard spending limits prevent uncontrolled third-party costs
  • Dependency mapping — Full visibility into which services depend on which third-party APIs

DORA requires exit strategies to prevent vendor lock-in.

How Apiway addresses this:

Apiway is gateway-agnostic. Your API definitions, governance history, compliance scores, and subscription data are independent of the gateway runtime:

  • Multi-gateway support — Deploy to Alpha Gateway, Kong, Azure APIM, Apigee, Tyk, or Zuplo
  • Same governance — Approval workflows and audit trails work identically across all gateways
  • Portable APIs — Move your entire API portfolio to a different gateway by registering a new instance and redeploying. No lock-in.

DORA requires regular testing of digital operational resilience.

How Apiway addresses this:

  • Assurance engine — Post-deployment validation generates test permutations from your OAS and runs them against your live API
  • SLA validation — Assurance validates latency against your OpenSLA commitments
  • Compliance scoring — Continuous runtime validation catches regressions