Digital Operational Resilience Act

runZero simplifies compliance with DORA by helping you assess your organization's digital resilience, identify potential risks, and implement necessary controls to ensure operational continuity. Empower your team to monitor, manage, and mitigate risks effectively, ensuring ongoing compliance and protection against disruptions in critical digital operations.

Our Alignment

Key Requirements of DORA

What We Do

runZero empowers the creation and maintenance of ICT risk management frameworks by delivering advanced asset discovery, continuous monitoring of IT, OT, IoT, and unmanaged devices, and identifying vulnerabilities and protection gaps across essential operational assets.

Your Outcome

This enables comprehensive risk assessments, eliminates blind spots, and ensures proactive mitigation of ICT risks.

What We Do

runZero provides detailed data on asset vulnerabilities, exposures, and criticality to assess the potential impact of incidents. It supports mapping affected areas of the network and offers data to inform classification and prioritization of incidents.

Your Outcome

This ensures that incidents are evaluated effectively based on their severity and urgency, enabling rapid and informed responses to minimize operational impact.

What We Do

runZero provides detailed visibility into ICT systems, their configurations, and vulnerabilities, aiding in the identification and prioritization of critical assets for resilience testing. It supports mapping network structures and defining testing scopes by highlighting sensitive areas and exposures.

Your Outcome

This ensures testing efforts are focused on the most critical areas, improving the accuracy and effectiveness of resilience evaluations and strengthening overall ICT operational readiness.

What We Do

runZero provides visibility into third-party assets, their interactions within the network, and changes in configurations that may introduce risks. It helps map dependencies, identify vulnerabilities, and assess the impact of third-party services on critical operations.

Your Outcome

This empowers organizations to proactively identify and mitigate third-party risks, ensuring a secure and resilient ICT environment and supporting informed policy development.

What We Do

runZero enhances collaboration by enabling comprehensive asset and risk visibility to share actionable intelligence with peers in the financial sector.

Your Outcome

This builds collective resilience against cyber threats, improving overall security across the industry.


Achieve Compliance

How runZero supports DORA requirements

runZero directly supports many DORA provisions related to asset visibility, inventory management, and vulnerability discovery, while also enabling programmatic approaches for protecting environments, detecting events, and responding to incidents. Its robust capabilities provide organizations with a single tool and source of truth across IT, OT, IoT, and external environments, ensuring compliance as operations and threats evolve.

Many DORA provisions require the integration of multiple security controls, programs, and policies working together to achieve compliance. runZero indirectly supports several of these provisions by supplying critical elements as part of a broader approach, contributing to compliance efforts that go beyond the specific areas it directly addresses.


ICT Risk Management Framework

Chapter II: Article 6
Requirement: Include processes for identifying, assessing, and mitigating ICT risks, covering both internal and external threats, as well as risks associated with third-party service providers.
Support: Direct
How runZero Helps:
  • Continuously identifies IT, OT, and IoT devices across internal and external networks, including third parties.
  • Accurately fingerprints devices, providing deeper insights for more accurate risk assessment and mitigation.
  • Safely monitors network traffic to identify sensitive devices without the risk of disrupting operations.
  • Uses targeted scans for deeper insights into system configurations and vulnerabilities.
  • Uses data from third-party tools such as vulnerability scanners to enhance risk context and streamline response.
  • Identifies issues beyond CVEs, such as misconfigurations, segmentation weaknesses, insecure services, end-of-life (EOL) systems, and policy violations.
  • Continuously updates asset data to spot emerging risks and adapt strategies.
  • Provides essential data to prioritize mitigation, focusing on critical internal and external threats.

Chapter II: Article 6
Requirement: Regularly update the framework to adapt to emerging risks, ensuring that the entity is prepared for new threat vectors and changes in the technological environment.
Support: Indirect
How runZero Helps:
  • Provides visibility into new vulnerabilities and changes in the technological environment.
  • Continuously scans and updates the asset inventory, ensuring that new or modified assets are included in risk assessments.
  • Helps identify emerging risks and evolving threat vectors that require framework adjustments.
  • Supports proactive adaptation by offering data that highlights shifts in the security landscape and tracks technological changes over time.
  • Does not directly update the framework but provides critical insights for making necessary adjustments.

