DORA Compliance Package

Last updated: 2025‑04‑01

1 Introduction

ilert GmbH is a B2B SaaS provider of incident management and alerting solutions. This document is a self‑contained dossier demonstrating ilert GmbH’s alignment with Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector ("DORA"). It is addressed to all EU financial‑sector entities (banks, insurers, investment firms, payment service providers, etc.) that rely on ilert’s SaaS platform. ilert reviews this package at least annually and whenever new regulatory guidance is issued, and revises it where necessary.

Key Facts

Topic | Statement
Legal status | GmbH (German private limited‑liability company)
Senior accountability | CEO is executive owner of digital resilience; CTO leads the ISO 27001 ISMS and reports quarterly to the Board.
Data hosting | Active/active AWS eu‑central‑1 (Frankfurt) & eu‑north‑1 (Stockholm)
Certifications | ISO/IEC 27001:2022 (scope: SaaS platform + support scope)
DORA “critical” status | Not designated as a critical ICT third‑party service provider
GDPR | Data processor under Art. 28 GDPR; Data Processing Agreement (DPA) in place
Continuous improvement | Next DORA compliance review scheduled Q1 2026; regulatory monitoring performed monthly

This package concisely maps ilert’s controls to the core obligations for third‑party ICT service providers under DORA. It is uniform for all customers and suitable for inclusion in due‑diligence files.

2 Compliance with Core DORA Requirements

DORA Theme | ilert Control Summaries
ICT risk management & governance (Arts. 5‑6) | ISO 27001 ISMS; quarterly KPI review by management; annual risk assessment.
Incident detection & reporting (Art. 10 & Arts. 17‑19) | 24×7 monitoring & on‑call SRE; “major ICT‑related incident” as defined in Art. 3(10) DORA. Initial customer notice ≤ 4 h with nature, impact and mitigation. Updates at least every 4 h on https://status.ilert.com; post‑incident report within 5 business days.
Digital operational‑resilience testing (Arts. 24‑27) | Annual external penetration test; quarterly vulnerability scans; full cooperation in client‑led TLPT & cyber exercises.
Information sharing (Art. 45) | Critical threat advisories forwarded to customers within 24 h.
Third‑party contractual clauses (Art. 30) | Standard DORA Addendum: audit & access; subcontractor conditions; security & training participation; TLPT cooperation; material‑developments notice; exit & transition.
Business continuity & DR (Arts. 11‑12) | Active/active Frankfurt + Stockholm; RPO ≤ 15 min & RTO ≤ 60 min; quarterly fail‑over tests; 30‑day data retention post‑termination, with export within 10 business days of request.

3 Allocation of Responsibilities

Area | ilert (Vendor) | Financial‑entity Customer
Risk management | Operate ISO 27001 ISMS | Assess ilert via vendor‑risk programme
Incident handling | Detect → contain → notify ≤ 4 h; assist with RCA & regulator queries | Classify impact; file DORA incident reports with the competent authority
Audits | Provide ISO certificate & pen‑test summary; allow 1 remote audit/yr free of charge; on‑site audits at agreed cost | Initiate & evaluate audits
Exit plan | Data export (JSON/CSV) within the 30‑day post‑termination retention window | Maintain contingency / migration plan

4 Key Measures Ensuring Ongoing Compliance

  1. Security & Governance

    • MFA enforced; encryption in transit (TLS 1.2+) & at rest (AWS KMS).

    • Quarterly security awareness training for all staff.

  2. Incident Response & Notification

    • Dedicated on‑call team with automatic escalation; initial notification by email/API/SMS within 4 h and continuing updates via https://status.ilert.com (public status page). A live conference bridge is opened for priority‑1 incidents upon customer request.

    • Assistance during incidents (forensic data, logs, statements).

  3. Business Continuity & Disaster Recovery

    • Active/active architecture across AWS eu‑central‑1 (Frankfurt) and eu‑north‑1 (Stockholm); automated multi‑region replication; quarterly fail‑over tests.

  4. Risk Assessments & Audits

    • Annual ISO 27001 surveillance audit; SOC 2 Type II attestation planned for 2026.

    • Customer audit window: 10 business days’ notice; one audit per year without fee.

5 Supporting Documentation (Available on Request)

Document | Purpose
ISO 27001 Certificate & SoA | Independent verification of ISMS
Information‑Security Policy | Detailed control descriptions
Incident‑Response Plan | Process, roles, templates
BCP/DR Plan | Recovery architecture & test results
Pen‑Test Executive Summary | Latest external test outcomes
Sub‑processor List | Names, roles, data location


Contact: [email protected] © 2025 ilert GmbH – All rights reserved