IKT Asset

Regulation as a living information network

DORA, NIS 2 and EU AI Act for financial institutions: understandable, auditable and connected.

RGRegulationDORA, NIS 2, EU AI Act and moreIRRegisterExplore information networkAINewsfeedAI updates with source verification
DORA

Digital Operational Resilience Act

DORA harmonises digital operational resilience for EU financial institutions, focusing on ICT risk management, incident reporting, resilience testing, information sharing and ICT third-party risk.

Application17 Jan 2025

Scope

  • Financial institutions and group governance
  • ICT services for critical or important functions
  • Critical ICT third-party providers under EU supervisory framework

Core obligations

  • Document and annually improve ICT risk management
  • Operate reporting processes for major ICT incidents
  • Maintain resilience tests and lessons learned
  • Maintain information register for ICT third-party contracts

Register objects

  • Critical function
  • ICT service
  • Provider
  • Contract
  • Subcontractor
  • Exit plan
  • Control evidence

Information network

From legal text to an auditable group landscape.

An information network connects critical functions, business processes, applications, data, infrastructure, providers, contracts, controls, risks, incidents and AI systems — making visible which regimes affect which services, supply chains and evidence.

Informationsverbund ObjektmodellDORANIS 2EU AI ActKritischeFunktionProzessAnwendungDatenProviderVertragKontrolleAI-System

Information register

Required objects and relations for a financial group.

The register is not just a DORA contract directory. It is the reliable data core for supervision, outsourcing, IT architecture, risk analysis, evidence and AI governance.

Open full catalog

Critical or important function

funktionDORANIS 2

Function whose failure could materially impair financial performance, continuity, customer service or market integrity.

Minimum attributes

  • Criticality
  • Impact tolerance
  • RTO
  • RPO
  • BIA result
  • Owner

Relations

  • fulfilled by process
  • depends on ICT service
  • affected by incident

Evidence

  • BIA
  • Resilience strategy
  • Function test
RelationMeaningTypical evidence
Function is fulfilled by processOperationalises critical or important functions.Process landscape, BIA, responsible parties
Process uses applicationShows ICT dependency and failure impact.CMDB, service catalogue, architecture review
Application processes dataLinks protection requirements, data flows and AI use.Data catalogue, processing register, classification
ICT service is delivered by providerCreates third-party and concentration view.Provider file, service description, SLAs
Provider is governed by contractAnchors DORA register, exit, audit and reporting obligations.Contract clauses, subcontractor list, exit plan
Control mitigates riskEvidence measures against cyber, ICT and AI risks.Control test, control owner, findings
AI system uses model and datasetCreates traceability for EU AI Act obligations.Model card, data sheet, monitoring log
Incident affects function and providerSupports reporting decisions and lessons learned.Incident record, timeline, RCA, communication
DraftExpert reviewLegalApprovalPublished
Outsourcing register: criteria updateGuideDORAIn review
Incident classification standardStandardDORA / NIS 2Draft
AI system risk assessmentProcessEU AI ActApproved
Third-party security requirementsTemplateDORAPublished

AI-generated newsfeed

Relevant updates, automatically summarised and professionally approved.

The newsfeed prioritises official sources, links announcements to objects and obligations, and generates impact hints for owners in the group. Every AI summary remains source-bound and subject to review.

Enterprise-ready capabilities

What a group-capable platform should additionally deliver.

Productive use requires capabilities beyond presentation: permissions, evidence, interfaces, reports, quality assurance and robust AI governance.

01

SSO, roles and tenants

Azure AD/Entra ID, SCIM, group tenants, need-to-know views, four-eyes approvals.

02

Evidence vault

Versioned evidence, sign-off, retention, hashes, export packages for supervision and audit.

03

Obligation mapping

Obligation library, control mapping, gap assessment and mapping to ISO 27001, COBIT, MaRisk and BAIT successors.

04

Integration hub

Connections to CMDB, GRC, ITSM, contract management, IAM, DMS, SIEM and data catalogue.

05

DORA register export

Quality rules, template mapping, group views, provider deduplication and machine-readable exports.

06

AI governance layer

Prompt and source logs, human-in-the-loop, bias/robustness evidence, model cards and audit logs.

07

Board & supervisory reports

Management dashboards, heatmaps, deadline calendar, control status and regulatory decision notes.

08

Resilience calendar

Tests, TLPT, exit exercises, BIA reviews, incident learnings and control audits in one plan.

Phase 1

Knowledge and register model

Define regimes, objects, relations, minimum attributes and source library.

Phase 2

Editorial and governance

Introduce roles, reviews, approvals, versioning, audit trail and publication logic.

Phase 3

AI news & impact engine

Source monitoring, summarisation, relevance score, owner notification and human review.

Phase 4

Enterprise integrations

Connect CMDB, GRC, contract management, DMS, SIEM, ITSM and reporting pipelines.