ICT Systems, Protocols, and Tools

Chapter II: Article 7
Requirement: Implement secure ICT systems, protocols, and tools that adhere to industry best practices and are designed to safeguard the organization's digital infrastructure from unauthorized access and cyber threats.
Support: Direct
How runZero Helps:
  • Provides detailed visibility into IT, OT, and IoT assets, identifying areas needing stronger security.
  • Detects misconfigured or outdated protocols, helping ensure alignment with industry best practices.
  • Integrates with security tools like firewalls, encryption solutions, and access control systems, providing enriched data for better protection.
  • Helps optimize security measures by offering insights that support secure configurations and access control.
  • Identifies non-traditional vulnerabilities, such as insecure services and segmentation weaknesses, that compromise infrastructure.
  • Continuously monitors for new or unexpected devices, ensuring prompt response to unauthorized access attempts.
  Note: Does not directly implement security protocols or tools but supplies valuable data for making informed security decisions and strengthening overall protection.

Chapter II: Article 7
Requirement: Ensure ICT tools are tested for resilience against cyber threats, including regular vulnerability assessments and security audits to identify and rectify weaknesses.
Support: Direct
How runZero Helps:
  • Provides detailed visibility into IT, OT, and IoT assets, allowing security teams to focus vulnerability assessments on critical areas.
  • Highlights outdated or vulnerable systems, helping prioritize them for testing and remediation.
  • Supports regular vulnerability assessments by identifying and mapping all assets, ensuring that no devices or systems are overlooked.
  • Integrates with third-party security audit tools, enriching data for more comprehensive audits and assessments.
  • Helps identify misconfigurations and segmentation weaknesses that could be exploited during cyberattacks.
  • Continuously monitors for new vulnerabilities as network configurations change, enabling timely updates to testing scopes.
  • Provides insights for targeted testing of non-traditional vulnerabilities, such as insecure services or policy violations.

Chapter II: Article 7
Requirement: Maintain an inventory of all ICT assets and regularly update it to ensure visibility over critical systems and their interdependencies, aiding in quick responses to potential risks.
Support: Direct
How runZero Helps:
  • Provides comprehensive visibility into both internal and external assets, covering IT, OT, and IoT devices to ensure all systems are tracked.
  • Regularly updates asset data through continuous monitoring, maintaining up-to-date visibility into the network’s infrastructure.
  • Discovers unknown devices that may not have been previously tracked, ensuring that all assets are accounted for.
  • Maps interdependencies between systems, helping organizations understand how internal and external assets interact.
  • Supports rapid risk identification by highlighting changes in critical systems, newly discovered devices, and shifts in the threat landscape.
  • Enables quicker responses to potential risks by providing accurate, real-time information on internal and external assets.
  • Helps identify unauthorized devices or unexpected changes in the network, supporting proactive risk management across the organization’s internal and external boundaries.
  • Facilitates integration with other security tools to enrich asset data and enhance visibility into both known and unknown assets.
  • Directly addresses the need for asset tracking, providing the foundational data needed for managing risks, ensuring resilience, and maintaining visibility over critical systems.

Chapter II: Article 7
Requirement: Adopt industry standards and best practices for system security, ensuring compliance with relevant regulations and standards such as ISO/IEC 27001.
Support: Indirect
How runZero Helps:
  • Provides visibility into assets and their compliance status, helping organizations identify gaps in adherence to standards like ISO/IEC 27001.
  • Supports audit readiness by offering a detailed inventory of assets and their security configurations.
  • Assists in aligning security practices with industry standards by identifying areas needing improvement.
  • Does not directly implement standards or achieve certification but provides the data needed to maintain compliance and benchmark against best practices.

Identification

Chapter II: Article 8
Requirement: Identify critical ICT assets and services that are essential for the organization's operations and ensure these assets are protected with enhanced security measures.
Support: Direct
How runZero Helps:
  • Provides comprehensive visibility into internal and external assets, allowing organizations to identify which assets and services are critical.
  • Discovers unknown devices and services that could be crucial for operations but were previously overlooked.
  • Highlights critical assets by mapping interdependencies and their roles within the network.
  • Identifies misconfigurations, outdated protocols, and vulnerabilities that need to be addressed for critical assets.
  • Monitors both internal and external changes, ensuring that any new threats or changes affecting critical assets are quickly identified.
  • Integrates with security tools to ensure that protective measures, such as encryption or access controls, are applied effectively.

Chapter II: Article 8
Requirement: Assess vulnerabilities and risks associated with critical assets, conducting regular threat assessments to understand potential points of failure or exploitation.
Support: Direct
How runZero Helps:
  • Provides comprehensive visibility into internal and external assets, ensuring a clear understanding of the environment when assessing risks.
  • Discovers unknown devices and services that might introduce unrecognized risks, ensuring that all potential vulnerabilities are covered.
  • Identifies vulnerabilities in critical assets by mapping software versions, configurations, known exposures, and other asset attributes.
  • Supports regular threat assessments by continuously updating data on internal and external assets, offering a real-time view of changes.
  • Maps interdependencies between critical assets, helping identify potential points of failure and the broader impact of vulnerabilities.
  • Monitors for emerging risks, such as newly discovered vulnerabilities or changes in threat behavior, that could affect critical assets.
  • Integrates with other data sources and security tools, enhancing the ability to conduct thorough assessments and cross-reference risks.

