See what you actually expose.
Continuous discovery maps your subdomains, services, and certificates into a live asset register, the inventory DORA expects you to keep current.
DORA Art. 8The Digital Operational Resilience Act (DORA) expects a documented vulnerability management programme, regular resilience testing, and proof of remediation. Vornin scans, auto-maps each finding against DORA, and creates a tamper-evident record chain, for financial entities and their ICT suppliers alike.
Read-only access · Working scan data deleted after each scan · EU-hosted
DORA calls it ICT risk management; your team calls it staying secure and proving it on demand. The controls are the doable part. The hard part is an audit trail that still holds up when an assessor asks whether the records were edited after the fact.
Vornin fits some teams better than others. Financial entities and their ICT suppliers in DORA scope are the core fit.
A fit if you are
Not the right fit yet if
Four pillars cover the DORA work: asset inventory, resilience testing, control mapping, and tamper-evident proof. Each is tied to the article it answers.
Continuous discovery maps your subdomains, services, and certificates into a live asset register, the inventory DORA expects you to keep current.
DORA Art. 8Fifteen scanner engines run web, infrastructure, code, and cloud checks on repeat, deduplicated and SLA-tracked, with scan-to-scan comparison.
DORA Art. 24-25Each result is tied to the DORA control it answers, alongside eight other frameworks, from a single scan and one source of truth.
DORA Art. 5-16Every status change is hashed into a per-tenant chain an assessor can re-verify, so the evidence answers the question before it is asked.
DORA Art. 5A supervisor's request and a customer's vendor review run the same pipeline and land as the same audit-ready evidence. Two audiences, one source of truth.
Read from the law outward: the DORA article first, then the control Vornin runs, then the artefact an assessor receives. Article 25 even names vulnerability assessments and scans directly, so the scanning is in the text, not our interpretation.
| DORA requirement | What Vornin runs | Evidence it produces |
|---|---|---|
| Art. 8Identification of ICT risk | See everything you expose. Continuous attack surface discovery: subdomains, exposed services, certificates, and detected technologies. | Asset register with status history, feeding the ICT risk register. |
| Art. 24–25Digital operational resilience testing | Test on a schedule, not once a year. 15 scanner engines across web, infrastructure, code, and cloud, deduplicated and SLA-tracked, with scan-to-scan comparison. | Per-finding auditor pack ZIP plus comparison reports proving testing recurs, not ad hoc. |
| Art. 9Protection and cryptography | Catch weak encryption before an assessor does. SSL/TLS scanning for weak ciphers, deprecated protocols, expiring certificates, and missing HSTS. | Encryption findings with severity and remediation deadlines. |
| Art. 28ICT third-party risk | Prove your own supply chain is clean. Dependency scanning with reachability filtering, plus a CycloneDX software bill of materials. | SBOM.cdx.json export and SCA findings mapped to the control. |
| Art. 5–6Framework effectiveness | Show the programme works, not just that it exists. Live per-framework compliance score, a 90-day trend, and a coverage-gap report naming untested controls. | Score export plus the gap report for the management-body review. |
| Art. 5Audit-ready evidence | Hand over proof, not promises. Every status change is hashed into a per-tenant chain a supervisor can re-verify. | Per-tenant audit chain and per-finding ZIP with chain verification baked in. |
The governance, incident-reporting, and third-party contractual controls are organisational, not scanner-testable. Vornin tracks those through the manual attestation workflow with sign-off history and keeps them out of the auto-tested score, so what you put in front of an assessor is verifiable. Read the full DORA compliance guide →
DORA evidence has to survive scrutiny, from a supervisor, an internal ICT audit, or a customer checking its suppliers. Every artefact below comes from one source of truth, hosted in the EU.
Every status change, from the UI, the API, or a background job, is hashed into a per-tenant SHA-256 chain. Alter one event and every event after it breaks. Verification runs on demand and ships inside the pack.
A finding-CVE-evidence.zip carries the scan output, the full status history, the remediation log, the compliance mappings, and the chain-verification result. That is the artefact an assessor opens.
A tenant-wide auditor PDF renders every chain into a single programme summary for an external assessor or a customer's vendor review. Business and above.
A compliance-mappings.json export ties each finding to the DORA article it touches, alongside the eight other frameworks Vornin maps from the same finding.
Date-stamped scan history answers Article 25's recurring-testing requirement without reconstructing anything. The record already exists by the time an assessor asks for it.
Get the tamper-evident audit trail and tenant-wide auditor pack on Business and up. Attestation tracking starts on Team. Compare tiers →
The questions that decide whether a tool counts when a financial entity or its ICT supplier scopes DORA.
DORA applies directly to roughly 20 categories of EU financial entity: banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers, and more. It also reaches ICT third-party providers through Article 28: if you sell software or cloud services to a regulated financial entity, its DORA obligations flow down to you by contract. So this page speaks to two audiences, the financial entity answering a supervisor and the supplier answering a financial-entity customer.
DORA is sector-specific to financial services and overrides NIS2 where the two overlap for in-scope financial entities, under the lex specialis principle. NIS2 is broader and covers 18 sectors. The vulnerability management controls are similar, so one scanning and evidence programme can serve both. Vornin maps findings to DORA and NIS2 from the same source of truth.
Threat-led penetration testing under Article 26 is the advanced tier, carried out at least every three years and only by entities that competent authorities designate as significant. Vulnerability assessments and scans under Article 25 are the baseline every in-scope entity needs, and the prerequisite for the advanced testing. Vornin runs that Article 25 baseline on a schedule and keeps the documented evidence that it happened.
Timestamped, reproducible documentation of what was scanned, what was found, what was remediated, and when. Screenshots and spreadsheets fail the assessor's real question, were these edited after the fact. Vornin produces this as a per-finding auditor pack with a tamper-evident chain verification result baked in, so the record proves it was never rewritten.
Yes, if you supply ICT services to in-scope financial entities and are classified as an ICT third-party provider under Article 28. Your financial-entity customers must manage, monitor, and document you, so they push the requirements down through contracts, security questionnaires, and proof-of-remediation requests, often before a deal closes. A per-finding auditor pack answers those requests instead of stalling the deal.
No formal DORA certification exists. Compliance is demonstrated through an ICT risk-management framework, resilience-testing evidence, and documentation that a competent authority such as BaFin or the Central Bank of Ireland can request. So the question is not whether you are certified, it is whether you can produce the evidence on demand. That is what Vornin keeps current.
Get the tamper-evident audit trail and tenant-wide auditor pack on Business and up. Attestation tracking starts on Team. Compare tiers →
Prove your DORA compliance. Vornin maps every finding to the ICT-risk and resilience-testing control it touches and exports tamper-evident audit evidence. Every scan from day one becomes part of the trail.
Read-only access · Working scan data deleted after each scan · EU-hosted