Compliance

Digital Operational Resilience Act (DORA)

Powerful, secure, and compliant: Unless helps financial institutions keep EU DORA standards for resilient conversational AI systems.

How Unless helps you stay DORA‑compliant

As a trusted provider of conversational AI for financial institutions in the European Union, Unless ensures that its products, infrastructure, and governance align with the Digital Operational Resilience Act (DORA) — Regulation (EU) 2022/2554. This regulation establishes a unified resilience framework across the EU financial sector, covering ICT risk management, incident reporting, third‑party oversight, and business continuity. It took effect on 17 January 2025 and is overseen by the European Supervisory Authorities (EBA, ESMA, and EIOPA), in coordination with national regulators such as the Dutch Central Bank (DNB).

DORA compliance support at Unless

| Area | Compliance at Unless | What it means for you |
| --- | --- | --- |
| ICT Risk Management Framework | Unless implements a certified ICT risk management framework aligned with ISO 27001 and ENISA guidance. This includes continuous risk monitoring, change‑based assessments, and independent audits. | You operate on a SaaS platform built and monitored following recognized international information‑security standards required by Article 5 of DORA. |
| Incident Management | Unless uses automated anomaly detection, internal escalation procedures, and real‑time analytics to identify and handle ICT incidents. Customers are informed of any disruptions that may affect service integrity. | You can integrate these updates into your own ICT incident register and reporting workflow. |
| Operational Resilience Testing | The platform undergoes annual penetration tests, scenario‑based resilience assessments, and Threat‑Led Penetration Testing (TLPT) where required. Business continuity and recovery capabilities are tested under DORA Technical Standards set by the ESAs. | You benefit from a continuously validated environment for digital operational testing. |
| Contractual & Third‑Party Management | Unless provides transparent service descriptions, subcontractor disclosure, and detailed Service Level Agreements. Clients retain audit and termination rights. | You can demonstrate clear oversight and accountability for your ICT service providers, fulfilling outsourcing obligations under DORA. |
| Data Security & Encryption | All customer data is encrypted in transit, at rest, and—where possible—during processing. Key management follows ENISA cryptographic safeguards and complies with GDPR. | Your conversational AI data is protected in compliance with DORA and EU data‑protection regulations. |
| Governance & Oversight | Unless has an assigned CISO and a Compliance Committee that review policies semi‑annually. Senior leadership oversees ICT risk management and operational resilience. | You work with a provider that demonstrates active governance and audit readiness under the DORA framework. |
| Critical Provider Readiness | Should Unless be designated as a critical ICT third‑party provider, we maintain EU subsidiaries, cooperation procedures with regulators, and readiness for direct oversight by ESAs as defined in Regulation (EU) 2022/2554 Articles 31–39. | Your operational resilience remains uninterrupted even under regulatory designation of Unless as a critical ICT provider. |
| Information Sharing | Unless participates in European cyber‑threat intelligence exchange programs, ensuring adherence to GDPR and ENISA guidelines on data sharing. | You gain proactive insights into emerging threats relevant to financial AI operations while remaining legally compliant. |

Why this matters

DORA establishes common rules to ensure that financial entities and their technology partners can withstand ICT disruptions and cyberattacks. Through compliance with this regulation and continuous engagement with the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA), Unless ensures that all clients operate within a digitally resilient and regulator‑ready environment.

By partnering with Unless, financial institutions can confidently integrate conversational AI solutions that align with EU operational resilience expectations—supporting both technological advancement and regulatory peace of mind.

Friendly support from real people

We’re here to help

We are known for our quick responses if you have an issue. Feel free to ask us anything. But you can also ask our conversational AI a question, of course!