How V-PROOF Helps V-PROOF DORA Compliance and the Financial Sector
DORA and the Financial Sector: What the Regulation Requires and How V-PROOF Evidence
Regulation (EU) 2022/2554 has been fully in effect since January 2025. More than 22,000 European financial institutions must demonstrate verifiable IT controls. The question is no longer whether to comply—but how to prove compliance to the regulator.
Key Points
- DORA is mandatory as of January 17, 2025, for all financial institutions regulated in the EU, with no additional grace period.
- Articles 9, 10, 11, and 17 require verifiable technical records of ICT controls, anomaly detection logs, and incident classification—not mere statements.
- The EBA, ESMA, and EIOPA have published the Regulatory Technical Standards (RTS) and Guidelines that specify what documentation they will require during inspections.
- V-PROOF immutable cryptographic evidence for DORA controls on an asset-by-asset basis, with timestamp that can be verified by any regulator.
- The convergence of DORA and EU AI Act a dual obligation for entities that use AI in financial decision-making: V-PROOF both with a single integration.
- As a provider with its registered office in Spain, V-PROOF is V-PROOF subject to the CLOUD Act—an essential safeguard for entities whose data is subject to European sovereignty.
What is DORA, and why is it different from any previous regulation?
The Digital Operational Resilience Act is not just another voluntary cybersecurity framework. It is a directly applicable European regulation that establishes legally binding requirements for digital operational resilience in the financial sector—and requires technical evidence, not just documented policies.
Published in the Official Journal of the EU on December 27, 2022 (Regulation (EU) 2022/2554), DORA entered into force on January 16, 2023, and has been fully applicable since January 17, 2025. There is no extension. National supervisory authorities—under the coordination of the EBA, ESMA, and EIOPA—began inspections in the first half of 2025.
The regulation affects a very broad range of entities: banks, savings banks, credit unions, investment firms, alternative investment funds and UCITS, pension fund managers, insurance and reinsurance companies, crowdfunding platforms, crypto-asset issuers under MiCA, and third-party ICT providers that offer critical services to the financial sector. In total, more than 22,000 entities in the EU.
The Structural Difference of DORA
Previous cybersecurity frameworks (ISO 27001, ENS, and even NIS) were based on self-declaration of controls. DORA stipulates that supervisors will verify this operational resilience through on-site and remote inspections. The difference is not philosophical—it is legal: noncompliance can result in fines of up to 2% of annual global revenue, and for responsible individuals, up to 1 million euros.
The regulation is structured around five pillars: ICT risk management (Arts. 5–16), reporting of serious incidents (Arts. 17–23), digital operational resilience testing (Arts. 24–27), ICT third-party risk management (Arts. 28–44), and the exchange of information on cyber threats (Arts. 45–46). V-PROOF directly V-PROOF the first three.
The DORA Timeline: Where We Stand Now
Articles that require technical evidence—and what specific records they request
DORA does not require statements of intent. The Regulation and the resulting RTS specify the types of technical records that supervisory authorities will request during an inspection. These are the articles directly covered by the V-PROOF architecture:
Art. 17 — Classification of Serious Incidents
Article 17 and the related RTSs establish specific criteria for classifying ICT incidents as serious (impact on customers, duration, geographic scope, impact on reputation). Organizations must maintain a classified incident log with evidence of the classification applied. V-PROOF the classification of each incident to be stamped with timestamp , creating an immutable record that verifies when the incident was identified, how it was classified, and who made the decision.
V-PROOF Coverage V-PROOF DORA
| DORA Article | Obligation | Coverage | V-PROOF Module |
|---|---|---|---|
| ICT Risk Management — Articles 5–16 | |||
| Art. 9Protection and Prevention | Verifiable records of implemented ICT controls | ✓ Complete | V-Seal |
| Art. 10 Detection | Immutable logs of anomalous activity and IT incidents | ✓ Complete | V-Seal |
| Art.11 Response and Recovery | Evidence of response procedures and recovery exercises | ✓ Complete | V-Seal |
| Art.12 Backup Policy | Verifying the Integrity of Backups | ◐ Midterm | V-Seal |
| Art. 13Learning and Development | Traceability of Changes in Critical ICT Systems | ✓ Complete | Git Integration |
| Incident Reporting — Articles 17–23 | |||
| Art.17 Classification of Incidents | Immutable Record of Serious ICT Incident Classification | ✓ Complete | V-Seal |
| Articles 19–20:Notification to Supervisors | Initial, interim, and final notifications to EBA/ESMA/EIOPA | — Customer Responsibility | Internal Regulatory Process |
| Resilience Tests — Articles 24–27 | |||
| Articles24–25: Basic Tests | Evidence of periodic resilience testing (vulnerability assessments, penetration tests) | ◐ Midterm | V-Seal |
| Art.26 TLPT | Certified Threat-Led Penetration Testing | — External Certified Executors | Outside the scope of V-PROOF |
| DORA + EU AI Act Convergence EU AI Act For Entities That Use AI in Financial Decisions | |||
| DORA, Art. 9+ EU AI Act . 14 | Verifiable Human Oversight in High-Risk Financial AI Systems | ✓ Complete | AI Orchestrator V-Proof |
| DORA, Art. 13+; EU AI Act . 12 | Logging of AI Model Events in Critical Financial Environments | ✓ Complete | AI Orchestrator |
◐ Partial = V-PROOF the evidence of the process; the operational action (performing the backup, contracting the penetration test) is the responsibility of the entity.
