DORA

Operational resilience for AI and data in financial services

DORA makes ICT resilience a board-level obligation for financial entities. Scrydon's audit trails, fail-closed defaults and sovereign, self-hosted deployment reduce concentration risk and give supervisors something to inspect.

What it is

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) creates a uniform framework for the digital operational resilience of the EU financial sector. It requires financial entities to manage ICT risk, classify and report major ICT-related incidents, test their digital operational resilience, and manage the risks of ICT third-party providers — including concentration risk and contractual safeguards. Critical ICT third-party providers fall under a dedicated EU oversight regime. DORA has applied since January 2025.

At a glance

Jurisdiction: European Union

Applies to: Financial entities across the EU — banks, insurers, investment firms, payment and crypto-asset providers and others — and the critical ICT third-party providers that serve them.
How we help

How Scrydon helps you comply

Controls are built into the runtime, so compliance is something you can demonstrate with evidence drawn from the platform itself — not assembled after the fact.

ICT risk management by design

Fail-closed defaults, an mTLS service mesh and policy-as-code authorisation give you a resilient, least-privilege architecture for AI and data workloads. Controls are enforced consistently across the application and data planes, supporting the ICT risk-management framework DORA expects financial entities to operate.

Audit log and incident traceability

The immutable, queryable audit log captures actors, IPs and decisions with retention controls, providing the traceability needed to detect, classify, investigate and report major ICT-related incidents and to evidence resilience to supervisors and auditors.

Reducing third-party and concentration risk

Self-hosted and sovereign deployment means critical workloads need not depend on a single external hyperscaler, directly addressing DORA's concern with ICT third-party concentration risk. Opt-in external AI vendors keep the supply chain explicit and under your control.

Resilience testing and continuity

Because the platform can run within your own environment with reproducible, policy-governed configuration, you can include it in your digital operational resilience testing and continuity planning, exercising failover and recovery on infrastructure you control.

Framework evidence packs

Evidence packs map platform controls to DORA's resilience and ICT-risk themes alongside ISO 27001 and SOC 2, giving your risk, compliance and audit teams a documented starting point for register-of-information and oversight engagement.

Key requirements

What DORA asks of you

  • Operate a comprehensive ICT risk-management framework governed by the management body.
  • Detect, classify and report major ICT-related incidents within set timelines.
  • Carry out regular digital operational resilience testing.
  • Manage ICT third-party risk, including contractual safeguards and exit strategies.
  • Monitor and mitigate ICT concentration risk across critical providers.
  • Maintain a register of information on ICT third-party arrangements.
  • Share cyber-threat information and intelligence where appropriate.

FAQ

Frequently asked questions

How does Scrydon support DORA compliance for financial entities?
Scrydon provides the technical foundations DORA emphasises: a resilient, fail-closed, mTLS-secured architecture for ICT risk management, an immutable audit log for incident detection and reporting, and sovereign self-hosted deployment that reduces dependence on a single external provider. Evidence packs map these to DORA themes. We speak to alignment and the controls that help you meet your obligations; classifying incidents, reporting to your competent authority and your overall resilience programme remain your responsibility.
How does the platform reduce ICT third-party concentration risk?
DORA is explicit about the systemic risk of over-reliance on a few ICT providers. Because Scrydon can be deployed in your own environment or sovereign infrastructure rather than locking critical workloads to a single hyperscaler, you can diversify and retain control of your most important AI and data systems. Opt-in external AI vendors keep any third-party dependency explicit and governable.
Does Scrydon help with major incident detection and reporting?
The immutable, queryable audit log records actor, IP, decision and agent activity with retention controls, which supports detecting, classifying and investigating ICT-related incidents and assembling the information you need for regulatory reporting. The platform provides the traceability; the classification thresholds and notifications to your competent authority remain yours to operate.
Can Scrydon be part of our digital operational resilience testing?
Yes. Because the platform runs with reproducible, policy-governed configuration on infrastructure you control, you can exercise failover, recovery and access controls as part of your resilience testing programme, and include it in scenario testing and continuity planning.
Is Scrydon a critical ICT third-party provider under DORA?
Designation as a critical ICT third-party provider is made by the European Supervisory Authorities against defined criteria, not self-declared by a vendor. Regardless of designation, deploying Scrydon in a sovereign, self-hosted way keeps your most critical workloads under your direct control and helps you manage third-party risk under your DORA framework.