Chapter II: Article 8
Requirement: Map interdependencies between ICT systems and third-party services to understand how disruptions in one area could impact other parts of the organization.
Support: Direct
How runZero Helps:
  • Provides comprehensive visibility, allowing organizations to understand how systems and third-party services are connected.
  • Discovers unknown devices and services, including those related to third-party providers.
  • Maps interdependencies between internal systems and third-party services, helping to visualize how disruptions could affect operations.
  • Highlights critical connections between third-party services and essential internal systems to identify potential points of failure.
  • Monitors for changes in third-party services and internal assets, ensuring that updates or disruptions are quickly identified.
  • Supports impact analysis by providing detailed data on how third-party services interact with internal systems, making it easier to predict the potential fallout of disruptions.

Chapter II: Article 8
Requirement: Establish a continuous monitoring process to identify new risks, using tools such as threat intelligence feeds and automated monitoring systems.
Support: Direct
How runZero Helps:
  • Provides comprehensive visibility into internal and external assets, ensuring that changes and new risks are detected.
  • Continuously monitors for unknown devices and services that could introduce risks, so they are quickly identified.
  • Supports integration with other monitoring tools, enhancing the detection of emerging threats and vulnerabilities.
  • Automates asset discovery and updates, ensuring that organizations maintain a real-time understanding of their risk landscape as it evolves.
  • Identifies anomalies or unexpected changes in both internal and external networks, which may indicate new risks or emerging threats.
  • Maps evolving interdependencies between assets, helping to spot changes that could lead to new vulnerabilities or points of failure.
  • Provides data to prioritize responses by highlighting which newly identified risks could have the most significant impact on critical systems.

Protection and Prevention

Chapter II: Article 9
Requirement: Regularly update software and apply security patches to minimize vulnerabilities in systems and applications, ensuring that the latest security fixes are implemented promptly.
Support: Direct
How runZero Helps:
  • Identifies outdated software and unpatched systems by providing detailed asset inventories and version information.
  • Highlights vulnerabilities associated with unpatched applications, helping prioritize patch management efforts for all types of devices, including those not traditionally covered by CVEs.
  • Detects misconfigurations, segmentation weaknesses, and insecure services, ensuring non-traditional vulnerabilities are addressed.
  • Identifies devices that have reached end-of-life (EOL), allowing organizations to mitigate risks by updating or replacing systems.
  • Flags policy violations and deviations from secure configurations, helping ensure compliance with internal standards.
  • Supports monitoring of patch status across the network, ensuring that critical systems—whether IT, OT, or IoT—receive updates promptly.

Chapter II: Article 9
Requirement: Implement measures to protect ICT systems from cyber threats, including the deployment of advanced threat detection tools, firewalls, and endpoint protection systems.
Support: Indirect
How runZero Helps:
  • Provides detailed visibility into assets and their vulnerabilities, helping to identify areas needing additional protection.
  • Supports the effective deployment of threat detection tools by offering accurate asset data for monitoring.
  • Assists in optimizing firewall and endpoint protection settings through comprehensive network mapping.
  • Continuously monitors the network to identify newly connected devices, ensuring that new assets are accounted for in security measures.
  • Enables early detection of potential threats through regular updates to asset inventories and identification of anomalous behavior.
  • Does not directly deploy protection tools but provides valuable insights to enhance their effectiveness in securing ICT systems.

Chapter II: Article 9
Requirement: Deploy preventive measures such as firewalls, encryption, and secure access controls to create layers of defense that protect sensitive data and critical infrastructure.
Support: Indirect
How runZero Helps:
  • Provides detailed visibility into assets and their vulnerabilities, helping to identify areas needing additional protection.
  • Supports the effective deployment of threat detection tools by offering accurate asset data for monitoring.
  • Assists in optimizing firewall and endpoint protection settings through comprehensive network mapping.
  • Identifies areas needing stronger access controls by highlighting assets that are exposed or accessible without adequate restrictions, ensuring that critical systems and data have proper safeguards in place.
  • Continuously monitors the network to identify newly connected devices, ensuring that new assets are accounted for in security measures.
  • Aids in identifying critical infrastructure components that require enhanced encryption and access controls.
  • Helps identify gaps in firewall rules and encryption practices by highlighting unprotected or exposed assets.
  • Enables early detection of potential threats through regular updates to asset inventories and identification of anomalous behavior.
  • Does not directly deploy protection tools like firewalls or encryption but provides valuable insights to enhance their effectiveness in securing ICT systems and protecting sensitive data.

