Finance Dora Regulatory

Verified, by Dryade

Description

DORA (Digital Operational Resilience Act) compliance management: ICT risk assessment, incident reporting, third-party provider oversight, and resilience testing validation

Details

Finance DORA Regulatory Filing

Tier: Enterprise | Type: Tool | Category: Finance | Version: 1.0.0

DORA (Digital Operational Resilience Act) compliance management for financial entities. Validates ICT risk frameworks, automates incident classification, monitors third-party providers, and verifies resilience testing programs against EU Regulation 2022/2554.


1. Overview

Plugin Name: Finance DORA Regulatory Filing
Slug: finance-dora-regulatory
Required Tier: enterprise
Plugin Type: tool (REST API endpoints)
Category: Finance / Regulatory Compliance
Author: Dryade
License: DSUL

What It Does

Manages compliance with the Digital Operational Resilience Act (DORA) for banks, investment firms, insurance companies, and fintech entities. Assesses ICT risk management maturity, classifies incidents by severity with regulatory deadlines, monitors third-party ICT provider compliance, and validates resilience testing programs including TLPT requirements.

Key Capabilities

  • ICT risk management framework assessment (DORA Chapter II)
  • Major ICT incident classification with reporting deadlines (Articles 18-19)
  • Third-party ICT provider register and concentration risk analysis (Chapter V)
  • Digital resilience testing program validation with TLPT gap analysis (Chapter IV)
  • Compliance finding generation with article references and remediation guidance

2. User Stories

Primary User Stories

US-1: ICT Incident Severity Classification

As a CISO, I want to classify ICT incidents by DORA severity criteria so that I can meet regulatory notification deadlines.

Acceptance Criteria:

  • [ ] System applies DORA Article 18 major incident criteria
  • [ ] Reporting deadlines calculated (4h initial, 72h intermediate, 1 month final)
  • [ ] Data breach incidents flagged for dual notification (NCA + DPA)

US-2: Third-Party Provider Oversight

As a risk manager, I want to assess ICT provider concentration risk so that I can comply with DORA Chapter V requirements.

Acceptance Criteria:

  • [ ] Provider register with criticality classification
  • [ ] Concentration risk by jurisdiction identified
  • [ ] Missing exit strategies flagged for critical providers
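One way to implement the three US-2 checks (a register with criticality classification, concentration by jurisdiction, and missing exit strategies for critical providers) is shown below as an added example for this page; it is not the plugin's own /check-third-party code. The Provider and Finding fields, the 50% concentration threshold and the five-provider sample register are assumptions constructed for the illustration. The article references are DORA Art. 28(3) (register of information on contractual arrangements), Art. 28(8) (exit strategies for ICT services supporting critical or important functions) and Art. 29 (ICT concentration risk assessment), all within Chapter V.

```python
"""DORA Chapter V third-party register checks.

Added worked example for this page, not the plugin's /check-third-party
implementation. Register fields and the concentration threshold are ASSUMPTIONS.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# ASSUMPTION: flag any jurisdiction hosting more than half of the critical-function providers.
CONCENTRATION_THRESHOLD = 0.5


@dataclass(frozen=True)
class Provider:
    name: str
    jurisdiction: str                 # ISO 3166-1 alpha-2 of the entity delivering the service
    supports_critical_function: bool  # criticality classification from the register
    has_exit_strategy: bool           # documented exit strategy exists for this arrangement


@dataclass(frozen=True)
class Finding:
    severity: str                     # "high" or "medium"
    article: str                      # DORA article the finding maps to
    provider: str | None              # None for register-wide findings
    message: str


def jurisdiction_concentration(register: list[Provider]) -> dict[str, float]:
    """Share (0.0 to 1.0) of critical-function providers located in each jurisdiction."""
    critical = [p for p in register if p.supports_critical_function]
    if not critical:
        return {}
    counts = Counter(p.jurisdiction for p in critical)
    return {j: n / len(critical) for j, n in counts.items()}


def check_third_party_register(register: list[Provider]) -> list[Finding]:
    """Produce findings for a missing register, missing exit strategies and jurisdiction concentration."""
    findings: list[Finding] = []
    if not register:
        # Edge case: nothing registered at all is itself a finding, not an empty result.
        findings.append(Finding("high", "DORA Art. 28(3)", None,
                                "No register of information on ICT third-party arrangements"))
        return findings
    for p in register:
        if p.supports_critical_function and not p.has_exit_strategy:
            findings.append(Finding("high", "DORA Art. 28(8)", p.name,
                                    f"Critical provider {p.name} has no documented exit strategy"))
    for jurisdiction, share in sorted(jurisdiction_concentration(register).items()):
        if share > CONCENTRATION_THRESHOLD:
            findings.append(Finding("medium", "DORA Art. 29", None,
                                    f"{share:.0%} of critical-function providers are in {jurisdiction}"))
    return findings


def demo_register() -> list[Provider]:
    """Constructed sample register (five providers, like the demo data set); not real vendors."""
    return [
        Provider("CloudHostCo", "US", True, True),
        Provider("DataLakeInc", "US", True, False),
        Provider("PayRailLtd", "IE", True, True),
        Provider("TicketingSaaS", "DE", False, False),
        Provider("BackupVault", "US", False, False),
    ]


def demo() -> list[Finding]:
    return check_third_party_register(demo_register())


if __name__ == "__main__":
    for f in demo():
        print(f.severity, f.article, f.provider or "-", f.message)
```

With the sample register, DataLakeInc is flagged under Art. 28(8) and the US jurisdiction is flagged under Art. 29 because two of the three critical-function providers sit there; non-critical providers do not count toward concentration, which is why BackupVault does not push the share higher.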

Edge Cases

  • No ICT systems registered: Returns critical finding for Article 6 non-compliance
  • Zero-impact incident: Classified as minor with no mandatory reporting

3. Architecture

Component Diagram

+------------------+     +-------------------+     +------------------+
|  Plugin Router   | --> |  DORA Rule Engine | --> |  Data Provider   |
|  /finance-dora   |     |  routes.py        |     |  (mock / real)   |
+------------------+     +-------------------+     +------------------+
                                   |
                            +------v-------+
                            |  Demo Data   |
                            |  data/*.json |
                            +--------------+

Components

| Component | File | Responsibility |
|-----------|------|----------------|
| Router | routes.py | API endpoints, request validation |
| Plugin | plugin.py | Lifecycle, config, data loading |
| Data | data/ | Demo DORA compliance datasets |

Dependencies

  • Internal: core.plugins.PluginProtocol, core.plugin_config_store.PluginConfigStore
  • External: None (all rules embedded)
  • Plugin: None

4. API Spec / Agent Capabilities

REST Endpoints

| Method | Path | Description | Auth |
|--------|------|-------------|------|
| POST | /assess-ict-risk | Assess ICT risk management framework | Yes |
| POST | /classify-incident | Classify incident severity and deadlines | Yes |
| POST | /check-third-party | Check third-party provider oversight | Yes |
| POST | /validate-resilience-testing | Validate resilience testing program | Yes |
| GET | /status | Health check | No |

Request/Response Examples

Classify Incident

// Request
{
    "incident_id": "INC-001",
    "incident_type": "system_failure",
    "clients_affected": 50000,
    "duration_hours": 8
}

// Response
{
    "success": true,
    "incident_id": "INC-001",
    "severity": "major",
    "is_major": true,
    "reporting_deadlines": [
        {"stage": "initial_notification", "deadline": "4 hours", "to": "Competent authority"},
        {"stage": "intermediate_report", "deadline": "72 hours", "to": "Competent authority"},
        {"stage": "final_report", "deadline": "1 month", "to": "Competent authority"}
    ]
}


5. Data Flow

Processing Pipeline

1. User request arrives at plugin router
2. Request validated against Pydantic models
3. DORA regulatory rules applied to input data
4. Findings generated with article references and severity
5. Structured response returned with compliance assessment

Data Sources

| Source | Type | Format | Update Frequency |
|--------|------|--------|------------------|
| DORA rules | embedded | Python | Per release |
| Demo assessments | mock | JSON | Static |

Demo Data Description

The data/ directory contains:

  • sample_ict_risk_assessment.json: ICT system inventory with risk controls (5 systems)
  • sample_incident_report.json: Major incident timeline with reporting status
  • sample_third_party_register.json: ICT provider register with 5 providers
  • sample_resilience_testing.json: Testing program with TLPT details

Total: 4 demo files covering all DORA compliance domains.


6. Security Considerations

Data Handling

  • PII / sensitive data: Yes - entity names, system identifiers and provider details are business-confidential; incident payloads for data breaches may also carry personal data
  • Encryption: Plugin does not store data; relies on core encryption
  • Data Retention: No persistent storage; all data is request-scoped

External API Keys

| Key | Environment Variable | Required | Purpose |
|-----|----------------------|----------|---------|
| None | N/A | No | No external APIs in mock mode |

Isolation

  • Plugin runs in sandboxed context via core plugin loader
  • No direct database access -- uses core API only
  • All regulatory rules are stateless and deterministic

Threat Model

  • Malformed input: Pydantic validation rejects invalid requests
  • Incident data sensitivity: No data persisted beyond request lifecycle

7. Test Plan

Test Classes

| Class | Tests | Coverage Target |
|-------|-------|-----------------|
| TestPluginAttributes | Manifest consistency | 100% manifest fields |
| TestPluginRouter | Endpoint mounting, responses | All 5 routes |
| TestPluginConfig | Config schema, mock/real toggle | Config validation |
| TestDemoData | Data presence, loadability | All 4 data files |
| TestMarketplace | Marketplace metadata | Slug, category, fields |

Running Tests

cd dryade-plugins
python -m pytest enterprise/finance_dora_regulatory/tests/ -x -v --tb=short

Coverage Target

  • Minimum: 80% line coverage
  • Critical paths: 100% (incident classification, reporting deadlines)

8. Deployment Notes

Requirements

No additional Python packages required beyond core dependencies.

Environment Variables

| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| None | No | N/A | No environment variables needed |

Configuration

Default plugin configuration (set via plugin settings UI or API):

{
    "data_source": "mock"
}

Compatibility

  • Min Dryade Version: 1.0.0
  • Python: >=3.11
  • Notes: All DORA rules embedded; no external API dependencies

9. User Guide

Getting Started

  1. Ensure your Dryade instance has an enterprise tier license
  2. Install the plugin via the marketplace or dryade-pm push
  3. Navigate to Plugins > Finance DORA Regulatory in the workbench
  4. Use the API endpoints to assess DORA compliance

Common Workflows

Workflow 1: ICT Incident Response

  1. Submit incident details to /classify-incident
  2. Review severity classification and reporting deadlines
  3. Use deadline timeline to coordinate regulatory notifications

Workflow 2: Annual DORA Compliance Review

  1. Assess ICT risk framework via /assess-ict-risk
  2. Review third-party register via /check-third-party
  3. Validate testing program via /validate-resilience-testing

FAQ

Q: Which financial entities does DORA apply to?
A: Article 2 lists the in-scope entities; they include credit institutions, investment firms, insurance undertakings, payment institutions, crypto-asset service providers, and the critical ICT third-party providers designated under Chapter V.

Q: What makes an incident "major" under DORA?
A: The plugin's rule engine treats an incident as major when any of these thresholds is exceeded: >10,000 clients affected, >100,000 data records compromised, >EUR 1M financial impact, >24h duration, or any data breach with compromised records. The binding classification criteria and materiality thresholds are set in the RTS adopted under Article 18(3), so check the embedded thresholds against the current RTS text before relying on them.
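The classification rule above, the US-1 acceptance criteria and the /classify-incident request and response shapes can be worked through in a small stand-alone classifier. The following is an added example written for this page, not the plugin's routes.py: it applies the thresholds listed in the FAQ, computes the 4 hour / 72 hour / 1 month stages as absolute due times, and flags data breach incidents for dual notification to the NCA and the DPA. Because the page states the durations only, the reference point of each clock is an assumption here (each stage is taken to start when the previous one falls due; verify against the applicable RTS). The Incident fields beyond those in the request example, the demo() helper and the timestamps are constructed for illustration.

```python
"""DORA Article 18 style incident triage with a notification timeline.

Added worked example for this page, not the plugin's routes.py. Thresholds are
the ones the page's FAQ lists; the reference point of each reporting clock is
an ASSUMPTION (see reporting_timeline) and must be checked against the RTS.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Thresholds exactly as the FAQ states them (strict "greater than").
MAJOR_THRESHOLDS = {
    "clients_affected": 10_000,
    "data_records_compromised": 100_000,
    "financial_impact_eur": 1_000_000,
    "duration_hours": 24,
}


@dataclass
class Incident:
    """Fields from the /classify-incident request example, plus assumed optional ones."""
    incident_id: str
    incident_type: str                  # e.g. "system_failure", "data_breach"
    clients_affected: int = 0
    duration_hours: float = 0.0
    data_records_compromised: int = 0   # assumed field
    financial_impact_eur: float = 0.0   # assumed field
    detected_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month arithmetic: 31 Jan + 1 month lands on the last day of February."""
    month_index = dt.month - 1 + months
    year, month = dt.year + month_index // 12, month_index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def major_criteria_met(inc: Incident) -> list[str]:
    """Names of the major-incident criteria the incident trips (empty list means minor)."""
    hits = [name for name, limit in MAJOR_THRESHOLDS.items() if getattr(inc, name) > limit]
    # A data breach with any compromised records is major regardless of the volume thresholds.
    if inc.incident_type == "data_breach" and inc.data_records_compromised > 0:
        hits.append("data_breach_with_compromised_records")
    return hits


def reporting_timeline(t0: datetime) -> list[dict]:
    """4 h / 72 h / 1 month stages as absolute due times.

    ASSUMPTION: each clock starts when the previous stage falls due and t0 is
    the detection time. Replace with the reference points your NCA applies.
    """
    initial = t0 + timedelta(hours=4)
    intermediate = initial + timedelta(hours=72)
    final = add_months(intermediate, 1)
    to = "Competent authority"
    return [
        {"stage": "initial_notification", "deadline": "4 hours", "to": to, "due_at": initial.isoformat()},
        {"stage": "intermediate_report", "deadline": "72 hours", "to": to, "due_at": intermediate.isoformat()},
        {"stage": "final_report", "deadline": "1 month", "to": to, "due_at": final.isoformat()},
    ]


def classify_incident(inc: Incident) -> dict:
    """Same keys as the page's response example, plus criteria_met and dual_notification."""
    hits = major_criteria_met(inc)
    is_major = bool(hits)
    return {
        "success": True,
        "incident_id": inc.incident_id,
        "severity": "major" if is_major else "minor",
        "is_major": is_major,
        "criteria_met": hits,
        # Personal-data breaches also trigger GDPR notification to the DPA, independent of DORA severity.
        "dual_notification": inc.incident_type == "data_breach",
        "reporting_deadlines": reporting_timeline(inc.detected_at) if is_major else [],
    }


def demo() -> dict[str, dict]:
    """Constructed sample incidents (not real events): the page's INC-001, a zero-impact event, a small breach."""
    t0 = datetime(2026, 1, 31, 22, 0, tzinfo=timezone.utc)
    cases = [
        Incident("INC-001", "system_failure", clients_affected=50_000, duration_hours=8, detected_at=t0),
        Incident("INC-002", "system_failure", detected_at=t0),
        Incident("INC-003", "data_breach", data_records_compromised=500, detected_at=t0),
    ]
    return {c.incident_id: classify_incident(c) for c in cases}


if __name__ == "__main__":
    for incident_id, result in demo().items():
        print(incident_id, result["severity"], [s["due_at"] for s in result["reporting_deadlines"]])
```

Running the file prints one line per sample incident. INC-001 reproduces the page's response (major on the clients criterion alone, three dated stages), INC-002 is the zero-impact edge case and comes back minor with an empty deadline list, and INC-003 shows that a breach of only 500 records is still major and carries the dual-notification flag. The month arithmetic matters at month ends: a stage falling due on 31 January plus one month lands on the last day of February rather than raising an error or sliding into March.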


10. Screenshots

Screenshots will be added when UI components are available.

| # | Description | Path |
|---|-------------|------|
| 1 | ICT risk assessment results | screenshots/ict-risk.png |
| 2 | Incident classification | screenshots/incident.png |


11. Changelog

1.0.0 (2026-03-05)

  • Initial release
  • ICT risk management framework assessment
  • Major ICT incident classification with DORA Article 18/19 criteria
  • Third-party provider oversight with concentration risk analysis
  • Resilience testing program validation with TLPT gap analysis
  • 4 demo data files covering all DORA domains

Future Roadmap

  • [ ] Automated regulatory report generation (EBA templates)
  • [ ] Real-time incident monitoring integration
  • [ ] Cross-border notification coordination
  • [ ] DORA RTS/ITS update tracking

Plugin Info

Version 1.0.0
Author Dryade
Tier enterprise
Category industry-verticals
Type backend
Downloads 0
Updated Mar 15, 2026

Tags

enterprise, finance, dora, regulatory