DORA Compliance

DORA Operating Layer:
Operational Evidence Automation

Most DORA tools stop at threat intelligence. Real DORA compliance demands operational evidence across 6 layers. Here is how FeedOracle + ToolOracle automate control, evidence, reporting, register and workflow across the full chain.

Published March 19, 2026 · Updated March 20, 2026 · 16 Oracles · 167 MCP tools · 6 operative layers

DORA operating layer

FeedOracle + ToolOracle · 16 Oracles · 167 tools · operational coverage across all central DORA areas
Governance & reporting · 28 tools
GovernanceOracle · PolicyOracle · TrainingOracle — board packs, framework review, KPIs, policy lifecycle, training evidence
Art. 5-6, 13(6) · Management body · ICT risk framework · Annual review · RTS 2024/1774 Art. 2(2)
Resilience & recovery · 10 tools
ResilienceOracle — BIA, RTO/RPO, DR tests, crisis plans, scenario library
Art. 11-12 · BCM · Response & recovery · Del. Reg. 2024/1774
Asset & dependency mapping · 10 tools
DependencyOracle — asset inventory, blast radius, SPOF, impact simulation
Art. 8 · ICT assets · Business functions · Dependencies
Register & contracts · 20 tools
RegisterOracle · ContractOracle — RoI, ITS export, CTPP, concentration risk, clause check, exit readiness, CIF analysis
Art. 28-30 · Register of Information · Contractual provisions · ITS 2024/2956
Protection & controls · 30 tools
ChangeOracle · CryptoOracle · AccessOracle — change governance, encryption policy, key lifecycle, MFA, SoD, access reviews
Art. 9(4)(c-f) · RTS Art. 6-7, 9, 21 · Change management · Encryption · Access control
Third-party risk & AML · 39 tools
DORAOracle · AMLOracle · InsuranceOracle — provider risk, sanctions (87k names), PEP, KYC, cloud status, NatCat
Art. 28-44 · Third-party risk · AMLR · Insurance resilience
Testing & TLPT · 10 tools
TLPTOracle — TIBER-EU 8-phase management, red/blue/purple team, finding register, remediation tracking
Art. 24-27 · Digital operational resilience testing · RTS 2025/1190
Threat, incident & sharing · 35 tools
DORAOracle · IncidentOracle · SharingOracle — CVE/KEV, 4h/72h/1m reporting, MITRE, IoC sharing, STIX export
Art. 6-10 · Art. 17-23 · Art. 24-27 · Art. 45 · ITS 2025/302
Evidence backbone
FeedOracle: ES256K signing · Polygon + XRPL anchoring · verified PDF reports · 53 compliance MCP tools

GovernanceOracle + PolicyOracle + TrainingOracle — Art. 5-6, 13(6)

register_finding · list_findings · board_report · framework_review · control_status · exception_register · action_tracker · kpi_dashboard · annual_review · register_policy · policy_gap_check · review_schedule · coverage_map · compliance_score · register_training · board_training · compliance_check · gap_report
Management body review packs, risk posture KPIs, exception tracking, 12 RTS-required policy types with gap analysis, board ICT training evidence — Art. 5(2), Art. 6(5), Art. 13(6), RTS 2024/1774

ResilienceOracle — Art. 11-12

register_system · set_bia · rto_rpo_check · test_register · scenario_library · bcm_gap_analysis · recovery_status · crisis_plan_check · evidence_bundle · health_check
BIA data collection, RTO/RPO validation, DR test registry, 10 DORA test scenarios, crisis communication plan checks — Art. 11(4-7), Del. Reg. 2024/1774

DependencyOracle — Art. 8

register_asset · register_function · map_dependency · dependency_graph · blast_radius · spof_analysis · criticality_score · asset_inventory · impact_simulation · health_check
ICT asset registry, business function mapping, dependency graphs, blast radius on outage, SPOF detection, cascade impact simulation — Art. 8(1-4)

RegisterOracle + ContractOracle — Art. 28-30

register_provider · validate_roi · concentration_risk · ctpp_check · export_its · gap_analysis · register_contract · clause_check · exit_readiness · cif_analysis · contract_scoring · subcontracting_chain
Register of Information (ITS-compliant), CTPP designation scoring, concentration risk, automated review of Art. 30 contractual requirements (standard + CIF), exit plan readiness — Art. 28(3), Art. 30(2-3), ITS 2024/2956