Detection

Chapter II: Article 10
Requirement: Establish protocols for analyzing detected threats and vulnerabilities, ensuring that incidents are prioritized based on their severity and potential impact.
Support: Indirect
How runZero Helps:
  • Provides detailed data on detected vulnerabilities and exposures, aiding in threat analysis.
  • Helps assess the severity and potential impact of incidents through asset and network visibility.
  • Supports the prioritization of incidents by identifying critical assets and their vulnerabilities.
  • Does not directly establish protocols but supplies the data needed for effective threat analysis and prioritization.

Learning and Evolving

Chapter II: Article 13
Requirement: Encourage a culture of learning and adaptation within the organization, fostering an environment where staff are encouraged to stay updated with the latest security trends.
Support: Indirect
How runZero Helps:
  • Provides insights into new vulnerabilities and emerging risks, helping staff stay informed about the latest security trends.
  • Enables security teams to identify gaps and areas needing improvement, promoting a mindset of continuous learning.
  • Supports informed decision-making and discussions around evolving security challenges.
  • Does not directly create training programs or cultural initiatives but offers data that can be used to support education and awareness efforts.

Chapter II: Article 13
Requirement: Implement processes for continuous improvement in ICT resilience, using lessons learned from past incidents and changes in the threat landscape.
Support: Indirect
How runZero Helps:
  • Provides detailed insights into past incidents, including assets affected, associated vulnerabilities, security control gaps and weaknesses, and more.
  • Helps identify changes in the threat landscape that require adjustments to resilience strategies.
  • Supports iterative improvements by offering data to analyze the effectiveness of previous mitigations.
  • Does not directly implement improvement processes but provides the information needed for refining resilience measures.

Chapter II: Article 13
Requirement: Update risk management practices based on new knowledge and threat landscapes, ensuring that strategies evolve as threats become more sophisticated.
Support: Indirect
How runZero Helps:
  • Provides up-to-date visibility into emerging vulnerabilities and changes in the threat landscape relevant to assets affected across the network.
  • Helps identify new risks and exposures that require adjustments to existing strategies and mitigating controls.
  • Supports the continuous refinement of risk management practices with relevant data on evolving threats.
  • Does not directly update strategies but supplies the information needed for making informed adjustments.

Further Harmonisation of Risk Management Tools

Chapter II: Article 15
Requirement: Adopt standardized tools and methods for ICT risk management, ensuring consistency across all departments and entities within the organization.
Support: Indirect
How runZero Helps:
  • Provides a consistent asset inventory and vulnerability data across all departments and entities.
  • Supports the use of standardized risk assessment methods by offering uniform data and insights.
  • Helps ensure that all parts of the organization have a similar view of risks, aiding in consistent decision-making.
  • Does not directly provide risk management tools but offers the data needed for applying standardized methods effectively.

Chapter II: Article 15
Requirement: Facilitate harmonization across group entities for consistent risk management, ensuring that subsidiaries and branches follow the same principles.
Support: Indirect
How runZero Helps:
  • Provides consistent visibility into assets and vulnerabilities across all entities, aiding in standardized risk assessment.
  • Helps identify risks and exposures uniformly, ensuring that subsidiaries and branches adhere to the same security standards.
  • Supports centralized monitoring, enabling a unified approach to managing and addressing risks.
  • Does not directly enforce risk management policies but supplies the data necessary for maintaining consistency across the organization.

Harmonisation of Reporting Content and Templates

Chapter III: Article 20
Requirement: Include specific details in reports such as incident classification, timeline, root cause, and impact analysis to facilitate a comprehensive understanding of the incident.
Support: Indirect
How runZero Helps:
  • Provides asset and network data that can aid in incident classification and analysis.
  • Helps identify changes or anomalies that contribute to understanding the incident timeline and root cause.
  • Supplies visibility into affected assets, supporting impact analysis.
  • Does not directly generate incident reports but offers valuable data to enrich report details and analysis.

General Requirements for the Performance of Resilience Testing

Chapter IV: Article 24
Requirement: Establish a digital operational resilience testing program that includes regular testing of ICT systems, ensuring that all critical systems are evaluated for their ability to withstand disruptions.
Support: Indirect
How runZero Helps:
  • Provides detailed visibility into critical ICT systems and their configurations.
  • Helps identify vulnerabilities and potential weaknesses that should be included in resilience testing.
  • Aids in prioritizing critical systems for testing based on their role within the network.
  • Does not directly establish or conduct the testing program but supplies data to inform and focus testing efforts on areas most in need of evaluation.

