DORA — Digital Operational Resilience Act.
Issuer: European Union — Regulation (EU) 2022/2554 · Year: 2022 (effective 2025-01-17)
Scope: Financial entities in the EU — credit institutions, payment institutions, e-money institutions, investment firms, insurance, crypto-asset providers, central counterparties, central securities depositories, trading venues. Plus their ICT third-party service providers.
What KYE Protocol™ supplies
DORA imposes operational resilience requirements across five pillars: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk, and information sharing. KYE Protocol™ supplies the audit-chain + replay-proof primitives that DORA Articles 11, 17, 24, 28, 30 require.
Per-clause control mapping
| DORA clause | KYE Protocol™ binding |
|---|---|
| Art. 5–11 — ICT risk management framework | Audit Chain (per-tenant, 3-tier WORM) + Reconciliation Engine — declared-vs-deployed bijection across configuration state. |
| Art. 12–13 — ICT-related incident reporting | Drift cascade + audit-chain event emission — every incident is a signed event with replayable lineage. |
| Art. 17–22 — Major ICT-related incident classification | Closed action-kind enum + risk-level enum on every event_index entry; framework_refs binds to DORA classification. |
| Art. 24–27 — Digital operational resilience testing | Conformance Pack — 133 black-box fixtures + signed conformance-report.v1 envelope replayable by regulator. |
| Art. 28–30 — ICT third-party risk | Sub-processor manifest (kye.subprocessor.v1) + delegation chain with KYE Cascade Revocation™ — third-party authority bounded + revocable. The cascade ordering and propagation construction is part of the patent track and is not disclosed in this repository. |
| Art. 40 — Information sharing | Open Apache 2.0 vocabulary + schemas + OpenAPI — cross-entity exchange of audit-chain events under the canonical envelope. |
Every binding above resolves to a canonical KYE Protocol™ artefact (engine, schema, audit event, or patent claim). The full per-control register is published in the conformance repo at github.com/KYE-Protocol/app/tree/main/internal.
What an auditor / regulator gets
- Replay Proof™ — re-derive any decision offline using only the publisher’s published JWKS. No back-channel to the KYE™ project.
- Evidence Pack™ — sealed, signed, replayable container of decisions + bound rules + audit-chain anchors.
- Conformance Pack — 133-fixture black-box test suite; signed kye.conformance_report.v1 envelope.
- Audit Chain — per-tenant WORM-anchored audit chain; the specific multi-tier immutability construction is part of the patent track and is not disclosed here.
- Compliance Attestation — per-framework signed kye.compliance.attestation.v1 envelopes (90-day cadence).