Tags: dora, postgresql, financial-services, ict-risk

DORA Compliance for PostgreSQL: A Practical Guide for Financial Institutions

Implement DORA compliance at the PostgreSQL database level. Health checks, incident reporting, and resilience testing for financial entities.

Robert Langner, Managing Director, NILS Software GmbH

What is DORA?

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is an EU regulation that requires financial entities to manage ICT risk systematically. Unlike GDPR, which focuses on personal data, DORA focuses on operational resilience: ensuring that digital systems remain available, secure, and recoverable.

DORA has been applicable since January 17, 2025. It affects every financial entity in the EU: banks, insurers, payment processors, investment firms, and their critical ICT providers.

Why Database Teams Should Care

Most DORA compliance discussions focus on organizational processes, but several articles have direct database implications (article numbers follow Regulation (EU) 2022/2554):

  • Articles 5-6, Governance and ICT Risk Management Framework: know your database configuration and monitor it continuously
  • Article 8, Identification: classify your data assets, understand what's critical
  • Article 9, Protection and Prevention: access control, encryption, masking, and ICT change management (Article 9(4)(e))
  • Article 10, Detection: track all changes, catch anomalies
  • Articles 11-12, Response and Recovery, Backup and Restoration: incident management, backup validation
  • Articles 17-19, Incident Management, Classification and Reporting: structured incident records with timelines

DORA Requirements at the Database Level

Change Management (Article 9)

DORA (Article 9(4)(e)) requires that every ICT change is recorded, tested, assessed, approved and verified in a controlled manner. For databases, that starts with logging every schema change.

pgcomply tracks DDL events automatically via PostgreSQL event triggers:

-- View all schema changes from the past 7 days
SELECT * FROM pgcomply.ddl_history(
  since := NOW() - INTERVAL '7 days'
);

Output:

 event_time          | command  | object_type | schema | object_name        | executed_by
---------------------+----------+-------------+--------+--------------------+------------
 2026-02-20 11:20:00 | CREATE   | TABLE       | public | newsletter_subs    | dev_lead
 2026-02-20 11:22:00 | ALTER    | TABLE       | public | users              | dev_lead
 2026-02-19 14:00:00 | ALTER    | TABLE       | public | orders             | migration

Every CREATE, ALTER, and DROP on database-local objects is captured with the executing role, timestamp, and affected object. Two caveats apply to any event-trigger-based log, this one included: PostgreSQL event triggers do not fire for commands on shared objects (CREATE/ALTER/DROP ROLE, DATABASE, TABLESPACE) or for ALTER SYSTEM, and a superuser can disable or drop the trigger. Pair it with log_statement = 'ddl' in the server log, shipped to a sink the database roles cannot edit.
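For readers who want to see the mechanism, the following is an added example built on the same PostgreSQL event-trigger primitives; it is not pgcomply's code, and the ddl_audit schema, table and function names are assumptions. Creating event triggers requires a superuser.

```sql
-- Added example, not pgcomply code. Names under the ddl_audit schema are assumptions.
-- Creating event triggers requires a superuser; run this once per database.
CREATE SCHEMA IF NOT EXISTS ddl_audit;

CREATE TABLE IF NOT EXISTS ddl_audit.ddl_history (
    id          bigserial   PRIMARY KEY,
    event_time  timestamptz NOT NULL DEFAULT now(),
    command     text        NOT NULL,  -- command tag, e.g. CREATE TABLE / ALTER TABLE / DROP TABLE
    object_type text,
    schema_name text,
    object_name text,                  -- fully qualified identity, e.g. public.users
    executed_by text        NOT NULL DEFAULT session_user,  -- login role; a SET ROLE is not reflected
    client_addr inet        DEFAULT inet_client_addr(),     -- NULL for unix-socket sessions
    query_text  text        DEFAULT current_query()
);

-- ddl_command_end fires after CREATE/ALTER and exposes the affected objects.
-- SECURITY DEFINER lets any role's DDL be logged without granting INSERT on the
-- history table; inside such a function current_user is the owner, which is why
-- the table records session_user instead.
CREATE OR REPLACE FUNCTION ddl_audit.log_ddl_end() RETURNS event_trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, pg_temp AS $$
DECLARE
    r record;
BEGIN
    FOR r IN SELECT * FROM pg_event_trigger_ddl_commands() LOOP
        INSERT INTO ddl_audit.ddl_history (command, object_type, schema_name, object_name)
        VALUES (r.command_tag, r.object_type, r.schema_name, r.object_identity);
    END LOOP;
END;
$$;

-- DROP is not reported by pg_event_trigger_ddl_commands(); the sql_drop event is.
-- Dependent objects (indexes, sequences, constraints) appear as rows of their own.
CREATE OR REPLACE FUNCTION ddl_audit.log_ddl_drop() RETURNS event_trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, pg_temp AS $$
DECLARE
    r record;
BEGIN
    FOR r IN SELECT * FROM pg_event_trigger_dropped_objects() WHERE NOT is_temporary LOOP
        INSERT INTO ddl_audit.ddl_history (command, object_type, schema_name, object_name)
        VALUES (TG_TAG, r.object_type, r.schema_name, r.object_identity);
    END LOOP;
END;
$$;

CREATE EVENT TRIGGER ddl_audit_end  ON ddl_command_end EXECUTE FUNCTION ddl_audit.log_ddl_end();
CREATE EVENT TRIGGER ddl_audit_drop ON sql_drop        EXECUTE FUNCTION ddl_audit.log_ddl_drop();

-- The table has no PUBLIC privileges by default, so only auditors need an explicit
-- read grant (compliance_reader is a hypothetical role):
-- GRANT USAGE ON SCHEMA ddl_audit TO compliance_reader;
-- GRANT SELECT ON ddl_audit.ddl_history TO compliance_reader;

-- Equivalent of the 7-day query shown above.
SELECT event_time, command, object_type, schema_name, object_name, executed_by
FROM ddl_audit.ddl_history
WHERE event_time >= now() - interval '7 days'
ORDER BY event_time DESC;
```

Event triggers are per-database objects, so this has to be installed in every database you care about. Because the history lives in the same instance as the data it describes, treat it as a working log and ship it (or at least the server log with log_statement = 'ddl') to a sink the database roles cannot modify.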

Access Control (Articles 8-9)

DORA requires that logical access to data and ICT assets is limited to what legitimate, approved functions need (Article 9(4)(c)), which presupposes the asset inventory of Article 8, and that access rights are reviewed periodically. pgcomply provides:

-- View current access map with PII risk levels
SELECT * FROM pgcomply.access_map();

-- Start a periodic access review (Pro)
SELECT pgcomply.start_access_review('Q1-2026');

-- Review and decide
SELECT pgcomply.review_decide('Q1-2026', 'dev_staging', 'users', 'revoke', 'No production access needed');
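To show what an access map contains, here is an added example that derives one from the system catalogs in plain SQL; it is not pgcomply's implementation, and its PII detection is a column-name heuristic assumed for the example, which in production you would replace with your maintained data classification.

```sql
-- Added example, not pgcomply code: an effective access map from the catalogs.
-- The PII heuristic below is an assumption for the example; use your data inventory instead.
WITH pii_tables AS (
    SELECT DISTINCT table_schema, table_name
    FROM information_schema.columns
    WHERE column_name ~* '(email|phone|ssn|iban|birth|passport|street|national_id)'
      AND table_schema NOT IN ('pg_catalog', 'information_schema')
),
login_roles AS (
    -- Only roles that can log in are reviewed; group roles show up through inheritance.
    -- Superusers bypass privilege checks entirely, so they are flagged rather than filtered.
    SELECT oid, rolname, rolsuper
    FROM pg_roles
    WHERE rolcanlogin
),
relations AS (
    SELECT c.oid, n.nspname AS table_schema, c.relname AS table_name
    FROM pg_class c
    JOIN pg_namespace n ON n.oid = c.relnamespace
    WHERE c.relkind IN ('r', 'p', 'v', 'm', 'f')   -- tables, partitioned, views, matviews, foreign
      AND n.nspname NOT LIKE 'pg\_%'
      AND n.nspname <> 'information_schema'
)
SELECT r.rolname AS grantee,
       t.table_schema,
       t.table_name,
       -- has_table_privilege() resolves grants inherited through role membership and
       -- ownership, which a plain read of pg_class.relacl would miss. With a list of
       -- privileges it returns true if any one of them is held.
       has_table_privilege(r.oid, t.oid, 'SELECT')                 AS can_select,
       has_table_privilege(r.oid, t.oid, 'INSERT, UPDATE, DELETE') AS can_write,
       CASE WHEN p.table_name IS NOT NULL THEN 'high' ELSE 'low' END AS pii_risk,
       r.rolsuper AS is_superuser
FROM login_roles r
CROSS JOIN relations t
LEFT JOIN pii_tables p USING (table_schema, table_name)
WHERE r.rolsuper
   OR has_table_privilege(r.oid, t.oid, 'SELECT, INSERT, UPDATE, DELETE')
ORDER BY pii_risk DESC, t.table_schema, t.table_name, r.rolname;
```

For a recertification round, start with the rows where pii_risk is high and can_write is true and ask who actually needs them; each decision to revoke becomes a REVOKE or a change in role membership, recorded against the review in the same way review_decide() records it above. Superuser rows are the ones to question hardest, since no grant controls them.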

Configuration Monitoring (Articles 6 and 10)

DORA's ICT risk management framework (Article 6) and its detection requirements (Article 10) call for continuous monitoring of ICT configurations, not a one-off hardening pass:

-- 14 security checks based on CIS Benchmark
SELECT * FROM pgcomply.health_check();

-- Connection security analysis
SELECT * FROM pgcomply.connection_audit();
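To show what such checks look like when you write them yourself, here is an added example in plain SQL; it is not pgcomply's implementation, and its expected values are an assumed baseline drawn from common CIS PostgreSQL Benchmark recommendations that you should adjust to your own standard.

```sql
-- Added example, not pgcomply code. Expected values are an assumed baseline; adjust to policy.

-- 1. Configuration checks against pg_settings.
--    Run as a superuser or a member of pg_read_all_settings so no value is masked.
WITH baseline(name, expected, match_mode) AS (VALUES
    ('ssl',                      'on',             'exact'),
    ('password_encryption',      'scram-sha-256',  'exact'),
    ('log_connections',          'on',             'exact'),
    ('log_disconnections',       'on',             'exact'),
    ('log_statement',            'ddl|mod|all',    'regex'),   -- DDL must be logged at minimum
    ('ssl_min_protocol_version', 'TLSv1\.[23]',    'regex'),   -- absent before PostgreSQL 12
    ('log_line_prefix',          '.*%u.*',         'regex')    -- user name in every log line
)
SELECT b.name,
       s.setting AS current_value,
       b.expected,
       CASE
           WHEN s.setting IS NULL THEN 'UNKNOWN'   -- parameter does not exist in this version
           WHEN b.match_mode = 'exact' AND s.setting = b.expected THEN 'PASS'
           WHEN b.match_mode = 'regex' AND s.setting ~ ('^(' || b.expected || ')$') THEN 'PASS'
           ELSE 'FAIL'
       END AS result,
       s.source,          -- configuration file, override, default, ...
       s.pending_restart  -- true if the file was changed but the value is not yet applied
FROM baseline b
LEFT JOIN pg_settings s ON s.name = b.name
ORDER BY result, b.name;

-- 2. Connection audit: network clients that are not using TLS.
--    pg_stat_ssl has one row per backend; ssl = false means plaintext over TCP.
SELECT a.pid, a.usename, a.client_addr, a.application_name, a.backend_start,
       s.ssl, s.version AS tls_version, s.cipher
FROM pg_stat_activity a
JOIN pg_stat_ssl s USING (pid)
WHERE a.backend_type = 'client backend'
  AND a.client_addr IS NOT NULL   -- unix-socket sessions never cross the network
  AND NOT s.ssl
ORDER BY a.backend_start;

-- 3. Authentication rules that should not appear in a production pg_hba.conf
--    (trust, plaintext password, md5) plus any line that failed to parse.
--    pg_hba_file_rules reads the file on disk, which can differ from the loaded
--    rules until pg_reload_conf() is run.
SELECT line_number, type, database, user_name, address, auth_method, error
FROM pg_hba_file_rules
WHERE auth_method IN ('trust', 'password', 'md5')
   OR error IS NOT NULL
ORDER BY line_number;
```

The first query is the one to schedule: a row flipping from PASS to FAIL, or source changing from configuration file to override, is exactly the configuration drift Article 10 asks you to detect. The second and third are point-in-time views and are most useful immediately before and after a change to pg_hba.conf or the TLS settings.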

Incident Management and Reporting (Articles 17-19)

DORA requires financial entities to record and classify every ICT-related incident (Articles 17-18) and to report major ones to their competent authority on fixed deadlines (Article 19). pgcomply provides structured breach management:

-- Report an incident
SELECT pgcomply.report_breach(
  'Unauthorized access attempt',
  'Failed login attempts from unknown IP range detected',
  'medium',
  ARRAY['access_logs'],
  ARRAY['sessions']
);

-- Track with 72-hour DPA deadline countdown
SELECT * FROM pgcomply.breach_status();

The 72-hour countdown shown here is the GDPR Article 33 deadline for notifying the data protection authority of a personal-data breach. DORA's own clock for major ICT-related incidents (Article 19, detailed in the RTS adopted under Article 20) is different: an initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month. An incident that involves personal data at a financial entity runs on both clocks, so track both.

Audit Evidence

DORA auditors need verifiable evidence. pgcomply's SHA-256 audit chain makes the log tamper-evident: each entry's hash covers the previous entry's hash, so any modification or deletion breaks verification from that point on. It is not tamper-proof: a role that can rewrite the table can also recompute the chain, so export the latest chain hash regularly to a store the database roles cannot write to, and compare against it when you verify.

-- Verify no audit entries have been modified
SELECT pgcomply.verify_audit();
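To make the tamper-evidence argument concrete, here is an added example of such a hash chain in plain SQL; it is not pgcomply's implementation, the table and function names are illustrative, and it relies on the built-in sha256() available from PostgreSQL 11.

```sql
-- Added example, not pgcomply code: a tamper-evident SHA-256 hash chain over an
-- append-only audit table. Names are illustrative.
CREATE TABLE IF NOT EXISTS audit_chain (
    id         bigint      PRIMARY KEY,   -- assigned by the insert trigger under a lock
    event_time timestamptz NOT NULL DEFAULT now(),
    actor      text        NOT NULL DEFAULT session_user,
    payload    jsonb       NOT NULL,
    prev_hash  text        NOT NULL,      -- hash of the previous row; 64 zeros for the first
    hash       text        NOT NULL       -- sha256 over this row's fields and prev_hash
);

-- Canonical serialisation: fields joined by a unit separator. jsonb::text is already
-- normalised (sorted keys, fixed whitespace), so equal payloads always hash the same.
CREATE OR REPLACE FUNCTION audit_entry_hash(p_id bigint, p_time timestamptz, p_actor text,
                                            p_payload jsonb, p_prev text) RETURNS text
LANGUAGE sql STABLE AS $$
    SELECT encode(sha256(convert_to(
               p_id::text || E'\x1f' || extract(epoch FROM p_time)::text || E'\x1f' ||
               p_actor    || E'\x1f' || p_payload::text              || E'\x1f' || p_prev,
               'UTF8')), 'hex');
$$;

-- Link each new row to the current tail. The advisory lock serialises writers so two
-- concurrent inserts cannot both read the same tail; the primary key turns any race
-- the lock does not cover (e.g. a stale tail read under REPEATABLE READ) into a
-- duplicate-key error rather than a silent fork of the chain.
CREATE OR REPLACE FUNCTION audit_chain_link() RETURNS trigger
LANGUAGE plpgsql AS $$
DECLARE
    tail_id   bigint;
    tail_hash text;
BEGIN
    PERFORM pg_advisory_xact_lock(hashtext('audit_chain'));
    SELECT id, hash INTO tail_id, tail_hash FROM audit_chain ORDER BY id DESC LIMIT 1;
    NEW.id        := COALESCE(tail_id, 0) + 1;
    NEW.prev_hash := COALESCE(tail_hash, repeat('0', 64));   -- genesis anchor
    NEW.hash      := audit_entry_hash(NEW.id, NEW.event_time, NEW.actor, NEW.payload, NEW.prev_hash);
    RETURN NEW;
END;
$$;

CREATE TRIGGER audit_chain_on_insert BEFORE INSERT ON audit_chain
    FOR EACH ROW EXECUTE FUNCTION audit_chain_link();

-- Append-only: reject UPDATE, DELETE and TRUNCATE at the trigger level, in addition
-- to never granting those privileges on the table.
CREATE OR REPLACE FUNCTION audit_chain_block() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_chain is append-only (% rejected)', TG_OP;
END;
$$;

CREATE TRIGGER audit_chain_no_rewrite BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_chain
    FOR EACH STATEMENT EXECUTE FUNCTION audit_chain_block();

-- Walk the chain from the genesis value, recompute every hash and check every link.
CREATE OR REPLACE FUNCTION audit_chain_verify(OUT checked bigint, OUT ok boolean,
                                              OUT first_bad_id bigint)
LANGUAGE plpgsql STABLE AS $$
DECLARE
    r             record;
    expected_prev text := repeat('0', 64);
BEGIN
    checked := 0; ok := true; first_bad_id := NULL;
    FOR r IN SELECT * FROM audit_chain ORDER BY id LOOP
        checked := checked + 1;
        IF r.prev_hash <> expected_prev
           OR r.hash <> audit_entry_hash(r.id, r.event_time, r.actor, r.payload, r.prev_hash) THEN
            ok := false; first_bad_id := r.id;
            RETURN;
        END IF;
        expected_prev := r.hash;
    END LOOP;
END;
$$;

-- Constructed demo data, then a simulated rewrite by a privileged role.
INSERT INTO audit_chain (payload)
VALUES ('{"action": "GRANT", "privilege": "SELECT", "table": "users", "role": "dev_staging"}');
INSERT INTO audit_chain (payload)
VALUES ('{"action": "REVOKE", "privilege": "SELECT", "table": "users", "role": "dev_staging"}');
SELECT * FROM audit_chain_verify();

ALTER TABLE audit_chain DISABLE TRIGGER audit_chain_no_rewrite;   -- what a table owner can do
UPDATE audit_chain SET payload = payload || '{"role": "intern"}'::jsonb WHERE id = 1;
ALTER TABLE audit_chain ENABLE TRIGGER audit_chain_no_rewrite;
SELECT * FROM audit_chain_verify();
```

On the intact chain audit_chain_verify() reports ok = true; after the simulated rewrite it reports ok = false with first_bad_id pointing at the modified row, because that row's stored hash no longer matches its content. Verification alone only proves that the table is consistent with itself, and the demo shows that a table owner can disable the guard trigger; the owner could equally recompute every hash after a rewrite. Export the tail row's hash to a location the database roles cannot write, for instance a signed append-only log outside the host, and compare the stored tail against it during the audit. That external anchor is what turns the chain from a self-reported claim into evidence.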

DORA Compliance Checklist

pgcomply includes a pre-seeded DORA checklist covering all 13 relevant articles:

-- View your DORA compliance progress
SELECT * FROM pgcomply.checklist('dora');

-- Update a requirement's status
SELECT pgcomply.checklist_update(
  'dora', 'ART-9', 'implemented',
  assigned_to := 'CTO',
  evidence := 'pgcomply.ddl_history()'
);

-- Get progress summary
SELECT * FROM pgcomply.checklist_progress('dora');

Generating a DORA Report

For auditor presentations, pgcomply Pro generates a structured DORA report:

SELECT pgcomply.dora_report();

This produces a JSON document covering:

  • ICT risk management framework status
  • Change management log (DDL history)
  • Access control matrix with review status
  • Incident history and response times
  • Configuration compliance (health check results)
  • Audit trail integrity verification

Summary

DORA compliance at the database level requires change tracking, access management, configuration monitoring, incident reporting, and verifiable audit trails. These are not one-time projects — they require continuous, automated monitoring. pgcomply provides this as pure SQL functions that run inside your PostgreSQL instance, producing the evidence your DORA auditor needs.

Frequently Asked Questions

When does DORA take effect?
DORA (Regulation EU 2022/2554) has been applicable since January 17, 2025. Financial entities and their critical ICT providers must now comply with all requirements.
Does DORA apply to my company?
DORA applies to banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, and their critical ICT third-party providers operating in the EU. If you process financial data in PostgreSQL for any of these entities, your database needs to meet DORA requirements.
What is the difference between DORA and GDPR for databases?
GDPR focuses on personal data protection (consent, deletion, portability). DORA focuses on operational resilience (uptime, change management, incident response, testing). They overlap in areas like access control and audit trails. A compliant database setup should address both.
What database changes does DORA require?
DORA requires documented change management (track all schema changes), role-based access with periodic reviews, configuration monitoring, incident reporting workflows, and tamper-evident audit trails. These are process and monitoring requirements, not structural database changes.
Can pgcomply generate a DORA compliance report?
Yes. pgcomply Pro includes a dora_report() function that generates a structured compliance report covering Articles 5-28. It pulls data from the DDL log, access reviews, health checks, breach log, and audit trail to produce auditor-ready evidence.