Testing of ICT Tools and Systems

Chapter IV: Article 25
Requirement:
  • Perform regular testing of ICT tools and systems to evaluate their security and operational resilience, including vulnerability assessments and penetration tests.
  • Ensure that testing covers a broad range of scenarios, such as system failures, cyberattacks, and data breaches, to validate the effectiveness of controls.
  • Document the outcomes of each test, including identified weaknesses, remediation actions, and any residual risks that remain after mitigation efforts.
  • Integrate testing results into the ICT risk management framework to inform future risk assessments and decision-making processes.
Support: Indirect
How runZero Helps:
  • Provides comprehensive visibility into assets and vulnerabilities, aiding in identifying targets for testing.
  • Helps prioritize areas for vulnerability assessments and penetration tests based on asset details and exposure data.
  • Supports scenario testing by mapping out network structure and identifying critical assets.
  • Does not directly conduct tests or document outcomes but offers data for documenting identified weaknesses and planning remediation.
  • Facilitates the integration of testing results into broader ICT risk management by providing insights into asset and exposure changes.

Requirements for Testers Carrying Out Resilience Testing

Chapter IV: Article 27
Requirement: Provide testers with clear instructions and access to relevant systems and data, while ensuring that testing activities are conducted within defined boundaries to avoid unintentional disruptions.
Support: Indirect
How runZero Helps:
  • Provides detailed asset inventory and system visibility, helping to identify target systems for testing.
  • Supplies information on vulnerabilities and potential exposures, aiding testers in focusing their efforts.
  • Assists in defining testing scope by mapping out network boundaries and sensitive areas.
  • Does not directly manage or conduct penetration tests but offers the data needed for informed and controlled testing activities.

General Principles

Chapter V: Article 28
Requirement: Establish comprehensive management practices for ICT third-party risk, ensuring that risks from outsourcing are thoroughly identified, monitored, and mitigated across all service relationships.
Support: Indirect
How runZero Helps:
  • Provides visibility into third-party assets and their interactions within the network.
  • Helps identify risks associated with third-party services through detailed asset and vulnerability data.
  • Assists in monitoring changes that could indicate emerging risks from outsourced services.
  • Does not directly manage third-party risks but supplies the data needed for effective risk identification, monitoring, and mitigation.

Chapter V: Article 28
Requirement: Develop policies for selecting, contracting, and managing ICT third-party providers, with a focus on maintaining operational resilience and minimizing risks associated with dependencies on external service providers.
Support: Indirect
How runZero Helps:
  • Offers visibility and insights into dependencies on third-party assets and services within the organization.
  • Helps identify potential risks associated with third-party providers by mapping their assets and potential impact on the network.
  • Supports risk assessments that inform policy development and management of third-party relationships.
  • Does not directly create or manage policies but provides data to support policy-making and risk minimization.

Chapter V: Article 28
Requirement: Regularly assess the impact of third-party services on critical operations, revisiting these assessments to adjust for changes in service providers or operational needs.
Support: Indirect
How runZero Helps:
  • Provides visibility into third-party assets and their connections within the organization.
  • Identifies changes in third-party service configurations that may affect security.
  • Aids in evaluating the impact of these services on critical operations through detailed asset data.
  • Does not directly conduct assessments but provides crucial data for ongoing evaluation and adjustment.

Ongoing Oversight

Chapter V: Article 40
Requirement: Monitor changes in the operations or structure of critical ICT providers that could impact their ability to provide secure services.
Support: Indirect
How runZero Helps:
  • Offers detailed asset discovery and inventory, highlighting changes in connected systems and infrastructure.
  • Helps identify shifts in asset configurations or network structure that may indicate changes in provider operations.
  • Supports security teams in assessing the impact of these changes on overall security posture.
  • Does not directly monitor ICT provider operations but provides data to inform such assessments.

Information-sharing Arrangements on Cyber Threat Information and Intelligence

Chapter VI: Article 45
Requirement: Establish information-sharing arrangements among financial entities to enhance awareness of cyber threats, vulnerabilities, and best practices within the industry.
Support: Indirect
How runZero Helps:
  • Provides comprehensive visibility into all assets, including IoT and OT devices.
  • Helps identify vulnerabilities and exposures, enhancing threat detection accuracy.
  • Enables sharing of accurate and relevant data with other security tools.
  • Does not directly handle the exchange of threat intelligence but ensures high-quality data input for such exchanges.

© Copyright 2025 runZero, Inc. All Rights Reserved