Vornin
Start free
DORA · EU 2022/2554 · Live since 17 Jan 2025

Prove DORA compliance with audit-grade evidence.

The Digital Operational Resilience Act (DORA) expects a documented vulnerability management programme, regular resilience testing, and proof of remediation. Vornin scans, auto-maps each finding against DORA, and creates a tamper-evident record chain, for financial entities and their ICT suppliers alike.

Read-only access · Working scan data deleted after each scan · EU-hosted

The problem

The compliance isn't the hard part. Proving it is.

DORA calls it ICT risk management; your team calls it staying secure and proving it on demand. The controls are the doable part. The hard part is an audit trail that still holds up when an assessor asks whether the records were edited after the fact.

Who Vornin is for

Built for the teams who have to show their work.

Vornin fits some teams better than others. Financial entities and their ICT suppliers in DORA scope are the core fit.

A fit if you are

  • An in-scope financial entity answering a supervisor: a bank, insurer, payment or e-money firm, investment firm, or crypto-asset service provider. Vornin maps each finding to the DORA article it satisfies and keeps the evidence current.
  • An ICT supplier whose financial-entity customers push DORA obligations down by contract. Vornin produces the audit-ready evidence pack their vendor reviews ask for.
  • A lean IT or security team that has to prove a vulnerability management programme exists, not just a scan now and then. Vornin runs it continuously and records the proof.
  • Bound by EU data residency, including BaFin and BAIT-aligned reviews that expect tooling hosted in the EU. EU data residency is standard with Vornin.

Not the right fit yet if

  • You need threat-led penetration testing. TLPT under Article 26 is a specialist red-team engagement. Vornin runs the Article 25 vulnerability-assessment baseline beneath it, not the TLPT itself.
  • You are outside DORA scope with no financial-entity customers asking for evidence. Vornin covers other compliance frameworks such as NIS2 or ISO 27001.
  • You want a consultancy to run the programme for you. Vornin is the tooling your team operates, not a managed compliance service.
  • You require on-premise or self-hosted deployment. Vornin is created and hosted in the EU, an EU platform by design.
How it works

Four jobs DORA needs done. One platform.

Four pillars cover the DORA work: asset inventory, resilience testing, control mapping, and tamper-evident proof. Each is tied to the article it answers.

See what you actually expose.

Continuous discovery maps your subdomains, services, and certificates into a live asset register, the inventory DORA expects you to keep current.

DORA Art. 8

Test on a schedule, not once a year.

Fifteen scanner engines run web, infrastructure, code, and cloud checks on repeat, deduplicated and SLA-tracked, with scan-to-scan comparison.

DORA Art. 24-25

Map every finding to the article it touches.

Each result is tied to the DORA control it answers, alongside eight other frameworks, from a single scan and one source of truth.

DORA Art. 5-16

Prove the record was never edited.

Every status change is hashed into a per-tenant chain an assessor can re-verify, so the evidence answers the question before it is asked.

DORA Art. 5
The workflow

Two audiences, one programme, one evidence trail.

A supervisor's request and a customer's vendor review run the same pipeline and land as the same audit-ready evidence. Two audiences, one source of truth.

Who feeds it
Financial entityIn DORA scope, answering a supervisor.
ICT supplierPulled in by a customer's vendor review.
Vornin
01 Scan every surface 02 Map to the article 03 Seal the record
What comes out
Auditor packPer-finding ZIP plus tenant-wide PDF.
Compliance scoreLive, with a named coverage-gap report.
Verifiable chainSHA-256, re-checkable on demand.
Named in the law. DORA Article 25 names vulnerability assessments and scans directly.
Tamper-evident. Every status change is hashed into a SHA-256 chain you can re-verify.
One scan, nine frameworks. DORA, NIS2, ISO 27001 and six more from the same finding.
EU-hosted, read-only. Working scan data is deleted after each scan.
Control map

DORA articles, mapped to what an assessor sees.

Read from the law outward: the DORA article first, then the control Vornin runs, then the artefact an assessor receives. Article 25 even names vulnerability assessments and scans directly, so the scanning is in the text, not our interpretation.

See the full article-by-article mapping
DORA requirement What Vornin runs Evidence it produces
Art. 8Identification of ICT risk See everything you expose. Continuous attack surface discovery: subdomains, exposed services, certificates, and detected technologies. Asset register with status history, feeding the ICT risk register.
Art. 24–25Digital operational resilience testing Test on a schedule, not once a year. 15 scanner engines across web, infrastructure, code, and cloud, deduplicated and SLA-tracked, with scan-to-scan comparison. Per-finding auditor pack ZIP plus comparison reports proving testing recurs, not ad hoc.
Art. 9Protection and cryptography Catch weak encryption before an assessor does. SSL/TLS scanning for weak ciphers, deprecated protocols, expiring certificates, and missing HSTS. Encryption findings with severity and remediation deadlines.
Art. 28ICT third-party risk Prove your own supply chain is clean. Dependency scanning with reachability filtering, plus a CycloneDX software bill of materials. SBOM.cdx.json export and SCA findings mapped to the control.
Art. 5–6Framework effectiveness Show the programme works, not just that it exists. Live per-framework compliance score, a 90-day trend, and a coverage-gap report naming untested controls. Score export plus the gap report for the management-body review.
Art. 5Audit-ready evidence Hand over proof, not promises. Every status change is hashed into a per-tenant chain a supervisor can re-verify. Per-tenant audit chain and per-finding ZIP with chain verification baked in.

