DEVOPSdigest

Azul announced that the integrated risk management practices for its OpenJDK solutions fully support the stability, resilience and integrity requirements in meeting the European Union’s Digital Operational Resilience Act (DORA) provisions.

With the upcoming DORA enforcement deadline of January 17, 2025, quickly approaching, thousands of EU financial organizations and companies around the world with business in the EU must act quickly to ensure their IT infrastructure meets stringent new operational resilience standards that potentially require significant time investments to fulfill.

DORA’s primary goal is to enhance the digital resilience of financial entities, mitigate risks associated with Information and Communications Technology (ICT) risks and ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruption. This includes risks from ICT service providers that deliver digital and data services through ICT systems to internal or external users; it also includes hardware services and technical support via software updates. Java is the programming language of choice for the Financial Services industry. According to the 2022 FINOS State of Open Source in Financial Services report, 51% of the code within the financial services data set is written in Java.

Azul’s comprehensive long-term support (LTS) Java versions ensure stability and ongoing security updates – including updates for older Java versions like versions 6 and 7— crucial for maintaining operational resilience under regulatory scrutiny. The company’s security features, comprehensive testing and compatibility with modern architectures and cloud environments provide a secure and scalable Java platform. With a proven track record in stability, reliability, and security, Azul’s Java solutions help customers meet the requirements of DORA.

The DORA regulation represents a significant shift in how financial institutions must approach their digital operational resilience, with non-compliance resulting in corporate fines of up to 2% of annual turnover and potential fines for individuals up to €1,000,000. This extensive regulation affects not only EU financial entities but also global organizations with EU operations or business relationships and third-party service providers.

According to Crucyble, the information security consulting firm that evaluated and assessed Azul’s DORA-related risk management practices: “Azul has made considerable efforts to comply with the Digital Operational Resilience Act (DORA) EU by implementing a robust governance framework, risk management protocols, incident response capabilities, and third-party risk management strategies. Through continuous monitoring, regular testing, including penetration tests, and comprehensive plans for ICT resilience and recovery, Azul demonstrates a strong commitment to ensuring operational continuity and resilience. The company is actively addressing the requirements of DORA EU to support its financial customers in maintaining operational integrity and security. Azul’s proactive stance ensures it is well-equipped to meet the evolving challenges of ICT risk management and digital operational resilience, reinforcing its readiness to support customers in complying with the DORA EU framework.”

Azul’s offering includes:

- Fully supported, OpenJDK distributions (Azul Platform Core and Azul Platform Prime) that ensure timely security updates and patches.

- Stabilized security-only updates across all Java versions, operating systems and architectures.

- Continuous vulnerability monitoring and accelerated remediation response time with Azul Intelligence Cloud.

- Expert guidance and support for migration from unsupported OpenJDK distributions.

To support financial entities in their DORA compliance efforts for the use of Java applications and Java-based infrastructure, Azul has outlined five essential steps:

- Develop and Implement an ICT Risk Management Framework. Unsupported OpenJDK distributions expose financial institutions to significant risks through unpatched vulnerabilities and performance issues. Azul provides the only commercially supported OpenJDK with stabilized, security-only patches across all Java versions, operating systems and architectures, ensuring applications remain resilient and compliant with ICT requirements.

- Establish an Incident Reporting Mechanism. Standard OpenJDK distributions often miss critical updates, leading to undetected incidents and non-compliance. Azul Intelligence Cloud provides continuous monitoring of vulnerabilities and dead code in production, enabling organizations to detect, report, and remediate issues faster.

- Conduct Regular and Rigorous Testing of ICT Systems. Outdated or vulnerable Java versions create unreliable test environments and false security assumptions. Azul maintains current and tested distributions for all Java versions, including 6 and 7, and architectures, including Windows x86 32-bit, enabling financial institutions to maintain accurate testing environments.

- Enhance Third-Party Risk Management Practices. Relying on unsupported OpenJDK distributions from third parties increases the risk of security breaches and operational failures. Azul’s fully supported builds of OpenJDK ensure that third-party Java-based applications and services meet the highest security and performance standards, reducing third-party risks.

- Facilitate Information Sharing on Cyber Threats. Unsupported Java installations often miss critical updates, creating weak links in security information chains. Azul’s supported distributions provide timely vulnerability updates and enable effective threat information sharing across organizations, strengthening collective cybersecurity efforts.

“As a trusted partner to our customers, we understand the complex challenges financial institutions face in meeting these stringent requirements,” said James Johnston, VP of EMEA at Azul. “With Java powering most critical financial systems, unsupported or vulnerable Java infrastructure puts DORA compliance at risk. Our solutions enable companies to accelerate their compliance efforts while reducing costs and complexity—critical factors given the rapidly approaching deadline.”