Why teams search for a “tjekliste DORA” — and why architecture is the missing piece
Search for tjekliste dora and you will find long lists of governance tasks, policy requirements, and security processes. Most of them read like internal audit documentation: risk registers, vendor oversight, incident procedures, board accountability, and reporting obligations. Those lists are useful, but they miss a practical reality inside engineering teams.
Compliance frameworks rarely fail because the organization forgot to write a policy. They fail because the software architecture does not support the operational controls the policy promises.
Example: a company writes an incident response policy that promises traceability and monitoring across services. But the platform team never implemented structured logging or trace propagation across the services that actually run the system. The policy exists; the architecture cannot support it.
That gap is where most DORA readiness work actually lives.
Engineering leaders therefore search for a "tjekliste dora" not just to satisfy auditors but to translate regulatory expectations into concrete technical architecture. What must exist in the system? What must exist in CI/CD? What artifacts should engineering teams produce automatically?
This guide takes a different angle from typical compliance checklists. Instead of summarizing regulatory articles, it focuses on architecture artifacts and engineering practices that make DORA-style operational resilience achievable in real systems.
If you're an enterprise architect, platform engineer, or compliance officer working with development teams, the goal is straightforward: your system architecture should make compliance the default state rather than an afterthought.
The checklist below reflects what engineering teams actually need to implement and document.
Tjekliste DORA Step 1: Architecture documentation that auditors can follow
The first item in any practical tjekliste dora is architecture clarity. Regulators and internal risk teams need to understand how the system works, where dependencies live, and which components handle critical functions.
This sounds obvious, but many teams still operate with architecture knowledge scattered across whiteboards, Slack threads, and outdated wiki diagrams.
A compliance-ready architecture baseline should include:
• A system component model • Service boundaries and responsibilities • External dependencies and vendors • Data flows between components • Security boundaries • Deployment topology
ArchiMate models are particularly useful for this because they connect business capabilities, applications, and infrastructure in one coherent structure. Instead of static diagrams, the architecture becomes a model that can produce multiple artifacts: diagrams, decision records, and system documentation.
A practical architecture artifact set typically includes:
| Artifact | Purpose | Who Uses It |
|---|---|---|
| Architecture model | Shows services, boundaries, and dependencies | Architects, auditors |
| Architecture decision records | Documents design choices and rationale | Engineering leadership |
| Deployment architecture | Shows runtime infrastructure and environments | DevOps and security teams |
| Dependency map | Identifies external services and vendors | Risk management |
Many compliance reviews fail because architecture documentation exists only after the system is already running. When documentation is generated directly from the architecture model, the artifacts remain consistent with the system implementation.
Modern architecture-to-code tooling pushes this further. Instead of architecture diagrams describing software, the architecture model becomes the source of truth for generating the system scaffolding itself.
That approach ensures the architecture is not just documentation—it becomes executable design.
Tjekliste DORA Step 2: Identity, authentication, and session handling
Security controls frequently appear in compliance checklists, but they often remain abstract: "implement strong authentication" or "protect user sessions." Engineering teams still have to translate those expectations into concrete implementation patterns.
A practical architecture checklist should therefore answer:
• Where authentication happens • How sessions are stored • How user identity propagates across services • How secrets are handled
One common architectural pitfall is storing authentication tokens in browser localStorage, which increases exposure to cross-site scripting attacks.
A safer approach is cookie-based session handling using httpOnly cookies so client-side scripts cannot access authentication tokens.
Generated systems from Archiet follow this pattern automatically: authentication uses httpOnly cookies rather than localStorage, and security tests are included with the generated application {{fact:icp_objection_cto_startup}}.
Example configuration produced in a generated project:
# auth/session_config.py
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_SAMESITE = "Lax"
AUTH_PROVIDER = "internal"
TOKEN_STORAGE = "server_session"Engineering teams reviewing a DORA-style architecture should confirm several practical elements:
• Authentication flows are documented • Session management is implemented consistently across services • Authentication events are logged • Security tests verify session protections
When these elements exist directly in the application scaffolding rather than being implemented ad hoc by each team, the security baseline becomes much easier to audit.
This is one of the reasons architecture-driven scaffolding matters: the security model becomes standardized rather than reinvented for every service.
Tjekliste DORA Step 3: Operational resilience and observability
Another recurring theme in DORA readiness is operational resilience. Systems must detect incidents quickly, maintain service continuity, and provide visibility during failures.
For engineering teams, this translates into observability architecture.
Your tjekliste dora should confirm the presence of several operational capabilities:
• Structured logging across services • Centralized log aggregation • Metrics for critical service health • Request tracing between components • Alerting tied to service-level indicators
Without these elements, incident response becomes guesswork.
Consider a microservice architecture handling payments or account management. If an outage occurs and logs are scattered across containers without correlation IDs, tracing the failure path can take hours.
A resilient architecture instead ensures every request includes a trace identifier.
Example middleware used in generated services:
# middleware/request_context.py
import uuid
def attach_request_id(request):
request.id = str(uuid.uuid4())
return requestThe request ID then appears in logs across services:
[request_id=91c2f] user_service -> auth_service
[request_id=91c2f] auth_service -> databaseFrom an audit perspective, the benefit is traceability. Investigators can reconstruct incident timelines quickly.
Engineering teams often underestimate how important these design patterns are for compliance reviews. Observability is not just an operations concern—it is a regulatory resilience capability.
Architecture models should therefore explicitly show monitoring pipelines, telemetry services, and alert routing so auditors understand how incidents are detected and handled.
