DORA
EU Digital Operational Resilience Act
Overview
The EU Digital Operational Resilience Act (DORA) requires financial entities to manage ICT risks, test their operational resilience, and report major ICT-related incidents. IOF is formalising its ICT risk register, its ICT third-party provider (TPP) monitoring framework, and its incident classification thresholds so that they align with the DORA Article 3 definitions. Target compliance: 2026 Q4.
Scope
DORA applies to IOF in its role as a technology provider to EU-regulated financial institutions. In-scope obligations include ICT risk management (Chapter II), ICT-related incident reporting (Chapter III), digital operational resilience testing (Chapter IV), and management of ICT third-party risk (Chapter V).
Key Controls
- ICT risk register with DORA-aligned risk categories (in progress)
- Third-party ICT provider monitoring (AWS, Cloudflare, Clerk, Stripe)
- Major incident classification thresholds (Art. 3 criteria)
- Incident reporting pipeline to competent authority
- Threat-Led Penetration Testing (TLPT) plan (2026 Q3)
- Business continuity and disaster recovery procedures
- Sub-contractor oversight in ICT contracts
Certification & Audit
Supervised by the relevant EU competent authority under the EBA/ESMA/EIOPA joint supervisory framework.
Target date for full DORA compliance: 2026 Q4.
Evidence Bundle
Evidence bundle available on request
Contact compliance@islamicopenfinance.com to request the evidence pack for this framework. We typically respond to audit requests within two business days.