The EU Digital Operational Resilience Act — applies directly to financial entities and designates critical ICT third-party providers as supervised.
Banks, insurers, investment firms, payment institutions, crypto-asset service providers, plus critical ICT third-party providers.
Administrative penalties per Member State; critical third parties up to 1% global daily turnover per day of non-compliance.
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
ICT risk management framework with board accountability.
Major ICT incident reporting per Commission Delegated Regulation thresholds (24/72/30 milestones).
Threat-Led Penetration Testing (TLPT) every three years for significant entities (TIBER-EU compatible).
ICT third-party risk register including all contracts and subcontracting chains.
Critical ICT providers subject to EU oversight framework (lead overseer model).
Information and intelligence sharing within and across financial sector communities.
Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.
ICT risk register with subcontracting chain visualisation.
Major incident classification engine with Commission Delegated Regulation thresholds.
TLPT scoping and evidence repository with TIBER-EU alignment.
Critical ICT third-party register with renewal cadence.
Intelligence sharing pipeline via STIX/TAXII connectors.
Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.
ICT risk management framework documentation.
Major incident report — pre-populated per ESMA/EBA/EIOPA template.
TLPT evidence package.
Register of all ICT contracts and subcontractors.
These frameworks share substantial control overlap with DORA. Customers running one assessment typically satisfy the others with the same evidence base.
European Union
The expanded EU network and information security directive, covering essential and important entities across 18 sectors.
APAC
Singapore MAS Technology Risk Management Guidelines — the gold standard for APAC financial-sector cyber and operational risk.
United Kingdom
The PRA's supervisory statement on operational resilience for UK banks, insurers, and PRA-designated investment firms.
APAC
APRA's prudential standard on information security for ADIs, insurers, and superannuation funds.
India
RBI's cybersecurity framework spanning circulars for banks, urban co-operatives, NBFCs, and payment system operators.
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.