
Koji Compliance

DORA (EU financial services)

Koji's posture on the EU Digital Operational Resilience Act for financial-services customers. The DORA ICT third-party risk obligations cascade to Koji as a vendor; this page describes what we provide.

Last updated: May 2026
Applies to: EU financial entities in scope of DORA

Short answer: Koji sits below the thresholds for classification as a critical ICT third-party service provider under DORA. For financial-entity customers, Koji's standard DPA combined with a DORA-specific contract addendum addresses the supply-chain obligations that Article 28 cascades from in-scope financial entities to their ICT service providers. The addendum is prepared as part of enterprise contracting for financial-services customers.

What DORA is

DORA (Regulation (EU) 2022/2554) is the EU's Digital Operational Resilience Act for the financial sector. It became applicable on 17 January 2025. DORA imposes a unified framework on financial entities (banks, investment firms, insurers, crypto-asset service providers, and many more) covering ICT risk management, ICT incident reporting, digital operational resilience testing, third-party risk management, and information sharing.

The third-party risk-management chapter is what reaches into the vendor relationship. Financial entities must manage ICT risk arising from third-party ICT service providers via contractual arrangements that meet Article 30's mandatory clauses.

Koji's classification under DORA

DORA distinguishes ICT third-party service providers from "critical" ICT third-party service providers, with the critical designation triggering direct oversight by the European Supervisory Authorities (the ESAs). Koji's customer base, revenue, and service profile place us outside the critical category. Koji is an ordinary ICT third-party service provider to in-scope financial entities.

That status matters for two reasons: (1) Koji is not subject to the ESAs' direct oversight regime, and (2) the contractual obligations between Koji and the customer financial entity are governed by Article 28 (general TPP risk-management requirements), not Article 30 (the critical-TPP-specific oversight regime).

Article 28 contract requirements Koji addresses

Article 28 DORA cascades a defined set of contract clauses to every ICT third-party service provider supporting an in-scope financial entity. Koji addresses these through a DORA addendum prepared alongside the standard DPA for financial-services customers. The substantive elements:

  • Description of services: The platform features, regions, and data categories used by the financial entity, written into the contract.
  • Locations of service delivery: Service regions documented explicitly. Customer chooses EU or US residency.
  • Data location and processing: Storage and processing regions documented. Sub-processors and their regions documented in the sub-processor register.
  • Service-level agreements: Availability, performance, and recovery objectives written in. RTO 4 hours, RPO 1 hour by default; tighter SLAs available per contract.
  • Termination rights: Customer right to terminate on Koji's material breach, on regulatory requirement, or on findings from supervisor-led inspection.
  • Exit strategy and data portability: Mechanisms to migrate or terminate without operational disruption. Structured export (CSV, JSON) supported in-product; supplemental exit assistance available under the enterprise contract.
  • Cooperation with financial regulators: Koji commits to cooperate with the customer's competent authority and resolution authority on request.
  • Audit and inspection rights: Customer or customer-appointed third-party auditor can audit Koji's DORA-relevant controls on reasonable notice, in addition to the audit rights in the standard DPA.
  • Sub-contracting controls: Sub-processors notified thirty days in advance; objection rights apply.
  • ICT incident reporting: Koji notifies the customer of ICT-related incidents affecting their service without undue delay and within seventy-two hours, on a timeline compatible with the customer's own DORA-mandated incident-reporting window to their competent authority.

DORA threat-led penetration testing (TLPT)

Some financial entities are required under DORA to conduct threat-led penetration testing (TLPT) of their critical services. Where Koji forms part of an in-scope critical service, Koji cooperates with TLPT activities conducted by the customer's appointed testing provider, on agreed scope and timing.

DORA threat intelligence sharing

DORA encourages financial entities to participate in cyber threat intelligence sharing arrangements. Where the customer opts in, Koji shares relevant indicators of compromise and threat intelligence affecting our shared service surface.

Documents Koji provides to DORA-regulated customers

  • DORA-specific contract addendum to the standard DPA
  • Mapping of Koji controls to Article 28 contract clauses
  • Documented exit strategy and data-portability plan
  • Sub-processor register at /compliance/sub-processors with thirty-day change notification
  • Pre-filled CAIQ Lite / SIG Lite questionnaire responses covering most DORA Article 28 questions
  • On-request: documented support for the customer's annual digital operational resilience reporting to the competent authority

How to engage

If your financial entity is in DORA scope and you are evaluating Koji, email [email protected] with the subject "DORA request". We respond within one business day with the proposed DORA addendum and supporting documentation scoped to your engagement.

Questions about this document? Contact compliance.