Technical Reference ยท Updated 2026

DORA Server Hardening Requirements

The complete checklist of server hardening controls required by DORA, mapped to Commission Delegated Regulation (EU) 2024/1774 (RTS on ICT risk management). 8 control domains, 60+ specific requirements.

RTS 2024/1774 15 min read May 2026

TL;DR

DORA does not publish a single "server hardening" checklist. The requirements are distributed across RTS 2024/1774 (ICT risk management framework) โ€” specifically Articles 4-15 covering ICT security policies, access management, cryptography, ICT operations, network security, and vulnerability management. This page consolidates them into a single auditable hardening reference.

The 8 Control Domains

Server hardening under DORA is governed by eight interlocking control domains. Each maps to specific articles of RTS 2024/1774 and applies to all ICT systems supporting Critical or Important Functions (CIFs).

1. Identity & Access

Strong authentication, MFA, privileged access management, least privilege.

2. Cryptography

Encryption at rest and in transit, key management, certificate lifecycle.

3. Configuration

Secure baselines, change management, hardening templates.

4. Network Security

Segmentation, firewalls, intrusion detection, secure protocols.

5. Vulnerability Mgmt

Scanning, patching, remediation timelines tied to severity.

6. Logging & Monitoring

Centralised logs, integrity protection, retention, real-time alerting.

7. Endpoint Protection

EDR, anti-malware, hardened OS images, application control.

8. Backup & Recovery

Offline backups, integrity verification, tested recovery time objectives.

Domain 1 — Identity & Access Management

RTS 2024/1774 Art. 21 requires ICT systems supporting CIFs to enforce strong authentication, segregation of duties, and continuous review of privileged access. Specific server hardening controls:

  • MFA enforced for all administrative access (SSH, RDP, console, web admin panels) — password-only access disabled
  • Privileged Access Management (PAM) with session recording, just-in-time elevation, and break-glass procedures documented
  • No shared service accounts — every account tied to a named individual or a dedicated technical identity
  • SSH key authentication only, password authentication disabled in /etc/ssh/sshd_config
  • Local admin accounts deleted or rotated automatically every 24h via password vault
  • Quarterly access review with documented sign-off by the system owner
  • Account lockout after 5 failed attempts, alerting to SOC

Domain 2 — Cryptography & Encryption

RTS 2024/1774 Art. 6 requires encryption of data at rest and in transit, with documented key management. Specific server requirements:

  • TLS 1.2 minimum, TLS 1.3 preferred, weak ciphers disabled (no SSL 3.0, TLS 1.0, RC4, 3DES, MD5)
  • Disk encryption on all servers handling client data (LUKS on Linux, BitLocker on Windows)
  • HSTS enabled with min-age 31536000, preload, includeSubDomains
  • Certificate lifecycle managed: max 90 days for public certs, automated renewal, OCSP stapling
  • Key management policy documented: rotation, escrow, destruction; HSM for high-value keys
  • Database encryption for any database storing personal data or transactional records

Domain 3 — Secure Configuration & Change Management

RTS 2024/1774 Art. 14 requires documented secure configuration baselines and a formal change management process. Server hardening practices:

  • Hardened baselines per OS family (CIS benchmarks, STIG) enforced via configuration management (Ansible, Puppet, Chef, Salt)
  • Default credentials removed on all components: OS, hypervisor, database, application server, network device
  • Unnecessary services disabled: telnet, FTP, rsh, X11 forwarding by default, sample apps removed
  • Banner suppression: server software version not exposed in HTTP headers, SMTP banners, FTP banners
  • Change management workflow with approval, test, rollback plan, and post-change verification documented
  • Drift detection: automated compliance scanning detects unauthorised configuration changes within 24h
  • Golden image policy: production servers spawned from validated templates; no manual installs in production

Domain 4 — Network Security

RTS 2024/1774 Art. 13 requires network segmentation and traffic filtering for ICT systems supporting CIFs:

  • Network segmentation: production isolated from corporate, DMZ between internet and internal services
  • Default-deny firewall with documented inbound/outbound rules per server role
  • Management plane isolated on dedicated VLAN with jump-host access only
  • IDS/IPS deployed at network borders with signatures updated daily
  • DDoS protection active for internet-facing services (CDN/WAF/scrubbing)
  • Egress filtering: outbound connections from servers limited to documented destinations
  • VPN with MFA required for all remote administrative access; split-tunnel disabled

