In the past six months, two significant new regulations have come into force and now apply to businesses across the EU – and those who operate with them.
We’re talking about the Network and Information Systems Directive (NIS2), which was implemented in October 2024, and the Digital Operational Resilience Act (DORA), which was applied in January 2025.
In today’s article, we’ll take a closer look at how you can use your Atlassian tools to support your DORA compliance efforts. Whilst NIS2 is also a vital regulation – and we will touch on it – we’ll focus our attention on DORA, as the more recent legislation.
With heavy sanctions in place for those who don’t comply, it’s likely you’ve already taken measures to meet the requirements of DORA and/or NIS2. But if your compliance efforts are delayed or you’re still finding your feet, this piece may come in handy.
We’ll start with some basic definitions before moving on to a closer look at the relationship between DORA and your Atlassian tools.
What is DORA?
The Digital Operational Resilience Act (DORA) first came into force in January 2023, designed to strengthen the resilience of organisations in the financial sector. Now, over two years on, the regulation has been applied (on 17th January 2025) – meaning affected businesses will now need to comply with its key principles or risk receiving sanctions like fines.
Who is impacted by DORA?
According to figures from PwC, over 22,000 financial entities and ICT service providers will be affected by the legislation. Banks, insurance companies and payment service providers are all subject to DORA, alongside critical third-party providers that serve financial firms. Organisations within the EU will need to comply, alongside UK firms who may operate within the European Union.
Why was DORA introduced?
The threat to IT security remains at an all-time high, so DORA seeks to embed a standard level of IT security and resilience across the financial sector. By asking all relevant financial entities to follow ‘uniform rules on the security of network and information systems’, the aim is that all organisations have a base layer of robust processes to protect them.
How do you comply with DORA?
A disclaimer before we begin. We are not legal professionals here at AC, and nothing in this article constitutes legal advice. Always contact a trained professional. It’s also worth saying that the DORA legislation includes a whole host of technical detail that we simply cannot cover in a piece like this – so this is a high-level exploration. We are, however, Atlassian champions and experts. So we really do know our stuff when it comes to the Atlassian System of Work – and would always encourage you to talk to us if you need best practice support and guidance.
DORA covers the following key areas:
- ICT Risk Management
- ICT-related incident reporting
- Digital Operational Resilience Testing
- ICT Third Party Risk Management
- Information Sharing Arrangements
Within each of these areas are a number of requirements that firms will need to meet (to understand the full scope of DORA, we’d recommend reviewing the summary from EUR-Lex).
How can Atlassian users comply with DORA?
Undoubtedly, most financial entities will already have robust IT and information security procedures in place. We imagine much of the below is likely embedded in your organisation, perhaps supported by your Atlassian tools.
However, it’s still worth us taking a look at each of those five key areas, and understanding how the Atlassian System of Work aligns with your compliance efforts.
Risk management
One of the key actions you’ll need to take (or have hopefully already taken) is to embed a robust risk management framework, which should include all systems, roles and processes, and the potential hazards to each of these. Risk assessments should be regularly undertaken and you should have well-documented risk management policies.
This framework should be a live entity, continually reviewed and stress-tested to ensure that it remains fit for purpose.
How can you use Atlassian tools to support risk management?
We’d recommend using Confluence – a product that sits at the heart of the Atlassian System of Work – to manage your risk management documentation.
From capturing the results of gap analysis work and identifying your list of tooling, to writing your policies and documenting your incident response process, Confluence enables simple, secure collaboration and sharing.
💡 Tip!
For greater security and improved document management, you could also explore an Atlassian Marketplace third-party app, such as Compliance for Confluence, created by our colleagues at AppFox.
Control your documentation and manage access with powerful data classification levels, and protect high-risk information with sensitive data detection and redaction. Try it free today on the Atlassian Marketplace.
Incident response and reporting
In line with DORA guidance, you should have clearly detailed incident reporting procedures, which ensure that information security breaches or leaks are reported correctly to the relevant authorities and bodies.
Staff training is also key here, to ensure everyone understands their roles and responsibilities if/when an incident occurs.
How can you use Atlassian tools to support incident response and reporting?
If you’re using Jira Service Management, make use of its powerful automation engine to create custom workflows and automated actions to alert and escalate incidents quickly and securely. You can automatically categorise incidents (such as ‘critical’) and assign them to users.
When JSM is integrated with Jira, your software development team can seamlessly pick up the ticket to investigate, and by integrating with Confluence, you can seamlessly refer back to incident reporting policy and procedure documentation, all within a secure and connected ecosystem.
Resilience testing
To maintain operational resilience in line with DORA, it’s vital to undertake regular testing, from pen testing to scenario analysis. You should have a documented testing strategy for your own self-hosted tools and software, and be clear on resilience testing measures taken by third-party providers, too, like your Cloud hosting provider.
Atlassian Cloud, for example, is hosted on AWS, which is noted for its high availability and performance. You can read more here about Atlassian’s approach to resilience.
Information sharing
From timely reporting, in line with industry requirements and your own documented response plan, to sharing best practice with other firms in your field, DORA promotes secure and collaborative information sharing.
This can increase awareness of potential threats and contribute towards collective security across the financial industry.
How can you use Atlassian tools to support information sharing?
Again, using a collaboration platform like Confluence is ideal for collecting and distributing information, particularly with its access and permission controls, both native and via Atlassian Marketplace apps.
Third-party risk management
We all use a range of third-party tools in our day-to-day work and, under DORA, it’s essential that all your providers comply with the regulation’s guidance. This requires action on your part to identify and risk-assess all relevant third-party tools, to understand how they meet DORA requirements, and to continue to monitor them.
Your suppliers may also have to provide information that demonstrates their compliance with DORA.
How do Atlassian tools support DORA compliance?
If you’re an Atlassian Cloud user, you’ll need to understand how Atlassian manages risk, testing and security measures – and how it ultimately complies with the principles of DORA. To support customer organisations with this, Atlassian has published a DORA compliance guide in its Trust Center.
Are you unsure if your tooling is DORA compliant? Talk to us!
Using Atlassian tools to comply with DORA
Your Atlassian toolset – and wider tech stack – aren’t going to answer your DORA compliance prayers – but secure, intuitive and powerful technology does play a part in your compliance efforts.
From secure and centralised policy documentation (Confluence) to powerful incident response handling (Jira Service Management), your Atlassian tooling can contribute to successful risk management, incident response, information sharing and more.
And what about NIS2?
Of course! We did say we’d touch on NIS2, the older of the two recent regulations, although equally important.
NIS2 came into effect in October 2024, so just under six months ago at the time of writing. An extension of the original NIS directive, it seeks to strengthen a shared foundation of cybersecurity across the EU.
Whilst DORA primarily impacts firms operating in the financial sector, NIS2’s scope is broader, impacting all ‘essential’ sectors, such as energy, healthcare and transport. Finance is included within this list, so there is some overlap with DORA.
Compliance, collaboration and communication
At the heart of strong information security processes, and DORA and NIS2 compliant processes, lies your organisational culture. For truly secure and compliant workplaces, you need to encourage ongoing training and education, the sharing of centralised information and best practice, and a collective sense of accountability across your teams.
With people at the forefront of our services, we can guide you through organisational transformation and compliance work, supporting with stakeholder engagement, delivering training and change management. And if you’re seeking a tooling change, either from self-hosted to Cloud, or a move to Atlassian Cloud from a different platform entirely, we can guide you to long-term success with our migration and implementation consultancy services.
Why not talk to us today?
If you’d like to learn more about DORA and NIS2, book a free 30-min consultation with one of our experts now!