DORA Compliance
Last updated: April 2026
The Digital Operational Resilience Act (DORA) — Regulation (EU) 2022/2554 — establishes a comprehensive framework for ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management for financial entities operating in the EU. This guide explains how FeatureSignals supports DORA compliance as an ICT third-party service provider.
DORA Applicability
DORA applies to financial entities operating in the EU (credit institutions, insurers, investment firms, payment and e-money institutions, and crypto-asset service providers, among others) and, through its contractual and oversight requirements, to the ICT third-party service providers that support them, such as FeatureSignals. The Regulation entered into force on 16 January 2023 and has applied since 17 January 2025.
The Five Pillars of DORA
DORA is structured around five pillars. FeatureSignals addresses each as it relates to our role as an ICT service provider:
Pillar 1: ICT Risk Management (Articles 5–16)
Financial entities must maintain a comprehensive ICT risk management framework. FeatureSignals supports this by:
| DORA Requirement | FeatureSignals Support |
|---|---|
| ICT risk identification & assessment | Documented architecture, threat model, risk register, dependency vulnerability scanning |
| ICT asset management | Full asset inventory, data flow diagrams, sub-processor disclosure |
| Business continuity | Automated backups, DR runbook, RPO <24h, RTO <30min |
| Backup & restoration | Daily encrypted backups, quarterly restore testing, off-site replication |
| Network security | TLS 1.3, WAF, rate limiting, IP allowlisting, security headers |
| Access control | RBAC, JWT with short TTL, MFA, SSO, API key rotation |
| Cryptography & encryption | AES-256 at rest, TLS 1.3 in transit, bcrypt for passwords, SHA-256 for integrity |
Pillar 2: ICT-Related Incident Reporting (Articles 17–23)
Financial entities must classify ICT-related incidents and report major ones to their competent authority within strict timelines. As an ICT third-party provider, FeatureSignals supports those reporting obligations by notifying affected customers on a schedule aligned with the DORA deadlines:
- Initial notification: within 4 hours of classifying an incident as major, and no later than 24 hours after becoming aware of it
- Intermediate report: within 72 hours of the initial notification, with impact assessment and remediation status
- Final report: within 1 month of the intermediate report, with root cause analysis and preventive measures
- Incident data provided in the format required by the DORA regulatory technical standards (RTS) and implementing technical standards (ITS) on incident reporting
- Incident records retained for a minimum of 5 years
Pillar 3: Digital Operational Resilience Testing (Articles 24–27)
Financial entities must test their ICT systems regularly; those identified by their competent authority must additionally undergo threat-led penetration testing (TLPT) at least every three years. FeatureSignals supports resilience testing through:
Self-Hosted Testing
Self-hosted deployments give you full control over resilience testing: run penetration tests, chaos engineering, and TLPT against your own FeatureSignals instance without needing our approval.
Test Environments
Dedicated staging environments allow you to test failover, backup restoration, and incident response procedures without affecting production traffic.
Automated Testing
The CI/CD pipeline runs table-driven unit tests and integration tests with over 80% code coverage on every change, giving continuous assurance that releases behave as expected. Automated test coverage is evidence of release quality; it complements, rather than replaces, the vulnerability assessments, scenario-based tests and penetration tests listed in Article 25.
DR Testing
Quarterly disaster recovery tests with documented results: restore from backup, verify data integrity against the backup's recorded checksums, and confirm that the measured recovery time and backup age meet the RTO and RPO targets.
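As an added illustration of the DR test described above (example code written for this page, not FeatureSignals code): a Python check that verifies a backup's SHA-256 against its manifest, restores it, and compares the measured restore time and backup age against the RTO and RPO stated on this page. The backup format, the manifest fields, the sample feature-flag records and the timings are assumptions made for this example.

```python
from __future__ import annotations

import gzip
import hashlib
import hmac
import json
import time
from datetime import datetime, timedelta, timezone

# Targets as stated on this page (RPO <24h, RTO <30min).
RPO = timedelta(hours=24)
RTO = timedelta(minutes=30)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(records: list[dict], taken_at: datetime) -> tuple[bytes, dict]:
    """Write a backup as gzip-compressed JSON plus a manifest recording its digest.

    The format is an assumption made for this example; a real backup job would
    write the manifest at backup time, before the archive leaves the host.
    """
    payload = gzip.compress(json.dumps(records, sort_keys=True).encode("utf-8"))
    manifest = {
        "taken_at": taken_at.isoformat(),
        "sha256": sha256_hex(payload),
        "record_count": len(records),
    }
    return payload, manifest


def verify_integrity(payload: bytes, manifest: dict) -> bool:
    """Recompute SHA-256 over the archive and compare to the manifest in
    constant time; a tampered or truncated backup fails here, before restore."""
    return hmac.compare_digest(sha256_hex(payload), manifest["sha256"])


def restore(payload: bytes) -> list[dict]:
    return json.loads(gzip.decompress(payload).decode("utf-8"))


def run_dr_test(payload: bytes, manifest: dict, now: datetime) -> dict:
    """One DR test run: integrity check, timed restore, then RPO/RTO validation.

    Returns a report with one boolean per check and an overall 'passed' flag.
    """
    report = {"integrity_ok": verify_integrity(payload, manifest)}
    if not report["integrity_ok"]:
        # Never restore from an archive whose digest does not match the manifest.
        report.update(restore_ok=False, rpo_ok=False, rto_ok=False, passed=False)
        return report

    start = time.monotonic()
    records = restore(payload)
    elapsed = timedelta(seconds=time.monotonic() - start)

    # Backup age is the data you would lose if you had to fail over right now.
    age = now - datetime.fromisoformat(manifest["taken_at"])

    report.update(
        restore_ok=len(records) == manifest["record_count"],
        record_count=len(records),
        backup_age_seconds=age.total_seconds(),
        rpo_ok=age <= RPO,
        restore_seconds=elapsed.total_seconds(),
        rto_ok=elapsed <= RTO,
    )
    report["passed"] = all(report[k] for k in ("integrity_ok", "restore_ok", "rpo_ok", "rto_ok"))
    return report


# Constructed sample data: a few feature-flag records, not real customer data.
SAMPLE_RECORDS = [
    {"flag": "new-checkout", "enabled": True, "rollout_pct": 25},
    {"flag": "dark-mode", "enabled": False, "rollout_pct": 0},
    {"flag": "fraud-model-v2", "enabled": True, "rollout_pct": 100},
]


def demo() -> tuple[dict, dict, dict]:
    """Three runs: a fresh backup, a stale one (RPO breach), and a tampered one."""
    now = datetime(2026, 4, 1, 12, 0, tzinfo=timezone.utc)

    fresh, fresh_manifest = make_backup(SAMPLE_RECORDS, now - timedelta(hours=2))
    stale, stale_manifest = make_backup(SAMPLE_RECORDS, now - timedelta(hours=36))
    tampered = fresh[:-1] + bytes([fresh[-1] ^ 0x01])  # flip one bit of the archive

    return (
        run_dr_test(fresh, fresh_manifest, now),
        run_dr_test(stale, stale_manifest, now),
        run_dr_test(tampered, fresh_manifest, now),
    )


if __name__ == "__main__":
    for name, report in zip(("fresh", "stale", "tampered"), demo()):
        print(f"{name:9s} passed={report['passed']} {report}")
```

The report dict is the artifact to keep with the quarterly test record: it captures the measured restore time and backup age, not just a pass/fail, so a drift toward the RTO or RPO limit is visible before it becomes a breach. The integrity check runs first and short-circuits the restore, since restoring from an archive whose digest does not match only tells you how long it takes to load corrupted data.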
Pillar 4: ICT Third-Party Risk Management (Articles 28–44)
Chapter V sets out how financial entities must manage ICT third-party risk, including the key contractual provisions of Article 30 (Articles 28–30), and establishes a regulatory oversight framework for ICT providers designated as critical (Articles 31–44). FeatureSignals addresses the third-party risk requirements as follows:
| DORA Requirement | FeatureSignals Approach |
|---|---|
| Contractual safeguards | Data Processing Agreement with DORA-aligned terms, SLAs, and termination assistance |
| Sub-processing disclosure | Complete sub-processor list with services, location, and DORA compliance status |
| Audit rights | Right to audit (including pooled audits and audits by competent authorities), security evidence packages (SOC 2 report once the planned audit is complete) |
| Exit strategy | Documented exit plan with data export, migration support, and 30-day transition period |
| Security certifications | SOC 2 (planned), ISO 27001 (planned), penetration test reports available under NDA |
Pillar 5: Information Sharing (Article 45)
DORA encourages information sharing on cyber threats and intelligence among financial entities. FeatureSignals supports this by:
- Publishing security advisories for vulnerabilities and incidents
- Maintaining a responsible disclosure program at security@featuresignals.com
- Participating in industry threat intelligence sharing where applicable
- Providing transparent incident post-mortems for major events
Self-Hosting for Maximum DORA Compliance
For financial entities with the strictest DORA requirements, self-hosting FeatureSignals provides the highest level of control. Self-hosting places the operational controls under your direct management; your own DORA obligations, including assessing FeatureSignals as a software supplier under your third-party risk framework, remain unchanged.
- Deploy within your own infrastructure and network boundaries
- Full control over resilience testing, backup strategy, and DR planning
- No runtime dependency on FeatureSignals-hosted infrastructure
- Complete audit trail under your direct control
- Air-gapped deployment supported for the most sensitive environments
DORA Compliance Contact
For DORA compliance inquiries, ICT third-party risk assessments, or to request audit documentation: compliance@featuresignals.com