Private Beta · Building

DORA evidence built for the next examination, not the last one.

DORA has been applicable since 17 January 2025. ICT risk-management framework documentation, major-incident reports filed within 4 / 72 / 30-day windows, threat-led penetration tests, and a third-party register that survives vendor exit — all anchored to a public ledger so EBA, ESMA, EIOPA, or your national competent authority can verify the timeline of every claim.

What it is

One ICT-resilience rulebook for every EU financial entity.

DORA (Regulation 2022/2554) harmonises ICT risk management across the EU financial sector. Before DORA, ICT resilience was governed by a patchwork of EBA, ESMA, and EIOPA guidelines layered on top of national supervisory practice. DORA replaces that patchwork with a single, directly applicable regulation.

The regulation organises ICT operational resilience into five pillars: risk management, incident reporting, resilience testing, third-party risk, and information sharing. Penalties for non-compliance reach 2% of annual worldwide turnover for entities (€1M for individuals).

Critical ICT third-party providers (designated by the European Supervisory Authorities) come under direct EU oversight — a first in EU financial regulation. Cloud hyperscalers, core-banking SaaS, and trade-execution systems are all candidates.

Five pillars · how Arkova maps to each

DORA's five operational areas, anchored.

ICT Risk Management

Requirement

Comprehensive ICT risk-management framework covering identification, protection, detection, response, recovery, and learning. Annual review by management body. Documented risk-tolerance levels and digital operational resilience strategy.

Arkova

Anchored ICT risk register with versioned receipts. Annual management-body reviews are timestamped to a public ledger so an EBA/ESMA examiner can verify the review actually happened on the date claimed.

ICT-Related Incident Management

Requirement

Single, harmonised process for classifying, managing, and reporting ICT incidents. Major incidents must be reported to the competent authority within strict timelines (initial within 4 hours, intermediate within 72 hours, final within 1 month).

Arkova

Append-only incident log with cryptographic timestamps. Each report-to-authority milestone is anchored — disputes about timing become objectively verifiable.

Digital Operational Resilience Testing

Requirement

Annual testing programme for ICT systems. Significant entities must conduct threat-led penetration testing (TLPT) every 3 years using the TIBER-EU framework. Test results, remediation actions, and lessons learned must be documented.

Arkova

TLPT scope, methodology, findings, and remediation evidence anchored. Three-year cycle reconstructable on demand without trusting your testing-vendor archive.

ICT Third-Party Risk Management

Requirement

Comprehensive register of all ICT third-party arrangements. Pre-contractual due diligence. Mandatory contractual provisions. Ongoing monitoring. Concentration-risk assessment. Critical ICT TPPs come under direct EU oversight.

Arkova

Third-party register with anchored due-diligence packets per vendor. Contract versions, audit reports, and exit-plan rehearsals all on-ledger. Survives the third party itself going under.

Information Sharing

Requirement

Voluntary cyber-threat information sharing among financial entities. Trusted communities. Anonymization where appropriate. Compatible with GDPR and competition law.

Arkova

Information-sharing attestations cryptographically signed. Counterparties can verify the integrity of shared threat indicators without trusting a centralized intermediary.

Implementation timeline

Five dates that matter.

14 Dec 2022 · Done

Adopted by EU Council

DORA finalised after trilogue. Two-year implementation runway begins.

16 Jan 2023 · Done

Entered into force

Regulation 2022/2554 published in the Official Journal.

17 Jan 2025 · Done

Applicable

DORA becomes binding on ~20 categories of EU financial entities. Penalties up to 2% of annual worldwide turnover (or €1M for individuals) for non-compliance.

2025–2026 · In progress

Continuous compliance + RTS finalisation

Final batches of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) under finalisation. First incident-reporting cycles. Initial competent-authority examinations.

2027+ · Upcoming

TLPT three-year cycle

Significant entities complete their first three-year threat-led penetration testing cycle under the TIBER-EU framework.

Who's in scope

~20 financial-entity categories, plus critical ICT TPPs.

DORA applies to substantially every regulated financial entity operating in the EU. The scope is broader than any prior single ICT-resilience regulation:

· Credit institutions
· Payment institutions
· Electronic money institutions
· Investment firms
· Crypto-asset service providers (under MiCA)
· Central securities depositories
· Central counterparties
· Trading venues
· Trade repositories
· Managers of alternative investment funds
· Management companies (UCITS)
· Data reporting service providers
· Insurance and reinsurance undertakings
· Insurance intermediaries
· Institutions for occupational retirement provision
· Credit rating agencies
· Administrators of critical benchmarks
· Crowdfunding service providers
· Securitisation repositories
· ICT third-party service providers (where designated as critical)

Microenterprises (≤10 employees, ≤€2M turnover or balance sheet) face proportionate requirements — not the full regime. Significance criteria for TLPT requirements are set in the relevant RTS.

What a DORA examiner asks for

Six evidence categories every examination needs.

  1. ICT risk management framework + management-body approval. Documented framework approved at least annually by the management body. Risk-tolerance levels, digital operational resilience strategy, and review minutes.
  2. Incident classification and reporting log. All ICT incidents classified by severity. Major incidents reported to the competent authority within initial 4-hour, intermediate 72-hour, and final 1-month windows. Proof of timing is critical — DORA explicitly penalises late reporting.
  3. ICT third-party register and contractual evidence. Single register of all ICT third-party arrangements. Pre-contractual due diligence, mandatory contractual provisions (audit rights, exit plans, sub-outsourcing), and ongoing-monitoring records.
  4. Operational resilience test results. Annual program of vulnerability scans, scenario-based tests, network security assessments. For significant entities: TLPT (TIBER-EU) every 3 years.
  5. Business continuity + disaster recovery plans. Tested annually. RTO/RPO targets per critical function. Backup and recovery procedures. Cross-border continuity arrangements where applicable.
  6. Information-sharing attestations. Records of cyber-threat information shared with other financial entities through trusted communities, including legal-basis documentation under GDPR.

Build a DORA evidence layer that survives every vendor exit.

If you're a financial entity preparing for a DORA examination and want ICT-resilience evidence with verifiable timestamps, we'd like to discuss an early-access pilot.

Arkova is in private beta. Features described on this page are being built and refined with pilot customers right now. Some controls and integrations are live today; others are in active development. Talk to us about the parts most relevant to your workload.

Or read The State of Compliance in 2026 for the broader regulatory picture.