The governance, incident-reporting, and third-party contractual controls are organisational, not scanner-testable. Vornin tracks those through the manual attestation workflow with sign-off history and keeps them out of the auto-tested score, so what you put in front of an assessor is verifiable. Read the full DORA compliance guide →

The artefact

Proof you can hand over. And they can re-check it.

DORA evidence has to survive scrutiny, from a supervisor, an internal ICT audit, or a customer checking its suppliers. Every artefact below comes from one source of truth, hosted in the EU.

§ 01Chain

Tamper-evident by default.

Every status change, from the UI, the API, or a background job, is hashed into a per-tenant SHA-256 chain. Alter one event and every event after it breaks. Verification runs on demand and ships inside the pack.

§ 02Pack

One ZIP per finding.

A finding-CVE-evidence.zip carries the scan output, the full status history, the remediation log, the compliance mappings, and the chain-verification result. That is the artefact an assessor opens.

§ 03PDF

One PDF for the whole estate.

A tenant-wide auditor PDF renders every chain into a single programme summary for an external assessor or a customer's vendor review. Business and above.

§ 04Mapping

Cross-referenced to DORA.

A compliance-mappings.json export ties each finding to the DORA article it touches, alongside the eight other frameworks Vornin maps from the same finding.

§ 05History

What was tested, and when.

Date-stamped scan history answers Article 25's recurring-testing requirement without reconstructing anything. The record already exists by the time an assessor asks for it.

Get the tamper-evident audit trail and tenant-wide auditor pack on Business and up. Attestation tracking starts on Team. Compare tiers →

Questions buyers ask

DORA, answered.

The questions that decide whether a tool counts when a financial entity or its ICT supplier scopes DORA.

Who does DORA apply to, and does it reach us as a supplier?

DORA applies directly to roughly 20 categories of EU financial entity: banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers, and more. It also reaches ICT third-party providers through Article 28: if you sell software or cloud services to a regulated financial entity, its DORA obligations flow down to you by contract. So this page speaks to two audiences, the financial entity answering a supervisor and the supplier answering a financial-entity customer.

What is the difference between DORA and NIS2?

DORA is sector-specific to financial services and overrides NIS2 where the two overlap for in-scope financial entities, under the lex specialis principle. NIS2 is broader and covers 18 sectors. The vulnerability management controls are similar, so one scanning and evidence programme can serve both. Vornin maps findings to DORA and NIS2 from the same source of truth.

Does DORA require penetration testing?

Threat-led penetration testing under Article 26 is the advanced tier, carried out at least every three years and only by entities that competent authorities designate as significant. Vulnerability assessments and scans under Article 25 are the baseline every in-scope entity needs, and the prerequisite for the advanced testing. Vornin runs that Article 25 baseline on a schedule and keeps the documented evidence that it happened.

What counts as evidence for a DORA ICT risk assessment?

Timestamped, reproducible documentation of what was scanned, what was found, what was remediated, and when. Screenshots and spreadsheets fail the assessor's real question, were these edited after the fact. Vornin produces this as a per-finding auditor pack with a tamper-evident chain verification result baked in, so the record proves it was never rewritten.

Does DORA apply to SaaS and cloud suppliers?

Yes, if you supply ICT services to in-scope financial entities and are classified as an ICT third-party provider under Article 28. Your financial-entity customers must manage, monitor, and document you, so they push the requirements down through contracts, security questionnaires, and proof-of-remediation requests, often before a deal closes. A per-finding auditor pack answers those requests instead of stalling the deal.

Is there a DORA compliance certification?

No formal DORA certification exists. Compliance is demonstrated through an ICT risk-management framework, resilience-testing evidence, and documentation that a competent authority such as BaFin or the Central Bank of Ireland can request. So the question is not whether you are certified, it is whether you can produce the evidence on demand. That is what Vornin keeps current.

Get the tamper-evident audit trail and tenant-wide auditor pack on Business and up. Attestation tracking starts on Team. Compare tiers →

Scan. Resolve. Prove.

Start your DORA evidence trail today.

Prove your DORA compliance. Vornin maps every finding to the ICT-risk and resilience-testing control it touches and exports tamper-evident audit evidence. Every scan from day one becomes part of the trail.

Read-only access · Working scan data deleted after each scan · EU-hosted