# DORA mapping

EU Regulation 2022/2554 — **Digital Operational Resilience Act**. Applies to financial entities and their critical ICT third-party providers. Edge is deployed *by* the financial entity, so the mapping below answers "which DORA articles does an Edge deployment help the entity satisfy."

## Coverage matrix

| Article          | Topic                                | How Edge contributes                                                                        | Where                                                                                                        |
| ---------------- | ------------------------------------ | ------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ |
| **Art 6**        | ICT risk-management framework        | Edge is a documented, versioned, signed component of the framework                          | [Architecture overview](/architecture/overview.md), [Stack](/architecture/stack.md)                          |
| **Art 8(2)(b)**  | Protection of ICT systems            | Separation of secrets from source; pre-commit + CI gates                                    | [Security boundaries](/architecture/security.md), [Gate 01](/banking-readiness/gate-01-secret-management.md) |
| **Art 9**        | Protection and prevention            | RBAC, workspace isolation, CODEOWNERS                                                       | [Gate 06](/banking-readiness/gate-06-access-control.md)                                                      |
| **Art 10**       | Detection                            | Structured logs, health probes, optional Langfuse trace export                              | [Monitoring](/operations/monitoring.md), [Gate 05](/banking-readiness/gate-05-observability.md)              |
| **Art 11(2)(b)** | Operational resilience testing       | Reproducible provisioning from artifacts; SBOM + provenance                                 | [Container security](/banking-readiness/gate-04-container-security.md), [On-prem](/deployment/on-prem.md)    |
| **Art 11(2)(c)** | Backup and restoration testing       | Quarterly restore drill from off-site bucket                                                | [Backup & recovery](/operations/backup-recovery.md)                                                          |
| **Art 13**       | Detection mechanisms                 | Anomaly detection on eval scores; alert thresholds                                          | [Monitoring](/operations/monitoring.md)                                                                      |
| **Art 17**       | ICT-related incident management      | Severity ladder, runbook, post-mortem template                                              | [Incident response](/operations/incident-response.md)                                                        |
| **Art 19**       | Major ICT-related incident reporting | Pre-staged contact list; communication cadence                                              | [Incident response](/operations/incident-response.md)                                                        |
| **Art 28**       | ICT third-party risk                 | Edge as an ICT third-party: published contract (this site), exit plan, signed images, SBOMs | This whole site                                                                                              |

## What Edge does **not** cover

| Article                                       | Why not                                                                              |
| --------------------------------------------- | ------------------------------------------------------------------------------------ |
| **Art 24-25** (TLPT — Threat-Led Pen Testing) | Out of scope for a component; the financial entity arranges TLPT at the system level |
| **Art 26-27** (Sub-contracting chains)        | Edge has no sub-contractors; the financial entity's vendor diligence applies         |
| **Art 30** (Contractual provisions)           | Negotiated bilaterally; this site can serve as the technical schedule                |

## DORA Art 19 reporting wiring (planned — Gate 13)

Today the operator wires their incident-reporting pipeline manually. Gate 13 (Phase 2) adds a structured incident-report exporter:

```mermaid
flowchart LR
    PB[(admin_actions<br/>+ postmortems/)] -->|export| Exporter[DORA Art 19<br/>report builder]
    Exporter -->|XBRL / structured| Authority[ESAs JIT-CIRCL]
```

Target: Q4 2026.

## Exit plan (Art 28(2)(c))

| Trigger                   | Action                                                                      | Time |
| ------------------------- | --------------------------------------------------------------------------- | ---- |
| Bilateral termination     | Operator switches CI off; image pull from GHCR ceases                       | 0 d  |
| Vendor unable to continue | Source available on GitHub under MIT; bank forks                            | 7 d  |
| Data extraction           | All tenant data lives in `pb_data` SQLite — `sqlite3 .dump` to portable SQL | 1 d  |
| Cryptographic deletion    | Bank discards encryption key on Vault; data is unrecoverable                | 1 d  |

The exit plan is intentionally simple: Edge is a single-container deployment with a single data file. There is no lock-in.
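For the data-extraction row, an exit is only demonstrable if the dump can be replayed. The following is an added example, not Edge's own tooling: it uses Python's `sqlite3` `iterdump()` (the library counterpart of the CLI `.dump`), replays the SQL into a scratch database, compares per-table row counts, and returns a SHA-256 of the dump for the hand-over record. The sample database is constructed, and the `tenants` table and its columns are hypothetical.

```python
import hashlib
import sqlite3


def table_counts(conn):
    """Return {table_name: row_count} for every user table."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    counts = {}
    for name in names:
        quoted = '"' + name.replace('"', '""') + '"'
        counts[name] = conn.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
    return counts


def export_and_verify(src):
    """Dump src to portable SQL, replay it into a scratch database and
    compare row counts. Returns (sql_text, sha256_hex, counts)."""
    if src.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
        raise RuntimeError("source database failed integrity_check")
    sql_text = "\n".join(src.iterdump()) + "\n"
    scratch = sqlite3.connect(":memory:")
    try:
        scratch.executescript(sql_text)  # replay the dump as a restore would
        before, after = table_counts(src), table_counts(scratch)
    finally:
        scratch.close()
    if before != after:
        raise RuntimeError(f"restore mismatch: {before} != {after}")
    digest = hashlib.sha256(sql_text.encode("utf-8")).hexdigest()
    return sql_text, digest, before


def build_sample_db():
    """Constructed sample data; the schema is hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tenants (id TEXT PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE admin_actions (id INTEGER PRIMARY KEY, tenant TEXT, action TEXT);
        INSERT INTO tenants VALUES ('t1', 'Example Bank');
        INSERT INTO admin_actions (tenant, action)
            VALUES ('t1', 'login'), ('t1', 'export');
    """)
    return conn


if __name__ == "__main__":
    sql, digest, counts = export_and_verify(build_sample_db())
    print(counts, digest)
```

Row counts catch a truncated or partially replayed dump; they do not prove byte-level equality of the data, so keep the digest alongside the dump file as the reference for later comparison.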

