gbrain: sync converted org-mode brain files

ideas/compliance/dora.org

@@ -0,0 +1,29 @@
+:PROPERTIES:
+:ID:       auto-dora
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: DORA (Digital Operational Resilience Act)
+#+filetags: :passepartout:compliance:framework:dora:
+
+** DORA (Digital Operational Resilience Act)
+
+EU regulation (effective January 2025) for the financial sector. Requires:
+ICT risk management, incident reporting, digital operational resilience testing,
+ICT third-party risk management (including contractual access and audit rights
+for critical ICT providers), information sharing, threat-led penetration testing
+(TLPT) for systemic institutions.
+
+Who must comply: 22,000+ financial entities in the EU (banks, investment firms,
+payment processors, crypto-asset providers, insurance companies). Also ICT
+third-party providers deemed critical.
+
+Penalties: Up to 2% of average daily turnover × number of days breached, or
+10M EUR for legal entities. Personal liability for management.
+
+Why it matters: DORA's third-party risk management requirement is a natural gate
+stack use case — every ICT provider access must be gated, logged, and auditable.
+TLPT (threat-led penetration testing) maps to the evaluation harness. First-mover
+advantage is extremely time-sensitive: DORA is already in effect (January 2025).
+Financial institutions are scrambling for compliance tooling. A DORA gate package
+at $50K/yr with zero incremental cost per additional user is an immediate sale.
+