The Convergence of DORA and the EU AI Act: The Risk No One Is Accounting For
There is a regulatory overlap that very few financial institutions have correctly identified: those that use AI systems in financial decision-making are subject to both DORA and the EU AI Act. And neither regulation accepts compliance with the other as sufficient.
Credit scoring models, fraud detection systems, algorithmic trading algorithms, and risk assessment systems that use machine learning are high-risk AI systems under Annex III of EU AI Act. This means that, in addition to the DORA requirements for operational resilience, these entities must comply with Articles 9, 12, 13, 14, and 16 of EU AI Act: AI system risk management, event logging, traceability of training data, verifiable human oversight, and technical documentation.
One integration, two regulatory frameworks
V-PROOF the only infrastructure that meets both requirements simultaneously. The AI Orchestrator module generates cryptographic evidence of the entire lifecycle of ML models—from training data to every decision in production—meeting both the traceability requirements of DORA (Art. 13) and the event logging requirements of the EU AI Act Art. 12) through a single integration. The V-Proof module records human intervention in every critical decision made by the system, simultaneously addressing Article 14 of EU AI Act DORA’s audit trail requirements.
The EBA has already published specific guidelines on the use of AI models in the financial sector that reinforce this convergence. Institutions that lack verifiable technical evidence of how their AI models operate—not just internal policies, but cryptographically verifiable records—face a dual regulatory risk: penalties under DORA for a lack of IT traceability and penalties under the EU AI Act a lack of verifiable AI governance.
Why the ICT Provider's Registered Office Matters Under DORA
DORA introduces a new concept in financial regulation: the risk of concentration among third-party ICT providers. Articles 28–44 require financial institutions to assess the legal risks associated with their ICT providers, including the risk that third-party jurisdictions may gain access to the data managed by those providers.
Here, the CLOUD Act (18 U.S.C. § 2713) creates a specific regulatory friction: any U.S.-based ICT provider can be compelled by a U.S. court order to hand over European customer data, regardless of where that data is stored. This includes large U.S.-based GRC and AI Governance platform providers operating in the European market.
V-PROOF legally headquartered in Spain. It cannot be subject to any U.S. court order. Its European financial clients have the legal assurance that their DORA compliance records remain under EU sovereignty—not just technically, but legally.
V-PROOF DORA
Strengths, Regulatory Use Cases, and Scope Limitations
- Immutable records of implemented ICT controls, verifiable by any supervisor without access to internal systems Art. 9 — Protection and Prevention
- Event logs with timestamp : integrity is cryptographically verifiable—any tampering results in a hash divergence Art. 10 — Detection
- Sealed evidence of response and recovery tests: date, participants, systems, and results with verifiable human approval Art. 11 — Response and Recovery
- Commit-by-commit code traceability for critical financial systems — an immutable history for IT evolution audits Art. 13 — Git Integration
- Supplier with legal headquarters in Spain: Without the CLOUD Act, European sovereignty is guaranteed for financial compliance records Articles 28–44 · Risk Posed by ICT Providers
- Dual coverage under DORA and EU AI Act a single integration for entities using AI models in financial decision-making Regulatory Convergence 2025–2027
- Banks, savings banks, and credit unions subject to full DORA compliance starting in January 2025 Credit institutions — Arts. 5–16
- Investment firms and fund managers (UCITS, AIFs) that use cloud-based ICT providers or AI models ESMA scope — Art. 2.1
- Fintechs and neobanks with automated decision-making systems (scoring, fraud detection, KYC) subject to simultaneous DORA and AI Act requirements DORA + EU AI Act Convergence
- ICT providers of critical services to the financial sector who want to demonstrate their resilience to clients and regulators Articles 28–44 · CTPP framework
- CISOs and CROs preparing technical documentation for inspections by the Bank of Spain, the CNMV, or the DGSFP in 2026 Regulatory Inspections · 2026
- TLPT Advanced Penetration Testing (Art. 26): Requires testers certified under the TIBER-EU framework. V-PROOF certify the results, but does not perform the tests. Art. 26 — TLPT
- Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP): The organization is responsible for their design. V-PROOF that they exist and are tested. Art. 11 — Continuity
- Formal notification of serious incidents to the EBA, ESMA, or EIOPA (Arts. 19–20): internal regulatory process. V-PROOF a time-stamped record of the classified incident. Arts. 19–20 — Notification
- SIEM, EDR, and operational cybersecurity tools: V-PROOF replace active threat detection—it generates immutable evidence of the events detected by those tools. Art. 10 — Scope Limitation
Does your organization have the records that a regulator would require tomorrow?
V-PROOF a 48-hour strategic assessment that maps the DORA requirements applicable to your organization, identifies existing gaps in technical evidence, and defines the necessary scope of integration.
Request a DORA Strategic AssessmentSources and Regulatory References
- Regulation (EU) 2022/2554 of the European Parliament and of the Council of December 14, 2022 — EUR-Lex CELEX:32022R2554
- EBA — Final Report on Draft RTS on the ICT Risk Management Framework (Batch 1), January 2024 — eba.europa.eu
- EBA — Final Report on Draft RTS under DORA (Batch 2), July 2024 — eba.europa.eu
- ESMA — Guidelines on the DORA ICT Risk Management Framework for Investment Firms — esma.europa.eu
- Bank of Spain — Supervisory Report on DORA, First Quarter of 2025 — bde.es
- EBA — Opinion on the Use of Machine Learning for Internal Ratings-Based Models (Convergence of the AI Act and DORA) — eba.europa.eu
- ENISA — DORA Supervisory Convergence Report, 2025 — enisa.europa.eu
