APMA - DORA - Questionnaire - Checkmarx

DORA AppSec Governance Policy

Question 1 of 14:

Do you have documented ICT governance policies that include Application Security (AppSec) and are formally approved by your Management Body or Board, as required by DORA?

Guidance

This question evaluates whether AppSec policies are not only defined but also officially approved and reviewed as part of the broader ICT governance process.

DORA Articles:
Primary article:
– DORA Article 9 – Protection and Prevention: Mandates financial entities to develop and document an information security policy.

Secondary articles:
– DORA Article 5 – Governance and organisation: Requires the management body to approve and oversee the implementation of all ICT risk management frameworks.
– DORA Article 6 – ICT Risk Management Framework: Mandates a documented ICT risk management framework which must include strategies, policies, procedures, ICT protocols and tools.

DORA ICT Risk Framework Integration

Question 2 of 14:

Have you integrated AppSec into your ICT risk management framework, including risk identification, tolerance, assessment, mitigation, and monitoring processes?

Guidance

This evaluates how well Application Security (AppSec) is embedded into the organization’s ICT risk management, focusing on policies, testing, and incident prevention as required by Article 6 of DORA.

DORA Articles:
Primary article:
– DORA Article 6 – ICT Risk Management Framework: Requires financial entities to have a sound, comprehensive and well-documented ICT risk management framework.

Secondary article:
– DORA Article 5 – Governance and organisation: The management body shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework.

DORA AppSec Training and Awareness

Question 3 of 14:

Is AppSec included in your ICT security training and awareness programs for all relevant staff, including developers and ICT operators?

Guidance

Training should address AppSec practices and align with role-specific responsibilities under regulatory expectations.

DORA Articles:
– DORA Article 13 – Learning and evolving: Mandates financial entities to develop ICT security awareness programmes and digital operational resilience training.

DORA Third-Party AppSec Requirements

Question 4 of 14:

Do your contracts with ICT third-party providers explicitly include AppSec requirements, such as vulnerability management, secure development, and incident notification obligations?

Guidance

Assesses whether third-party ICT relationships formally include enforceable AppSec responsibilities.

DORA Articles:
Section I – Key principles for a sound management of ICT third-party risk
Primary article:
– Article 30 – Key contractual provisions: Explicitly mandates contractual provisions covering data protection (30(2)(c)), incident assistance (30(2)(f)), incident notification (30(3)(b)), security measures (30(3)(c)), and penetration testing (30(3)(d)).

Secondary articles:
– Article 28 – General principles: Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework.
– Article 29 – Preliminary assessment of ICT concentration risk at entity level: Requires pre-contract assessment of security standards and subcontractor risks.

DORA Strategic KPIs

Question 5 of 14:

Do you track KPIs and metrics related to AppSec coverage and risk mitigation, as required by DORA?

Guidance

This checks whether your KPIs are not only defined but strategically aligned with compliance maturity and risk outcomes.

DORA Articles:
– Article 6(8)(c) – ICT Risk Management Framework: Mandates financial entities to set out clear information security objectives, including key performance indicators and key risk metrics.

Application Inventory with Risk Rating

Question 6 of 14:

Do you have an updated inventory of your applications, and do you perform a risk rating of those applications?

Guidance

An application inventory is the inventory of applications developed by the organisation. It should include the risk rating for each application, because the rating is what allows the right priority, security measures, and security testing strategy to be assigned to each application.
The risk rating process is defined as the process of qualifying and classifying applications according to their business risk, and therefore the level of protection they need at the application layer. The result of the process is a categorization of each application in the application inventory.

DORA Automated Detection & Prevention

Question 7 of 14:

Do you use automated tools (e.g., SAST, DAST, SCA) to detect vulnerabilities during the SDLC to prevent AppSec-related ICT incidents?

Guidance

Evaluates the use and maturity of automated AppSec testing tools in detecting and preventing ICT incidents.

DORA Articles:
Primary article:
– Article 25 – Testing of ICT tools and systems: The digital operational resilience testing programme referred to in Article 24 shall provide, in accordance with the criteria set out in Article 4(2), for the execution of appropriate tests, such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing.

Secondary articles:
– Article 8 – Identification: Financial entities shall, on a continuous basis, identify all sources of ICT risk. Financial entities, other than microenterprises, shall perform a risk assessment upon each major change.
– Article 9 – Protection and Prevention: Financial entities shall continuously monitor and control the security and functioning of ICT systems and tools and shall minimise the impact of ICT risk.

SDLC Integration & Scanning Approach

Question 8 of 14:

Do you trigger application security scans automatically as part of the software development or DevOps lifecycle?

Guidance

An optimal scanning strategy requires automation to achieve consistent and predictable results of the analysis process. Integration points refer to how the application security testing is integrated into the software development lifecycle (SDLC). Potential integration points for scan automation can be source control management (SCM) integration, build pipeline (CI/CD) integration, or scheduled scans.

Result Review & Remediation Process

Question 9 of 14:

Do you take action based on results from automated application security testing?

Guidance

Taking action from security testing includes:
– Reviewing results consistently,
– Taking effective remediation action, and
– Automation that stops an automated build or deployment process when serious vulnerabilities are detected, or that reports issues and risks automatically.
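The CI gate described in the two points above (automated scans in the pipeline, and a build that does not continue on serious findings), as an added example that is not Checkmarx's code: the scanner output format, the `state` values and the sample report are constructed assumptions, and the severity policy is the part a practitioner would tune.

```python
"""Policy gate for automated AppSec scan results (added example, not Checkmarx's code).

Assumes the scanner exports findings as JSON with rule, severity, file and state
fields; the sample report below is constructed, not real scanner output.
"""
import json
import sys
from collections import Counter

# Constructed sample scan output.
SAMPLE_REPORT = json.dumps({"findings": [
    {"rule": "SQL Injection", "severity": "High", "file": "src/db.py", "state": "new"},
    {"rule": "Hardcoded Secret", "severity": "Critical", "file": "src/cfg.py", "state": "new"},
    {"rule": "Missing HSTS Header", "severity": "Medium", "file": "src/app.py", "state": "new"},
    {"rule": "Verbose Error Page", "severity": "Low", "file": "src/app.py", "state": "not_exploitable"},
]})

# Policy: block the pipeline at these severities; report everything else.
BLOCKING_SEVERITIES = {"Critical", "High"}
# Findings already triaged into these states never gate a build.
ACCEPTED_STATES = {"not_exploitable", "accepted_risk"}


def evaluate_gate(report_json, blocking=BLOCKING_SEVERITIES, accepted=ACCEPTED_STATES):
    """Decide whether the build continues; return the decision plus a report for tracking."""
    findings = json.loads(report_json)["findings"]
    active = [f for f in findings if f.get("state") not in accepted]
    blockers = [f for f in active if f["severity"] in blocking]
    return {
        "block": bool(blockers),
        "counts": dict(Counter(f["severity"] for f in active)),
        "blockers": [f"{f['severity']}: {f['rule']} in {f['file']}" for f in blockers],
        "triaged_out": len(findings) - len(active),
    }


def main():
    decision = evaluate_gate(SAMPLE_REPORT)
    print(json.dumps(decision, indent=2))  # what the notification/ticketing step receives
    # A non-zero exit code makes the CI job fail, so deployment does not continue.
    sys.exit(1 if decision["block"] else 0)


if __name__ == "__main__":
    main()
```

The triaged-out count is reported alongside the blockers so reviewers can see how much of the result set was accepted rather than fixed.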

DORA Incident Review & Lessons Learned

Question 10 of 14:

Do you conduct post-incident reviews for AppSec-related ICT incidents to identify root causes and implement improvements?

Guidance

In line with DORA Article 13, organizations should perform structured post-incident reviews for all AppSec-related ICT incidents, documenting root causes, lessons learned, and remediation actions. These reviews should feed into process improvements, strengthen preventive controls, and demonstrate that incidents drive measurable learning across the organization.

DORA Article:
Primary article:
– Article 13 – Learning and evolving: Financial entities shall put in place post ICT-related incident reviews after a major ICT-related incident.

Secondary articles:
– Article 17 – ICT-related incident management process: Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents.
– Article 18 – Classification of ICT-related incidents and cyber threats: Financial entities shall classify ICT-related incidents and shall determine their impact.

DORA Threat Intelligence & Information Sharing

Question 11 of 14:

Do you participate in secure information sharing initiatives regarding AppSec threats and incidents with relevant authorities and industry peers?

Guidance

Organizations should actively engage in secure information-sharing initiatives with relevant authorities and industry peers, exchanging intelligence on AppSec threats and incidents. This helps improve collective resilience, ensures timely awareness of emerging risks, and demonstrates a culture of collaboration and transparency.

DORA Article:
Primary article:
– Article 45 – Information-sharing arrangements on cyber threat information and intelligence: Financial entities may exchange amongst themselves cyber threat information and intelligence.

Secondary articles:
– Article 19 – Reporting of major ICT-related incidents and voluntary notification of significant cyber threats: Financial entities shall report major ICT-related incidents to the relevant competent authority.
– Article 47 – Cooperation with structures and authorities established by Directive (EU) 2022/2555: Competent authorities and the ESAs shall cooperate with relevant authorities designated or established in accordance with Directive (EU) 2022/2555.
– Article 48 – Cooperation between authorities: Competent authorities shall cooperate closely with each other and provide each other with mutual assistance…including exchanging information without undue delay.

DORA Dependency Management / SBOM

Question 12 of 14:

Do you maintain an up-to-date inventory of all application components and dependencies, including third-party and open-source libraries (SBOM), and monitor their security status?

Guidance

This verifies that financial entities maintain an up-to-date inventory of application components and dependencies (an SBOM), together with the security status of each component.

DORA Article:
– Article 8 – Identification: financial entities shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk. They shall map the configuration of the information assets and ICT assets and the links and interdependencies between the different information assets and ICT assets.
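The two checks this question asks for, whether the component inventory is current and whether any listed component has a known security issue, as an added example that is not Checkmarx's or the CycloneDX project's code: the SBOM, the component names, the advisory ids and the "fixed_in" feed format are all constructed assumptions.

```python
"""SBOM inventory check (added example, not Checkmarx's or the CycloneDX project's code).
Assumes a CycloneDX-style JSON SBOM with metadata.timestamp and a components list of
name/version/purl entries; the SBOM, advisory feed and component names are constructed."""
import json
from datetime import datetime, timedelta

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "metadata": {"timestamp": "2024-01-10T08:00:00Z"},
    "components": [
        {"name": "acme-http-client", "version": "1.4.2", "purl": "pkg:pypi/acme-http-client@1.4.2"},
        {"name": "acme-json-parser", "version": "3.0.0", "purl": "pkg:npm/acme-json-parser@3.0.0"},
        {"name": "acme-logging", "version": "2.9.7", "purl": "pkg:maven/com.acme/acme-logging@2.9.7"},
    ],
})

# Constructed advisory feed: a component is affected when its version is below fixed_in.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "name": "acme-http-client", "fixed_in": "1.5.0", "severity": "Medium"},
    {"id": "ADV-EXAMPLE-002", "name": "acme-logging", "fixed_in": "2.10.0", "severity": "Critical"},
    {"id": "ADV-EXAMPLE-003", "name": "acme-json-parser", "fixed_in": "3.0.0", "severity": "High"},
]


def parse_version(text):
    """Numeric dotted versions only: compare as ints so 2.10.0 sorts above 2.9.7."""
    return tuple(int(part) for part in text.split("."))


def affected_components(sbom_json, advisories):
    """Return (purl, advisory id, severity) for each component below an advisory's fixed_in."""
    hits = []
    for comp in json.loads(sbom_json)["components"]:
        for adv in advisories:
            if adv["name"] == comp["name"] and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((comp["purl"], adv["id"], adv["severity"]))
    return hits


def sbom_is_stale(sbom_json, now_iso, max_age_days=30):
    """An inventory generated more than max_age_days before now_iso is not up to date."""
    generated = datetime.fromisoformat(json.loads(sbom_json)["metadata"]["timestamp"].replace("Z", "+00:00"))
    return datetime.fromisoformat(now_iso.replace("Z", "+00:00")) - generated > timedelta(days=max_age_days)


if __name__ == "__main__":
    print("stale:", sbom_is_stale(SAMPLE_SBOM, "2024-03-01T00:00:00Z"))  # constructed "current" date
    for purl, adv_id, sev in affected_components(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{sev}: {purl} affected by {adv_id}")
```

A component at exactly the fixed version (acme-json-parser 3.0.0 here) is not reported, which is the boundary a version comparison most often gets wrong.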

Architecture, Deployment Model, and Sizing

Question 13 of 14:

Have you defined the deployment model, architecture, and scale required for your security testing, and is that architecture available for use?

Guidance

This question relates to the deployment model and architecture for the technical deployment of the security testing solution. Deployment models include SaaS/public cloud multi-tenant, single-tenant on private cloud, or on-premises, as well as hybrid combinations of these.
Furthermore, it covers different architectures for a given deployment model, such as all-in-one, distributed, or high availability. The deployment model and architecture need to be planned and decided carefully, depending on the scale of security testing required and on confidentiality or compliance requirements, which in multinational corporations may include regulations from several regions.
Architecture planning also includes questions such as data retention.

Planning in General

Question 14 of 14:

Do you have a roll-out plan, adoption plan, resource plan, and training plan for your AppSec program in place?

Guidance

– Roll-out plan: We define the roll-out plan as the plan to implement the solution until a business-as-usual (BAU) state is reached; it includes considerations such as whether a pilot phase is planned and how to move between stages until the BAU state is reached.
– Adoption plan: The adoption plan refers to scaling up to the whole application estate of the organization that is in scope for the AppSec program.
– Resource plan: The plan for the human resources needed for the AppSec program, including capacity needs and roles and responsibilities.
– Training plan: The plan for the training required by stakeholders in the AppSec program.
