DORA · EU 2022/2554 · applies since Jan 2025

ICT vulnerability management for DORA

DORA's ICT risk-management framework (Article 9) expects financial entities to identify, assess and remediate vulnerabilities in their ICT assets — including third-party components. IsItPatched delivers that from an SBOM — a component inventory, known and actively-exploited CVEs, prioritisation, the minimum safe version, end-of-life tracking and exportable evidence.

1046 actively-exploited CVEs across 613 tracked products right now

Built for financial entities & their ICT providers

Financial entities

Banks, insurers, investment & payment firms, crypto-asset service providers. Evidence the vulnerability-management part of your ICT risk framework without new tooling.

ICT third-party providers

Serving regulated clients? Show component transparency and a vulnerability-handling process they can rely on in their third-party assessments.

Risk & resilience teams

A repeatable record: inventory ICT components, prioritise by exploitation, track remediation and end-of-life.

DORA → what IsItPatched gives you

Identify vulnerabilities (Art. 9)

Scan a CycloneDX/SPDX SBOM to identify and assess vulnerabilities across the components in your ICT assets — protection & prevention under Article 9.

Scan an SBOM →

Prioritise the real exposure

CVEs ranked by actively-exploited (CISA KEV) and high-EPSS status, so urgent and out-of-cycle patching is justified by exploitation evidence rather than by CVSS score alone.

See actively-exploited CVEs →

Third-party transparency

The SBOM inventory of third-party & open-source components supports your ICT third-party risk assessments.

Open your dashboard →

End-of-life & evidence

End-of-life tracking flags ICT assets that can no longer be patched; export a risk register and VEX as evidence.

End-of-life calendar →

Export your evidence — today, free

  • Per-component vulnerability scan of your CycloneDX / SPDX SBOM (matched against OSV)
  • CycloneDX VEX document (exploitability + remediation per component)
  • Software risk register (CSV / print-to-PDF) citing the exact versions you run
  • A prioritised, known-exploited-first patch queue — your ICT risk-management record
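What these four artefacts look like when produced from an SBOM, as an added example rather than IsItPatched's own code: the script below takes a constructed CycloneDX SBOM and a constructed set of OSV-style matches enriched with KEV and EPSS data (placeholder CVE ids and purls, an assumed EPSS threshold of 10%, and a custom `cisa:kev` property that is not a CycloneDX taxonomy entry), orders them known-exploited-first, derives the minimum safe version per component, and emits a CycloneDX 1.5 VEX document with an analysis state and response per CVE. Everything is inline, so it runs offline; in a real pipeline the matches come from OSV and the exploitation data from CISA KEV and FIRST EPSS.

```python
"""Known-exploited-first patch queue, minimum safe version and CycloneDX VEX from an SBOM.

Added example, not IsItPatched code. SBOM, matches, KEV flags and EPSS scores are
constructed inline (placeholder CVE ids and purls) so this runs offline.
"""
import json
from datetime import datetime, timezone

EPSS_HIGH = 0.10  # assumed threshold: EPSS >= 10% is treated as "high" here

# Constructed CycloneDX 1.5 SBOM: the component inventory (bom-ref == purl).
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"bom-ref": "pkg:pypi/example-http@1.2.0", "type": "library",
         "name": "example-http", "version": "1.2.0", "purl": "pkg:pypi/example-http@1.2.0"},
        {"bom-ref": "pkg:npm/example-parser@4.0.1", "type": "library",
         "name": "example-parser", "version": "4.0.1", "purl": "pkg:npm/example-parser@4.0.1"},
        {"bom-ref": "pkg:deb/debian/example-tls@3.0.7", "type": "library",
         "name": "example-tls", "version": "3.0.7", "purl": "pkg:deb/debian/example-tls@3.0.7"},
    ],
}

# Constructed output of the OSV match + KEV/EPSS enrichment step: one row per (CVE, component).
MATCHES = [
    {"id": "CVE-2099-0001", "ref": "pkg:pypi/example-http@1.2.0", "fixed": "1.2.4",
     "kev": False, "epss": 0.02, "cvss": 9.8},
    {"id": "CVE-2099-0002", "ref": "pkg:npm/example-parser@4.0.1", "fixed": "4.1.0",
     "kev": True, "epss": 0.91, "cvss": 7.5},
    {"id": "CVE-2099-0003", "ref": "pkg:deb/debian/example-tls@3.0.7", "fixed": None,
     "kev": False, "epss": 0.35, "cvss": 5.3},
    {"id": "CVE-2099-0004", "ref": "pkg:pypi/example-http@1.2.0", "fixed": "1.2.2",
     "kev": False, "epss": 0.01, "cvss": 4.3},
]


def priority(m):
    """Sort key: in CISA KEV first, then EPSS at/above threshold, then CVSS descending.
    A CVSS 9.8 nobody exploits (CVE-2099-0001) lands below a CVSS 7.5 that is in KEV."""
    return (not m["kev"], m["epss"] < EPSS_HIGH, -m["cvss"], m["id"])


def patch_queue(matches):
    return sorted(matches, key=priority)


def _vtuple(v):
    return tuple(int(p) for p in v.split("."))  # dotted-numeric versions only


def minimum_safe_versions(matches):
    """Per component: lowest version clearing *every* known CVE, or None if any CVE has no fix."""
    safe = {}
    for m in matches:
        ref = m["ref"]
        if m["fixed"] is None or (ref in safe and safe[ref] is None):
            safe[ref] = None  # one unfixed CVE pins the whole component as unpatchable
        elif ref not in safe or _vtuple(m["fixed"]) > _vtuple(safe[ref]):
            safe[ref] = m["fixed"]
    return safe


def build_vex(sbom, matches):
    """CycloneDX 1.5 VEX: one entry per CVE with analysis state, response and upgrade target."""
    refs = {c["bom-ref"] for c in sbom["components"]}
    safe = minimum_safe_versions(matches)
    vulns = []
    for m in patch_queue(matches):
        if m["ref"] not in refs:
            raise ValueError(f"{m['id']} references a component not in the SBOM: {m['ref']}")
        target = safe[m["ref"]]  # None when the component cannot be made fully safe by upgrading
        entry = {
            "id": m["id"],
            "source": {"name": "OSV", "url": f"https://osv.dev/vulnerability/{m['id']}"},
            "ratings": [
                {"score": m["cvss"], "method": "CVSSv31"},
                {"score": m["epss"], "method": "other", "source": {"name": "EPSS"}},
            ],
            "analysis": {
                # Exploitation evidence, not CVSS, decides whether it is "exploitable" today.
                "state": "exploitable" if m["kev"] or m["epss"] >= EPSS_HIGH else "in_triage",
                "response": ["update"] if target else ["can_not_fix"],
                "detail": (f"Upgrade to {target}" if target
                           else "No fixed version published; apply compensating controls"),
            },
            "affects": [{"ref": m["ref"]}],
        }
        if m["kev"]:  # custom property name (assumption), not a CycloneDX taxonomy entry
            entry["properties"] = [{"name": "cisa:kev", "value": "true"}]
        vulns.append(entry)
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds")},
        "vulnerabilities": vulns,
    }


if __name__ == "__main__":
    for m in patch_queue(MATCHES):
        print(f"{m['id']}  kev={m['kev']!s:5} epss={m['epss']:.2f} cvss={m['cvss']}  {m['ref']}")
    print(json.dumps(build_vex(SBOM, MATCHES), indent=2))
```

Two details matter for the evidence trail. The upgrade target in each VEX entry is the component's minimum safe version, not the fix version of that one CVE (CVE-2099-0004 is fixed in 1.2.2, but the register should say 1.2.4 because another CVE on the same component needs it), and a component with any unfixed CVE is reported as `can_not_fix` so it surfaces for compensating controls or end-of-life review rather than disappearing into the "update" bucket.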

Sign in (free, no password) to sync your component stack and generate these from your dashboard.

Straight with you: DORA is broad — governance, incident classification & reporting, threat-led penetration testing, third-party registers and contractual terms, and more. IsItPatched is an informational tool (NVD · CISA KEV · OSV · endoflife.date) that helps with the software-vulnerability identification, prioritisation and component-transparency slice of ICT risk management (Art. 9). It is not legal advice and not a supervisory assessment of compliance. Disclaimer.

DORA — frequently asked

What is DORA?

The Digital Operational Resilience Act (Regulation EU 2022/2554) is the EU rulebook for ICT risk in the financial sector. It has applied since 17 January 2025 to banks, insurers, investment firms, crypto-asset service providers and many other financial entities, and it reaches the ICT third-party providers that serve them through mandatory contractual requirements and, for providers designated critical, direct oversight. It covers ICT risk management, incident reporting, resilience testing, third-party risk and information sharing. Identifying and remediating vulnerabilities in ICT assets sits within the ICT risk-management framework (Article 9 — protection and prevention).

How does IsItPatched help with DORA?

It supports the vulnerability-management and component-transparency parts: scan a CycloneDX/SPDX SBOM to inventory the third-party and open-source components in your ICT assets, identify and prioritise their known and actively-exploited (CISA KEV) vulnerabilities, see the minimum safe version, track end-of-life, and export a risk register / VEX as evidence for your ICT risk-management framework and third-party assessments.

Does IsItPatched make us DORA compliant?

No. DORA is broad — governance, incident classification and reporting, threat-led penetration testing, third-party registers and contractual requirements, and more. IsItPatched helps with the software-vulnerability identification, patch prioritisation and component-transparency slice of ICT risk management. It is informational, built on public data — not legal advice and not a supervisory assessment.

Subject to more than one regime? See all our compliance editions →