# DORA Compliance Package

**Last updated: 2025‑04‑01**

## 1  Introduction

**ilert GmbH** is a B2B SaaS provider of incident management and alerting solutions. This document is a self‑contained dossier demonstrating ilert GmbH’s alignment with **Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector** ("DORA"). It applies to all EU financial‑sector entities (banks, insurers, investment firms, PSPs, etc.) that rely on ilert’s SaaS platform. ilert reviews and, where necessary, revises this package at least annually and whenever new regulatory guidance is issued.

### Key Facts

| Topic                  | Statement                                                                                                              |
| ---------------------- | ---------------------------------------------------------------------------------------------------------------------- |
| Legal status           | GmbH (German **private limited‑liability company**)                                                                    |
| Senior accountability  | **CEO** is executive owner of digital resilience; **CTO** leads the ISO 27001 ISMS and reports quarterly to the Board. |
| Data hosting           | **Active/active AWS eu‑central‑1 (Frankfurt)** & **eu‑north‑1 (Stockholm)**                                            |
| Certifications         | ISO/IEC 27001:2022 (scope: SaaS platform + support scope)                                                              |
| DORA “critical” status | Not designated as critical ICT third‑party                                                                             |
| GDPR                   | Data Processor under Art. 28; [DPA](https://docs.ilert.com/trust-center/legal/data-processing-agreement)               |
| Continuous improvement | Next DORA compliance review scheduled **Q1 2026**; regulatory monitoring performed monthly                             |

This package concisely maps ilert’s controls to the **core obligations for third‑party ICT service providers** under DORA. It is **uniform** for all customers and suitable for inclusion in due‑diligence files.

## 2  Compliance with Core DORA Requirements

| DORA Theme                                                         | ilert Control Summaries                                                                                                                                                                                                              |
| ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **ICT risk management & governance** (Arts. 5‑6)                   | ISO 27001 ISMS; quarterly KPI review by management; annual risk assessment.                                                                                                                                                          |
| **Incident detection & reporting** (Arts. 10‑11)                   | 24×7 monitoring & on‑call SRE; “Major ICT Incident” as defined in Art. 3(8) DORA. Initial customer notice ≤ 4 h stating nature, impact and mitigation. Updates at least every 4 h on <https://status.ilert.com>; post‑incident report within 5 business days. |
| **Digital operational‑resilience testing** (Art. 15 & Arts. 24‑27) | Annual external penetration test; quarterly vulnerability scans; full cooperation in client‑led TLPT & cyber exercises.                                                                                                              |
| **Information sharing** (Art. 45)                                  | Critical threat advisories forwarded to customers within 24 h.                                                                                                                                                                       |
| **Third‑party contractual clauses** (Art. 30)                      | Standard **DORA Addendum**: audit & access; subcontractor conditions; security & training participation; TLPT cooperation; material‑developments notice; exit & transition.                                                          |
| **Business continuity & DR** (Arts. 11‑12)                         | **Active/active Frankfurt + Stockholm**; RPO ≤ 15 min & RTO ≤ 60 min; quarterly fail‑over tests; 30‑day data retention post‑termination + export within 10 business days.                                                            |

## 3  Allocation of Responsibilities

| Area              | ilert (Vendor)                                                                                          | Financial‑entity Customer                   |
| ----------------- | ------------------------------------------------------------------------------------------------------- | ------------------------------------------- |
| Risk management   | Operate ISO 27001 ISMS                                                                                  | Assess ilert via vendor‑risk programme      |
| Incident handling | Detect → contain → notify ≤ 4 h; assist with RCA & regulator queries                                    | Classify impact, file DORA incident reports |
| Audits            | Provide ISO certificate & pen‑test summary; allow 1 remote audit/yr free; on‑site audits at agreed cost | Initiate & evaluate audits                  |
| Exit plan         | 30‑day data export (JSON/CSV)                                                                           | Maintain contingency / migration plan       |

## 4  Key Measures Ensuring Ongoing Compliance

1. **Security & Governance**
   * MFA enforced; encryption in transit (TLS 1.2+) & at rest (AWS KMS).
   * Quarterly security awareness training for all staff.
2. **Incident Response & Notification**
   * Dedicated on‑call team with automatic escalation; **initial notification by email/API/SMS** within 4 h and continuing updates via <https://status.ilert.com> (public status page). A live conference bridge is opened for priority‑1 incidents upon customer request.
   * Assistance during incidents (forensic data, logs, statements).
3. **Business Continuity & Disaster Recovery**
   * **Active/active architecture across AWS eu‑central‑1 (Frankfurt) and eu‑north‑1 (Stockholm)**; automated multi‑region replication; quarterly fail‑over tests.
4. **Risk Assessments & Audits**
   * Annual ISO surveillance audit; SOC 2 Type II roadmap 2026.
   * Customer audit window: 10 business days’ notice; one audit per year without fee.

## 5  Supporting Documentation (Available on Request)

| Document                    | Purpose                              |
| --------------------------- | ------------------------------------ |
| ISO 27001 Certificate & SoA | Independent verification of ISMS     |
| Information‑Security Policy | Detailed control descriptions        |
| Incident‑Response Plan      | Process, roles, templates            |
| BCP/DR Plan                 | Recovery architecture & test results |
| Pen‑Test Executive Summary  | Latest external test outcomes        |
| Sub‑processor List          | Names, roles, data‑location          |

***

> **Contact:** <compliance@ilert.com> © 2025 ilert GmbH – All rights reserved
