DORA compliance
Overview of Aira's support for the EU Digital Operational Resilience Act (Regulation 2022/2554) — incident management, ICT third-party risk, resilience testing.
The Digital Operational Resilience Act (Regulation (EU) 2022/2554, in force from 17 January 2025) harmonises ICT risk requirements for every EU financial entity — banks, insurers, investment firms, crypto service providers, payment institutions, and their critical ICT providers. Aira covers the three operational obligations that require continuous evidence:
| Article range | Topic | Aira surface |
|---|---|---|
| 17–19 | ICT-related incidents — detection, classification, reporting | DORA Incidents |
| 24–27 | Digital operational resilience testing (incl. TLPT) | POST /dora/tests |
| 28–44 | ICT third-party risk register + oversight | Third-party risk register |
The remaining DORA articles (1–16 governance, 20–23 information sharing, 45–64 oversight) are organisational requirements that Aira does not attempt to automate — they require policies, committees, and executive decisions that sit outside the API.
Major-incident report signing
Articles 18–19 require a submission to the European Supervisory Authority (ESA) for every major incident. Aira renders the report as a PDF and signs it with the same Ed25519 infrastructure used for EU AI Act reports and action receipts — a regulator can verify the signature offline against the public JWKS.
POST /dora/incidents → open the incident
PUT /dora/incidents/{uuid}/classify → promotes to "major" when
severity is critical/high
GET /dora/incidents/{uuid}/report → signed PDF (generated on first
GET, cached thereafter)SDK shape
from aira import Aira
client = Aira(api_key="aira_live_...")
incident = client.create_dora_incident(
title="Payments API outage",
description="Primary region DB failover failed; 45-minute outage.",
detected_at="2026-04-15T10:00:00Z",
clients_affected_count=1500,
affected_services=["payments-api"],
)
classified = client.classify_dora_incident(
incident.uuid,
severity="critical",
category="system_failure",
)
# Article 19 submission-ready PDF
pdf = client.download_dora_incident_report(incident.uuid)
open(f"dora-{incident.uuid}.pdf", "wb").write(pdf)import { Aira } from "aira-sdk";
const aira = new Aira({ apiKey: "aira_live_..." });
const incident = await aira.createDoraIncident({
title: "Payments API outage",
description: "Primary region DB failover failed; 45-minute outage.",
detectedAt: "2026-04-15T10:00:00Z",
clientsAffectedCount: 1500,
affectedServices: ["payments-api"],
});
await aira.classifyDoraIncident(incident.uuid, {
severity: "critical",
category: "system_failure",
});
const pdf = await aira.downloadDoraIncidentReport(incident.uuid);Feature flag
All DORA endpoints live behind ENABLE_DORA on the backend. When the
flag is off (ENABLE_DORA=false), every /dora/* route returns
404 Not Found so there is no wire-contract drift between managed and
self-hosted deployments that haven't opted in.
Audit trail
Every state transition on an incident, third party, or test goes through
the same audit_service.audit() pipeline as policy decisions — you can
reconstruct who classified which incident when from the audit log.
Further reading
Article 6 explanation envelope
Independently verify a saved Article 6 explanation JSON — offline against the JWKS, or via the public verify endpoint.
DORA incident reporting (Articles 17-19)
How Aira models the DORA incident lifecycle — detection, classification, resolution, and Article 19 ESA-submission PDFs signed with Ed25519.