Tjekliste DORA Step 4: CI/CD and repeatable deployments
Compliance reviews rarely trust manual deployments.
If releasing a new version of the system requires a sequence of undocumented commands performed by a senior engineer, the system is inherently risky. Repeatability is essential.
A practical tjekliste dora must therefore include CI/CD pipeline design.
Engineering teams should verify that the following exist:
• Automated build pipelines • Infrastructure definitions stored as code • Deployment steps that can be reproduced • Automated testing before deployment • Versioned release artifacts
A generated application scaffold often includes Docker environments and CI pipelines as part of the project baseline.
Example CI pipeline snippet:
# .ci/pipeline.yml
stages:
- test
- security
- build
security_scan:
stage: security
script:
- run_security_tests
build_image:
stage: build
script:
- docker build -t app:$CI_COMMIT_SHA .Including these capabilities in the initial architecture prevents a common compliance problem: retrofitting pipelines onto systems that were built manually.
Generated systems from Archiet include Docker and CI scaffolding as part of the application ZIP, along with architecture artifacts and test suites {{fact:icp_objection_technical_founder}}.
The key architectural principle is simple:
If the system cannot be rebuilt automatically, it cannot be reliably recovered after failure.
Tjekliste DORA Step 5: Compliance artifacts generated with the system
Traditional compliance work produces documentation separate from the software system.
Architecture diagrams live in PowerPoint. Control evidence lives in spreadsheets. Test documentation lives somewhere else entirely.
That fragmentation slows down compliance reviews.
A modern architecture workflow generates compliance artifacts directly alongside the codebase.
For example, generated projects from Archiet include a compliance report and security tests as part of the project output {{fact:icp_objection_cto_startup}}.
Typical artifact structure inside a generated project:
project_root/
/docs
ARCHITECTURE.md
ADR-001-authentication.md
ADR-002-database.md
COMPLIANCE_REPORT.md
/tests
security_tests/
integration_tests/
DEPLOYMENT_GUIDE.mdEach artifact serves a practical role:
• Architecture documents describe the system structure • ADRs explain design decisions • Security tests verify implementation • Deployment guides document operational steps
Because these files are generated together with the application scaffolding, they remain synchronized with the system design.
For compliance officers, this dramatically reduces the time spent gathering evidence during reviews.
For engineering teams, it eliminates the "documentation sprint" that often appears right before an audit.
Tjekliste DORA Step 6: Replace weeks of scaffolding with architecture-driven generation
Engineering teams often assume they can build compliance-ready scaffolding manually in a few days.
The reality tends to be different.
Even a relatively simple production-ready service typically requires:
• authentication • environment configuration • migrations • containerization • CI/CD • architecture documentation • security tests
Across multiple frameworks or services, that scaffolding quickly grows into dozens of templates and configuration files.
Generated architecture-driven systems often include between 84 and 147 templates covering these concerns {{fact:icp_objection_technical_founder}}.
That scale explains why many teams underestimate setup effort.
One example illustrates the difference. In a documented case:
{{fact:customer_example_format}}
Instead of building scaffolding across multiple stacks manually, the architecture model generated a deployable project archive in minutes.
The broader implication for compliance is straightforward:
If architecture artifacts and system scaffolding are produced together, the organization starts from a compliant baseline rather than attempting to retrofit controls later.
Compliance becomes a property of the architecture itself.
FAQ: Tjekliste DORA
What is the purpose of a DORA checklist for engineering teams?
A DORA checklist translates regulatory expectations into practical engineering tasks. Instead of focusing only on governance documents, a technical checklist confirms whether the architecture includes authentication controls, observability pipelines, CI/CD processes, and documented system structure.
These elements determine whether resilience policies can actually be executed during incidents.
Who should maintain the DORA architecture checklist?
Ownership typically sits between enterprise architecture and platform engineering teams. Architects define system structure and documentation standards, while platform teams implement the operational capabilities such as logging, CI/CD pipelines, and security testing.
Compliance officers then review the artifacts produced by those systems.
Can generated code pass security review?
Security reviews often focus on session handling, authentication patterns, and test coverage. Generated systems from Archiet include httpOnly cookie-based authentication, security test suites, and a compliance report in the generated project package {{fact:icp_objection_cto_startup}}.
These elements give security reviewers concrete artifacts to evaluate instead of relying on assumptions about how the system was built.
Isn’t scaffolding something developers can build themselves?
Developers can certainly scaffold projects manually. The question is time and consistency. A typical production scaffold includes dozens of templates, migrations, CI configuration, documentation artifacts, and security patterns.
Architecture-driven generation can collapse weeks of setup into minutes while ensuring the architecture, documentation, and deployment pipeline remain consistent {{fact:icp_objection_technical_founder}}.
Building a DORA-ready architecture baseline
Most organizations approach compliance by creating policies first and hoping engineering teams implement the required capabilities later.
A more reliable approach starts with architecture.
When architecture models produce the application scaffolding, CI/CD pipelines, documentation, and compliance artifacts together, resilience and traceability are built into the system from day one.
That shift matters because compliance frameworks rarely test documentation alone—they test whether the organization can actually operate resilient systems under stress.
Archiet turns ArchiMate architecture models into production-ready application scaffolding, documentation artifacts, and compliance-ready project structures automatically. Instead of spending weeks assembling the baseline for a new system, teams can generate it in minutes and move directly to business logic.
If your team is building a new service or platform component and needs a faster path to a compliance-ready architecture, explore how Archiet generates production-ready systems from architecture models.