0a8e77e949
- Moved everything from ideas/passepartout/ to projects/passepartout/ - Moved legal structures to projects/flags/ - Created missing _index.org files for all subdirectories - Stripped redundant passepartout- prefix from filenames - Rewrote root _index.org as generalized brain index (projects + concepts) - Updated Hugo nav to Projects/Concepts - Updated build script section descriptions - Deleted stale ideas/passepartout-economics.md orphan
1.5 KiB
DORA (Digital Operational Resilience Act)
DORA (Digital Operational Resilience Act)
EU regulation (effective January 2025) for the financial sector. Requires: ICT risk management, incident reporting, digital operational resilience testing, ICT third-party risk management (including contractual access and audit rights for critical ICT providers), information sharing, threat-led penetration testing (TLPT) for systemic institutions.
Who must comply: 22,000+ financial entities in the EU (banks, investment firms, payment processors, crypto-asset providers, insurance companies). Also ICT third-party providers deemed critical.
Penalties: Up to 2% of average daily turnover × number of days breached, or 10M EUR for legal entities. Personal liability for management.
Why it matters: DORA's third-party risk management requirement is a natural gate stack use case — every ICT provider access must be gated, logged, and auditable. TLPT (threat-led penetration testing) maps to the evaluation harness. First-mover advantage is extremely time-sensitive: DORA is already in effect (January 2025). Financial institutions are scrambling for compliance tooling. A DORA gate package at $50K/yr with zero incremental cost per additional user is an immediate sale.