Subscribe to the Non-Human & AI Identity Journal

How do security teams know if DORA control evidence is actually working?

Control evidence is working when it can be regenerated from live telemetry, not manually reconstructed for an audit. If the same register, dependency map, or control assertion changes materially when the environment changes, the programme has continuous assurance. If it does not, the evidence is stale.

Why This Matters for Security Teams

DORA evidence is only meaningful if it proves control operation under real conditions, not just policy existence. For regulated firms, that distinction affects audit readiness, incident response, and management accountability. A dependency map that is accurate only at quarter-end cannot support operational resilience claims when a provider outage, configuration drift, or access change happens mid-cycle. The standard is evidence that can be regenerated from systems of record and live telemetry, not reconstructed after the fact.

This is especially important because DORA expects firms to demonstrate ICT risk management, testing, and oversight across critical services, including third-party dependencies. Security teams often overestimate the value of static screenshots, manual registers, and spreadsheet attestations because they look complete in an audit pack. Current guidance from DORA — Digital Operational Resilience Act and control evidence practices in NIST SP 800-53 Rev 5 Security and Privacy Controls points toward traceability, repeatability, and timely refresh. In practice, many security teams discover weak evidence quality only after a control failure or supervisory challenge has already exposed the gap.

How It Works in Practice

Working evidence is generated from operational sources that already reflect the current state of the environment. For DORA, that usually means tying each control assertion to a source of truth such as CMDB data, cloud inventory, IAM logs, ticketing records, backup telemetry, vulnerability feeds, or resilience test outputs. The evidence should show not only that a control exists, but that it is exercised, monitored, and producing measurable results.

A practical implementation pattern is to define each control around three layers:

  • Control intent: what the control is supposed to prevent, detect, or recover.
  • Operational signal: the telemetry or system event that proves the control is active.
  • Evidence output: the report, log extract, dashboard, or signed record generated from that signal.

That model helps teams avoid stale artifacts. For example, an access review is stronger when it is regenerated from current identity data and revocation logs than when it is manually assembled from email approvals. Likewise, resilience evidence is more credible when it includes actual restoration test outcomes, dependency failures, and timestamped change records. NHIMG’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives is useful here because the same evidence discipline applies to non-human identities, service accounts, and API keys that sit inside DORA-scoped services. Where those identities are hidden, evidence tends to become cosmetic rather than operational.

Teams should also validate evidence freshness. A control can be technically “present” while the data behind it is no longer current. That matters for third-party dependencies, privileged access, backup integrity, and incident response playbooks. DORA-aligned evidence should be reproducible, timestamped, and linked to the operating environment so that changes in the environment change the evidence automatically. These controls tend to break down when ownership is split across operations, risk, and compliance because no single team owns the telemetry pipeline that keeps evidence current.

Common Variations and Edge Cases

Tighter evidence requirements often increase operational overhead, requiring organisations to balance audit convenience against automation cost. That tradeoff is real when systems are legacy, outsourced, or highly fragmented. Current guidance suggests that not every control needs the same evidence depth, but high-impact ICT controls, critical dependencies, and recovery capabilities should have the strongest proof.

Edge cases appear when the control is partly manual, partly automated, or dependent on third parties. In those environments, evidence may need to combine machine-generated telemetry with documented sign-off, but the manual portion should be narrow and clearly bounded. There is no universal standard for this yet, so firms should be explicit about which records are authoritative, how often they refresh, and who can attest to exceptions. That is also where NHI governance intersects with DORA: service accounts, API keys, and automation tokens often drive the control process itself, so weak NHI hygiene can make otherwise sound evidence unreliable. The NHIMG research on The State of Non-Human Identity Security shows why this matters operationally when visibility and rotation are poor. For control evidence to hold up, the underlying identities that generate it must be visible, monitored, and revocable. In practice, evidence usually fails in hybrid estates where cloud, SaaS, and on-prem records do not reconcile cleanly and the control owner cannot prove which system is the current source of truth.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while DORA define the regulatory obligations.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.OC-01 DORA evidence needs clear operational outcomes and accountability.
DORA The question is directly about proving operational resilience controls work.
NIST SP 800-53 Rev 5 CA-7 Continuous monitoring is central to evidence that stays current.

Link each control to ongoing monitoring data, not periodic manual snapshots.