Domain 5 — Vulnerability Management

RTS 2024/1774 Art. 10 requires a documented vulnerability management process with patching SLAs based on severity:

SeverityCVSSPatch SLACompensating control if delayed
Critical9.0+72 hoursWAF rule, network isolation, monitoring escalation
High7.0–8.914 daysDocumented mitigation + risk acceptance
Medium4.0–6.930 daysTracked in risk register
Low0.1–3.9Next maintenance windowDocumented in next review
  • Authenticated vulnerability scanning at least monthly, all CIF-supporting servers
  • Threat intelligence feed integrated: MITRE, vendor advisories, sectoral CSIRTs, FS-ISAC
  • End-of-life software inventory tracked: no production EOL OS or unsupported versions
  • Penetration testing annually + after major changes (DORA Art. 24-25)

Domain 6 — Logging, Monitoring & Detection

RTS 2024/1774 Art. 15 requires comprehensive logging with integrity protection, retention, and real-time monitoring:

  • Centralised SIEM: all server logs aggregated; tamper protection; segregation of duties between log producers and reviewers
  • Log retention: minimum 12 months online (immediate query), 5 years archived for security-relevant events
  • Mandatory log sources: authentication, authorisation, configuration changes, system events, application errors, network flows
  • Time synchronisation: NTP enforced across all servers, time drift <200ms
  • SOC monitoring with 24/7 coverage for CIF-supporting servers (DORA Art. 17 detection requirements)
  • Use-case library covering MITRE ATT&CK techniques relevant to financial services
  • Mean-time-to-detect (MTTD) tracked per use case; quarterly review with remediation actions

Domain 7 — Endpoint & Workload Protection

  • EDR/XDR deployed on every server (production, staging, DR sites) with detection rules updated daily
  • Application allowlisting on critical servers (no arbitrary executable launches)
  • Container/Kubernetes hardening: rootless containers, read-only filesystem, network policies, admission controllers
  • Image scanning in CI/CD: no critical CVEs reach production
  • Secrets management: no hardcoded credentials; HashiCorp Vault, AWS Secrets Manager or equivalent

Domain 8 — Backup & Recovery

RTS 2024/1774 Art. 11-12 require backup integrity and tested recovery aligned with the RTO defined for each CIF:

  • 3-2-1-1 rule: 3 copies, 2 different media, 1 offsite, 1 immutable/offline
  • Backups encrypted at rest and in transit; restoration keys protected separately
  • Recovery testing: full restore exercise minimum annually; recovery point and time objectives validated against business requirements
  • Ransomware-resistant copies: at least one offline or immutable backup per system
  • Backup integrity verification: checksums monitored; failed backups alerted

Automate Hardening Tracking with Resiplan

Maintaining 60+ hardening controls across hundreds of servers manually is impossible at audit scale. Resiplan — the specialised SaaS for DORA, business continuity and GRC — provides a built-in hardening control library mapped to RTS 2024/1774, with continuous evidence collection, drift alerts, and audit-ready reports.

Try Resiplan Free

Frequently Asked Questions

Does DORA mandate a specific hardening standard like CIS or STIG?

No. DORA is principle-based: it requires effective hardening but does not prescribe a specific framework. The most defensible approach is to adopt CIS Benchmarks or STIG as the technical baseline and document the mapping to RTS 2024/1774 articles.

Do hardening requirements apply to non-CIF servers?

Hardening controls in RTS 2024/1774 apply with higher intensity to ICT systems supporting CIFs. Non-CIF systems must still meet baseline ICT security requirements (proportionality principle, DORA Art. 4) but with less-strict SLAs and evidence requirements.

How often must hardening be re-validated?

Continuous configuration monitoring is expected (drift detection) plus a formal annual review. After any material change (OS upgrade, application migration, infrastructure refactor), re-validation is mandatory.

Is hardening covered by TLPT?

Indirectly. TLPT (Threat-Led Penetration Testing) exercises real attack scenarios and frequently expose hardening gaps as findings. A robust hardening programme typically reduces TLPT severity findings by 60-80%.

Related Resources

How Compliant Is Your Institution?

Take our free 5-minute assessment and get an instant DORA compliance score with personalised recommendations.

Get Your Free DORA Score Join Free Monthly Webinar