DORA — Digital Operational Resilience Act
Last updated: 24 May 2026 · 6 min read
In force since 17 January 2025. ICT risk management + audit trails for EU financial entities. Audact’s evidence chain is designed to deliver DORA-ready audit exports.
In force since 17 January 2025
Direct applicability — no transposition required.
EU financial entities + critical ICT providers
Banks, insurers, CASPs, payment firms, investment firms.
Supervisory powers + national penalty regimes
Critical ICT providers face periodic penalties up to 1% of average daily worldwide turnover.
Multi-Regulation Bundle API (API 06) — roadmap
Planned signed audit export including AI ICT incidents.
What DORA requires
Regulation (EU) 2022/2554 — the Digital Operational Resilience Act — harmonises ICT risk management across the EU financial sector. In-scope entities must maintain documented risk frameworks, run regular resilience testing, classify and report major ICT incidents within strict timelines, and keep tamper-evident records that demonstrate operational integrity to competent authorities. Critical third-party ICT providers fall under direct EU oversight.
When AI voice agents or chatbots are used in regulated workflows — KYC calls, claims intake, mortgage qualification, payment dispute triage — every interaction is part of the firm’s ICT estate and must be evidenced accordingly.
How Audact covers DORA
Every AI interaction handled by Audact is written to the same signed Merkle-anchored Evidence Chain that backs Article 50 attestation. The planned Multi-Regulation Bundle API (API 06) is designed to produce a single DORA-ready export covering:
- ICT incident records — classification, severity, timestamps and remediation steps, aligned to the DORA reporting taxonomy.
- Resilience attestations — uptime, failover behaviour, regional residency and third-party dependencies (Telnyx, LiveKit, Deepgram, ElevenLabs).
- Tamper-evident audit trail — every consent, disclosure, policy verdict and transcript hash, designed to be exportable for supervisory inspection.
Auditors and competent authorities are intended to be able to verify the Evidence Chain independently — no contact with Audact required.
Frequently asked questions
When did DORA take effect?
DORA has been directly applicable across the EU since 17 January 2025. There is no grace period — financial entities and their critical ICT third-party providers are already in scope.
Who must comply with DORA?
Banks, insurers, payment institutions, e-money firms, crypto-asset service providers, investment firms and other EU financial entities, plus any ICT third-party service provider designated as critical by the European Supervisory Authorities.
What does DORA require for AI-mediated interactions?
DORA requires documented ICT risk management, tested incident response, tamper-evident audit trails, and the ability to demonstrate operational resilience to regulators on request — including for AI voice agents and chatbots used in customer interactions.
How does Audact help with DORA?
Audact’s planned Multi-Regulation Bundle API (API 06) is designed to produce signed, auditor-ready evidence exports covering ICT incident records, AI interaction logs, policy verdicts and uptime attestations.
Next steps
The sandbox and a sample DORA evidence export are on the roadmap. Read the planned multi-regulation API spec, or talk to us about early access.
Disclaimer: This page is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for your specific compliance obligations.