Understanding DORA Compliance When Using Duende Software SDKs

As the Digital Operational Resilience Act (DORA) comes into effect, many organizations are evaluating their software supply chain to ensure compliance. If your organization uses Duende Software SDKs, you may be wondering what responsibilities you have regarding DORA compliance.

Duende is committed to helping our customers stay compliant with upcoming regulatory changes regarding DORA. However, it is important to clarify that Duende does not provide digital and data services through ICT systems on an ongoing basis, nor do we provide support through software. Duende provides packages of code that developers leverage in building their own .NET applications, in the same way that .NET itself does not provide digital and data services through ICT systems via the NuGet packages that your developers are using.

In addition, we understand that many of our customers are seeking contractual addendums regarding DORA. However, these addendums are only meant for your critical ICT service suppliers in a downstream context.

In most instances, it is unlikely that Duende qualifies as a critical ICT service provider: as noted above, we only provide a binary library developer component and do not provide critical ICT services.

Your Responsibilities Under DORA

DORA focuses on the operational resilience of financial and critical service institutions, requiring them to have robust risk management, incident reporting, and third-party oversight. If you use Duende Software SDKs as part of your authentication or identity management systems, you should consider:

1. Software Supply Chain Security

2. Risk Management & Business Continuity

  • Assess how your reliance on Duende Software SDKs affects your operational resilience.
  • Have contingency plans in place in case an update or security vulnerability requires action.
  • Document your dependencies on Duende SDKs as part of your risk assessments.

3. Incident Handling & Vulnerability Management

  • Subscribe to our security advisories and monitor CVEs related to Duende Software products.
  • Implement internal processes to assess and mitigate risks when a vulnerability is disclosed.
  • Follow best practices for secure software development and deployment.

4. Third-Party Oversight

  • As a user of our SDKs, you are responsible for ensuring that the software is integrated and maintained in a way that aligns with applicable DORA requirements.
  • If you require compliance documentation, refer to our official security and lifecycle policies.
  • This document is provided for informational purposes only and is not intended to be legal or regulatory advice. Always consult your own legal and compliance advisors to ensure your compliance with DORA and other applicable regulations.

What Duende Software Provides

While DORA compliance is ultimately your responsibility, we provide:

  • Secure, regularly updated SDKs with a strong focus on software security best practices.
  • Clear documentation on software lifecycle policies, including version support and end-of-life schedules.
  • Transparency regarding security updates and vulnerability disclosures.

Summary

If your organization must be DORA-compliant, using Duende Software SDKs does not impose additional compliance burdens beyond standard software supply chain best practices. You are responsible for managing your integration, keeping software up to date, and incorporating risk management strategies into your operations. For further information, refer to our documentation or contact our support team.

By understanding and addressing these areas, you can confidently use Duende Software SDKs while ensuring compliance with DORA regulations.