The Digital Operational Resilience Act is the operating standard for how we deliver to regulated financial customers. Not a checklist. The audit pack is built before the supervisor asks.
Status: Active · Effective: 17 Jan 2025 · Framework: Reg. (EU) 2022/2554 · Coverage: 5 pillars · ART. 5–45
01 / OVERVIEW
DORA, in plain language.
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) became applicable on 17 January 2025. It places hard, audit-grade obligations on financial entities and the ICT third-party service providers they depend on — covering risk management, incident reporting, resilience testing, third-party risk, and information sharing.
Ophanix supplies ICT services to financial entities across the EU. We treat DORA not as a checklist but as the operating standard for how we deliver. This page summarises how we satisfy each of the five pillars and how we make our compliance evidence available to customer auditors and supervisors.
02 / ICT RISK MANAGEMENT (ART. 5–16)
An ICT risk framework that reaches the board.
Governance — named ICT risk owner at Ophanix accountable to the executive team. Quarterly review with named customer counterpart.
Identification — every Ophanix-managed component is mapped to a function, criticality tier, and dependency chain. Customer-critical functions are flagged and reviewed annually.
Protection — controls library aligned to NIS2, ISO 27001, and the EBA Guidelines on ICT and security risk management. Continuous control monitoring, not annual attestation theatre.
Detection — 24/7 monitoring on all customer-facing surfaces. Anomaly thresholds calibrated per customer, alert routing per customer playbook.
Response & recovery — tested runbooks, RTO and RPO defined per customer function, joint exercise at onboarding and annually thereafter.
Learning — every incident produces a documented post-mortem; structural changes are tracked to closure and reported in the quarterly board pack.
03 / INCIDENT REPORTING (ART. 17–23)
Major-incident notification, by the clock.
For incidents meeting DORA's major-incident classification criteria, we notify the customer's designated DORA contact within timeframes that allow the customer to meet their own ART. 19 obligations to the lead supervisor:
Initial notification — within 4 hours of classification.
Intermediate report — within 72 hours, with current scope, customer impact, containment status.
Final report — within 1 month, with root cause, structural remediation, lessons learned.
We maintain a templated incident classification register and provide it to customer compliance teams on each occurrence, so the customer's report to ESAs or the lead supervisor can be produced from a known source.
DORA · MAJOR-INCIDENT TIMELINE (Article 19)
Detection — T+00:00 — incident classified
Initial report — T+04:00 — regulator notified
Intermediate — T+72:00 — scope + actions
Closure — final — root cause + remediation
04 / DIGITAL OPERATIONAL RESILIENCE TESTING (ART. 24–27)
Threat-Led Penetration Testing, jointly.
For customers in scope of TLPT under ART. 26, Ophanix participates fully — under TIBER-EU or the customer's equivalent national framework. We provide:
Architecture documentation, threat intelligence inputs, and test scoping at the customer's discretion.
A named technical liaison for the duration of the test.
Joint remediation planning on every finding affecting the customer's critical or important functions.
Evidence packs for the customer's TLPT attestation report.
For non-TLPT customers, we participate in vulnerability assessments, scenario-based testing, and end-to-end testing per ART. 25 at the customer's request.
05 / THIRD-PARTY RISK (ART. 28–30)
The contract you sign with us reflects what DORA requires of you.
Contractual provisions — our standard Master Services Agreement maps directly to the contractual elements required by ART. 30 (service description, locations, audit rights, exit, sub-processing, etc.). Customer-specific addenda are accommodated, not resisted.
Sub-contracting — full sub-processor list per region, 30-day prior notification, customer right to object on substantive grounds.
Concentration risk — we document our dependencies (cloud providers, foundation-model providers, telemetry vendors) so customers can perform their own concentration analysis without guessing.
Audit and supervisor access — customer audit rights are unrestricted within reasonable notice; lead overseer access under the DORA oversight framework is contractually pre-agreed.
Exit — exit plan documented at contract signature, tested at the customer's request, executed without retention of customer data.
06 / INFORMATION SHARING (ART. 45)
We participate in the threat-intel community — under your terms.
We participate in sectoral threat-intelligence sharing through recognised channels (FS-ISAC, sector CERTs, ENISA-coordinated initiatives) where customers permit. Customer-specific indicators are never shared without explicit authorisation; aggregated, anonymised patterns are shared only where they materially help the sector defend itself.
07 / EVIDENCE & SUPERVISOR ACCESS
What your auditor and your supervisor will receive.
Control attestation pack (annual), mapped to DORA articles and EBA Guidelines.
Sub-processor register (live, per region).
Incident register and post-mortem library (customer-relevant entries).
Test results: VAPT, resilience testing, TLPT participation reports.
Exit-plan documentation, refreshed at each contract renewal.
Lead-overseer cooperation undertaking, signed at contract execution.
Direct to the regulator
Under the DORA oversight framework, ESAs and national competent authorities may engage us directly. We have named contacts, established channels, and pre-agreed cooperation procedures.
Contact: compliance@ophanix.org
Engage
Need the full evidence pack?
We share the complete audit pack — methodology, findings, remediation log, third-party attestations — with prospective customers under NDA during procurement.