From Regulation to Resilience: How Astronomer Powers DORA-Ready Data Operations
The Digital Operational Resilience Act (DORA) addresses the critical need for the financial sector to effectively manage digital operational resilience in the face of rising cyber threats and Information and Communication Technology (ICT) disruptions.
Digitalization has become fundamental to financial services, transforming payment systems, trading, clearing, settlement, and insurance, increasing interconnectedness, and creating significant ICT risks. Current fragmented and inconsistent regulatory approaches across the EU have exposed the financial sector to potential systemic vulnerabilities.
DORA seeks to harmonize requirements across Member States, ensuring operational continuity and stability of the EU financial system. Its ultimate aim is to secure consumer confidence, market integrity, and financial stability in the face of evolving digital threats.
A critical dimension of operational resilience is data: its accuracy, availability, and trustworthiness underpin everything from regulatory reporting to AI, analytics, and real-time decision-making. Astronomer is committed to supporting financial institutions in meeting DORA requirements by integrating robust security measures and best practices into our data operations (DataOps) platform. With a focus on resilience, compliance, and secure data orchestration, we help organizations strengthen their operational defenses, manage ICT risks, and safeguard critical data assets.
DORA’s Five Key Pillars for Risk
DORA requires financial institutions to take a proactive approach to managing ICT risk, with a focus on five key pillars:
- ICT Risk Management: This pillar focuses on establishing a robust framework for managing ICT risks. It requires financial entities to have comprehensive strategies, policies, and procedures in place to identify, protect against, detect, respond to, and recover from ICT-related incidents.
- ICT-Related Incident Reporting: DORA mandates a harmonized and streamlined approach to reporting major ICT-related incidents. This ensures that incidents are reported to relevant authorities in a consistent and timely manner, allowing for better monitoring and response.
- Digital Operational Resilience Testing: This pillar emphasizes the importance of regular testing to assess the resilience of ICT systems. It includes requirements for both basic and advanced testing, such as threat-led penetration testing (TLPT), to identify vulnerabilities and ensure preparedness for potential disruptions.
- ICT Third-Party Risk Management: Recognizing the financial sector's reliance on third-party ICT providers, DORA establishes a framework for managing the risks associated with these relationships. It includes requirements for contractual arrangements, due diligence, and oversight of critical providers.
- Information Sharing: This pillar promotes the voluntary sharing of cyber threat information and intelligence among financial entities. This collaborative approach aims to enhance the sector's collective ability to detect, prevent, and respond to cyber threats.
The Role of ICT Third Parties and the Criticality of Data
As financial institutions navigate the requirements introduced by DORA, their reliance on trusted technology partners becomes increasingly critical. Meeting DORA's stringent requirements demands specialized capabilities in monitoring, managing, and mitigating digital risks, especially those stemming from third-party ICT dependencies. Partnering with technology vendors that offer advanced solutions specifically tailored to address these regulatory obligations can substantially ease compliance burdens.
Managing digital risk is a multi-faceted challenge. It doesn’t stop at the resilience and reliability of physical systems, cloud providers, or operational processes. The resilience and reliability of data is just as important. Why? Because it’s data that is driving the most important digital initiatives every financial institution is working on; specifically AI, analytics, and applications.
How Astronomer Helps Financial Institutions on Their Path to DORA Compliance
Astronomer's cloud-native data orchestration platform, Astro, provides a robust solution for financial institutions seeking to comply with DORA.
DORA emphasizes both resilience and cybersecurity, and Astro addresses both aspects by providing a secure and reliable platform for managing data pipelines. Here's how Astronomer helps organizations address the five key pillars of DORA:
Enhanced ICT Risk Management
Astronomer empowers organizations to build a centralized and auditable platform for managing data pipelines. To minimize risks to data workflows, Astro dynamically adjusts resources to meet workload demands and minimizes downtime with queue-based task execution and multi-zone deployments.
Astro offers multi-cloud support with centralized management through a single pane of glass, eliminating reliance on any one cloud provider as a potential point of failure. It runs on dedicated clusters with isolated compute and private networking to securely execute data pipelines.
With Astro Observe, organizations have better visibility into data flows, improved data lineage tracking, and enhanced governance controls, strengthening their ICT risk management framework.
Astronomer’s CI/CD integrations streamline development workflows, supporting frequent commits, automated testing to catch issues early and reduce failures, and the controlled promotion of Airflow pipelines. This approach fosters reliable, repeatable releases, strengthening data orchestration and overall data quality.