ChangeOracle + CryptoOracle + AccessOracle — Art. 9, RTS Art. 6-7, 9, 21

register_change · change_risk_assess · approval_check · patch_compliance · sod_check · encryption_policy_check · key_inventory · cert_register · cert_expiry · weak_algo_scan · tls_check · register_account · mfa_compliance · access_review · privileged_audit · break_glass_log
Change governance with SoD and rollback, encryption policy against RTS Art. 6-7, key lifecycle, certificate registry (Art. 7.4), MFA compliance for privileged/remote/CIF access — Art. 9(4)(c-f), RTS 2024/1774

DORAOracle + AMLOracle + InsuranceOracle — Art. 28-44

provider_risk · cloud_status · sanctions_screen · pep_check · kyc_bundle · watchlist_update · adverse_media · natcat_live · risk_score · gleif_lookup
ICT provider risk assessment, live cloud outage monitoring (AWS/GCP/Azure), EU+OFAC+UN sanctions screening (87k names), PEP checks, KYC bundles, NatCat feeds, GLEIF lookup — Art. 28-44, AMLR

TLPTOracle — Art. 24-27, RTS 2025/1190

register_exercise · phase_tracker · threat_profile · team_assignment · finding_register · remediation_plan · evidence_bundle · test_calendar · tlpt_readiness · health_check
TIBER-EU 8-phase lifecycle management, red/blue/white/purple team assignment, finding tracking, remediation plans, authority attestation evidence — Art. 24-27, RTS 2025/1190

DORAOracle + IncidentOracle + SharingOracle — Art. 6-27, 45

cve_search · cve_latest · kev_list · cert_advisories · breach_check · mitre_techniques · log_incident · classify_incident · major_incident_check · initial_notification · intermediate_report · final_report · deadline_tracker · share_ioc · stix_export · community_status
NVD CVE, CISA KEV, CERT-Bund, MITRE ATT&CK, incident classification against 6 DORA criteria, ITS-compliant reporting with deadline tracking, IoC sharing in STIX 2.1 — Art. 6-23, ITS 2025/302, Art. 45

16 DORA Oracles · 167 MCP Tools · 8 Layers · Live since Q1 2026

Why most DORA tools only cover 1 of 8 layers

The majority of compliance vendors build vulnerability scanners and threat intelligence feeds — that is the bottom layer. It is necessary, but DORA demands much more: operational evidence across governance, resilience, dependencies, contracts, protection controls, third-party risk, testing, and incident management.

Without a RegisterOracle that produces ITS-compliant exports for supervisory reporting, without a ContractOracle that reviews contracts against Art. 30 requirements, without an IncidentOracle that classifies incidents against 6 DORA criteria and tracks reporting deadlines — your DORA program has significant gaps.

The protection layer most forget

DORA Art. 9 explicitly requires documented change management policies, encryption policies (RTS Art. 6-7 with key lifecycle management), and access control with MFA for privileged and remote access (RTS Art. 21). The ChangeOracle, CryptoOracle, and AccessOracle automate evidence collection for these requirements — from patch compliance and certificate expiry tracking to segregation of duties checks.

Testing beyond vulnerability scans

Significant financial entities must conduct their first TLPT (Threat-Led Penetration Test) by January 2028. The TLPTOracle manages the full TIBER-EU 8-phase lifecycle — from threat profiling and team assignment through finding registers to authority attestation evidence. Annual testing schedules and compliance gaps are tracked automatically.

The evidence backbone: every claim verifiable

FeedOracle's cryptographic signing layer (ES256K / JWS RFC 7515) runs through all 8 layers. Every data point is signed, timestamped, and anchored on Polygon + XRPL. This is the foundation that makes every layer audit-ready.

Built for AI agents, not just humans

All 167 tools are exposed as MCP (Model Context Protocol) endpoints. AI compliance agents can discover, authenticate, and use them autonomously. The infrastructure is designed for both human compliance teams and autonomous AI systems that need verifiable evidence.

This product provides operational support for DORA-related work processes. It does not constitute legal advice and does not represent an automatic compliance determination.