DORA

Operational resilience, proven.

DORA asks financial entities to demonstrate — not just describe — operational resilience. ComplyBridge turns the five pillars of the Act into continuously evidenced controls, with every artefact ready for the Joint Supervisory Team (JST) on the morning they walk in.

At a glance

  • 5 pillars: risk, incidents, testing, third party, info sharing
  • 4h: initial major-incident notification window
  • 3y: TLPT cycle for significant entities
  • DORA applies from January 17, 2025; enforcement scaling through 2026–2027

Five pillars, one evidenced posture.

DORA applies to a very wide population — credit institutions, investment firms, payment and e-money institutions, crypto-asset service providers, insurance and reinsurance undertakings, crowdfunding platforms, and critical ICT third-party providers. If you're supervised in EU financial services, you're almost certainly in scope.

The Act replaces a patchwork of national ICT expectations with a single, directly-applicable resilience regime. It is prescriptive in the right ways — incident classification thresholds, TLPT frequency, third-party register fields — and outcomes-based where it matters.

What DORA covers.

The Act structures resilience into five interlocking domains, each with its own regulatory and implementing technical standards (RTS and ITS).

ICT risk management framework

Governance, risk register, controls mapping, and board attestation under RTS on ICT risk.

Incident reporting

Classification thresholds, initial (4h), intermediate (72h), and final (1m) notifications.

Resilience testing

Threat-led penetration testing (TLPT) for significant entities every three years.

Third-party risk

Register of contractual arrangements, exit strategies, and concentration monitoring.

Subcontracting chains

Visibility into ICT sub-outsourcing chains, with critical dependencies flagged.

Information sharing

Optional threat-intel sharing arrangements under Article 45.

What ComplyBridge does for you.

DORA obligations are intensely operational. ComplyBridge is purpose-built for the artefacts and rhythms the Act requires.

  • ICT risk register live-synced with your cloud and on-prem inventory.
  • Incident classification engine with 4h / 72h / 1m report templates pre-filled.
  • Third-party register with RTS-aligned fields and exit-plan status per contract.
  • TLPT engagement lifecycle — scoping, provider selection, validation, attestation.
  • Resilience scenario library and evidence hooks for tabletop and live drills.
  • Board-ready resilience pack quarterly, with JST-ready evidence in one click.

Getting to continuous DORA-readiness.

The first twelve months are about reaching baseline. After that, the objective is continuous evidence — no more point-in-time assessments.

01. Baseline your ICT estate

Consolidate the inventory — apps, infra, data flows, third parties — into a DORA-aligned schema.

02. Stand up reporting

Incident classification and the 4h notification pipeline wired into Slack, PagerDuty, and NCA connectors.

03. Operationalise third parties

Register of contractual arrangements live, with concentration and exit-plan health scoring.

04. Evidence on schedule

Quarterly board pack, annual ICT risk framework review, triennial TLPT — all pre-staged.

Frequently Asked Questions

Common questions about DORA and how ComplyBridge supports compliance.

  • Significance is determined by size, criticality, and interconnectedness. Firms designated as significant face stricter TLPT cadence and intensified supervisory dialogue. ComplyBridge's onboarding includes a significance assessment that tracks how your profile evolves year over year.

  • Threat-led penetration testing is a scoped red-team engagement against live production systems, commissioned from an accredited tester and scored by the NCA. ComplyBridge runs the end-to-end engagement lifecycle: scoping memo, provider selection, scenario validation, attestation, and remediation tracking.

  • Yes. The Act is proportionate — microenterprises and small, non-complex firms benefit from simplified obligations. ComplyBridge applies the correct proportionality tier automatically based on your entity profile and updates it when the profile changes.

  • SOC 2 / ISO 27001 platforms verify generic information-security controls. DORA is a supervised EU financial-services regime with specific RTS, ITS, and regulator-facing artefacts — a different obligation set, different reporting pipes, and different audiences. ComplyBridge is built for that.