In addition to these core functionalities, Astronomer incorporates specific technologies and best practices into its Astro service for DORA compliance, such as control plane/data plane separation and isolated recovery environments.
Control plane/data plane separation
Control plane / data plane separation isolates the management interfaces used to control ICT systems, aiding resilience by limiting what a malicious actor who has breached the production network can reach. It also prevents resource-intensive automation, security monitoring, and resilience testing workflows from affecting the speed or availability of the production network.
In the upcoming Apache Airflow® 3.0 release on Astro, Remote Execution will allow tasks to run within your own environment while connecting securely to Astro’s control plane via outbound, encrypted connections. This ensures sensitive data, secrets, and code remain entirely within your infrastructure, supporting zero-trust policies and compliance requirements. It provides centralized orchestration control while giving you the flexibility to deploy on-premises, in the cloud, or at the edge.
Multi-layered Disaster Recovery and Reliability Design
Astro is designed with multiple, redundant disaster recovery and reliability layers. All core databases and key management infrastructure are deployed in a multi-cloud, multi-region, high-availability configuration with automated failovers. All code that is executed in Astronomer’s cloud is packaged in Docker images, which allows for automated vulnerability scanning during the build process and for storage in a trusted, third-party registry. All code is also stored separately in third-party version control systems. Because open source Apache Airflow® is also available as a fallback, Astronomer customers have multiple, redundant recovery options in the event that Astronomer is unable to provide services. The Astro CLI also enables users to run local developer instances of Airflow independently of the cloud platform.
Streamlined Incident Response
Astronomer provides detailed visibility across orchestrated workflows at both the data pipeline and data product levels, enabling rapid response and recovery, minimizing downtime and ensuring business continuity.
- With Astro Alerts, your teams can configure notifications in Slack, PagerDuty, or email when individual pipelines complete, when a pipeline run fails, or when a task duration exceeds a specified time.
- Astro Observe operates at the higher level of data products (the pipelines, tasks, and data sets that collectively produce data assets such as ML/AI models, dashboards, etc.). This enables organizations to quickly identify the impact of ICT incidents on the core business operations that rely on those data products, facilitating faster response and mitigation.
In the event of a security incident affecting a customer, Astronomer will engage proactively, providing relevant audit logs, reports, and support in accordance with contractual obligations and relevant regulations.
Improved Third-Party Risk Management
Astronomer provides a secure and controlled environment for integrating with third-party data sources and services. This helps organizations manage the risks associated with relying on external vendors while ensuring data security and compliance.
To further enhance data security and comply with DORA's requirements for secure data deletion, Astronomer supports "cyber shredding" when customers implement it in their pipelines. If configured properly, the customer can ensure that when data is transferred or deleted, it is completely removed from the original location and cannot be recovered, minimizing the risk of data leaks. As Astro stores and retains no customer data in the cloud other than related metadata, this risk is further mitigated.
Digital Operational Resilience Testing and Information Sharing
Astronomer demonstrates high standards of operational resilience, regularly testing continuity and disaster recovery (BCP/DR) plans.
Customers are required to establish a detailed information register in which all contracts with ICT suppliers must be recorded. Astronomer endeavors to assist customers with the completion of their registers.
Our Commitment to Your Compliance Journey
Astronomer is committed to transparency and collaboration in helping financial institutions meet DORA requirements. While we are not directly regulated under DORA, we understand the responsibilities that financial institutions have in managing ICT risk and third-party dependencies. Here’s what organizations can expect from us:
- ICT Compliance Documentation: We provide necessary documentation, including an ICT security code of conduct, security policies, and audit reports (e.g., SOC 2, PCI-DSS) to support due diligence efforts. You can find more information at the Astronomer Trust Center.
- Risk and Security Assessments: Upon request, we assist in completing risk assessments, security questionnaires, and due diligence forms to help financial institutions evaluate our controls and compliance posture.
- Incident Response Collaboration: In the event of a security incident affecting a customer, we will engage proactively, providing relevant audit logs, reports, and support in accordance with contractual obligations.
- Contractual and Regulatory Support: We align our agreements with key regulatory expectations, including data processing agreements (DPAs) and third-party risk management requirements, to help customers maintain compliance.
- Ongoing Compliance Updates: As DORA implementation evolves, we continuously assess its impact and update our security practices to ensure alignment with regulatory expectations.
Astronomer has over 700 customers, including organizations operating in highly regulated industry verticals. At this early stage of DORA implementation, we know you will have many questions on how your data operations are impacted. We are ready to help, so feel free to contact us and get the discussions started.