DORA Enforcement: 17 January 2025

4 DORA documents generated from your codebase

FCA, BaFin, and AMF want your ICT Risk Framework, Incident Reporting Protocol, TLPT Plan, and Third-Party Risk Register. Stop building them manually.

€499/mo monitoring add-on available · Not legal advice · Review with qualified counsel before regulatory submission

17 Jan 2025: DORA full enforcement date across EU member states

FCA · BaFin · AMF: national competent authorities supervising in-scope FinTechs

4h reporting window: Art 19 major incident initial notification to competent authority

What's in the DORA Pack

4 named documents. Evidence sourced from your GitHub repo scan, never fabricated.

1. ICT Risk Management Framework (Art 5-15)

Board accountability statement (Art 5(2)), ICT asset inventory from scanned repos (Art 8), and risk controls bucketed by severity — HIGH/MEDIUM/LOW — with evidence and remediation actions per finding.

2. Major Incident Reporting Protocol (Art 17-23)

DORA Art 19-20 mandatory reporting timeline (4h / 72h / 1 month), incident classification table (MAJOR / SIGNIFICANT / MINOR by severity), and incident response policy excerpts. The reporting ladder is always present as static regulatory text and is never inferred from scanner output.

3. Resilience Testing & TLPT Plan (Art 24-27)

TIBER-EU aligned TLPT scope (one entry per scanned ICT system), Red Team Charter stub (Art 26(3)), critical vulnerability findings with remediation roadmap, and significant findings for the testing governance record.

4. Third-Party ICT Risk Register (Art 28-44)

Named ICT provider register per Art 28(3)(b), criticality assessment for high-severity providers, contractual arrangement excerpts, concentration risk analysis (Art 29), and a data-source note if a repo audit is required to populate vendor entries.

No fabricated content

Evidence-sourced, not hallucinated

When evidence is missing — for example, no third-party vendor findings in your scan — the document renders an amber callout: “Evidence not available — questionnaire required.” We never invent ICT controls or risk indicators to fill a page. The DORA Art 19-20 reporting timeline is always present as static regulatory text — not inferred from scanner severity levels.

Cover + 4 DORA documents + Appendix A/B/C · Average 8-12 pages

Common objections

We already have a DORA consultant engaged.

Use the pack to cut their scoping time. Hand them a pre-populated evidence binder instead of a blank questionnaire. Most engagements charge by the hour.

Our CTO says we're not in scope.

If you hold an EMI licence, payment institution authorisation, or investment firm licence in the EU or UK, you are in scope. DORA Art 2 defines scope by licence type, not by company size or tech maturity.

€4,990 is expensive for a document generator.

A DORA readiness assessment from a Big 4 firm costs €30,000–€80,000. The pack is not a replacement — it is the evidence layer you bring to that engagement so you are not paying €350/hour to answer basic scanner questions.

We need the TLPT to be TIBER-EU certified.

The pack generates the TLPT Plan and Red Team Charter stub (Art 26(3)). The actual TLPT exercise must be conducted by an accredited provider. The pack tells you what to give them on day one.

Frequently asked questions

When did DORA enforcement start?

DORA (Regulation EU 2022/2554) entered full enforcement on 17 January 2025 across all EU member states. UK equivalents under the FCA's operational resilience framework have been in force since March 2022, with full compliance required from March 2025.

Which regulators enforce DORA for FinTechs?

In the EU: EBA (banking), ESMA (investment firms), EIOPA (insurance), and national competent authorities — including BaFin (Germany), AMF (France), DNB (Netherlands), and CSSF (Luxembourg). In the UK: FCA under operational resilience rules (PS21/3). Most Series A-B FinTechs are in scope if they hold an EMI licence, payment institution authorisation, or investment firm licence.

What are the four DORA documents in this pack?

1. ICT Risk Management Framework (Art 5-15): board accountability, asset inventory, risk controls by severity.
2. Major Incident Reporting Protocol (Art 17-23): classification criteria, the 4h/72h/1-month reporting ladder, competent authority notification procedures.
3. Resilience Testing & TLPT Plan (Art 24-27): TIBER-EU aligned scope, Red Team Charter stub, vulnerability findings.
4. Third-Party ICT Risk Register (Art 28-44): named provider register per Art 28(3)(b), criticality assessment, contractual arrangement excerpts, concentration risk analysis.

How long does it take to generate the DORA pack?

Scan and pack generation takes under 10 minutes. Paste your GitHub repo URL, run the AI scan, then download the 4-document PDF. You then complete the compliance questionnaire to fill any amber "Evidence not available" sections, which typically takes another 30-60 minutes.

Is the €4,990 pack a replacement for a DORA consultant?

No — and we say so explicitly in the document. The pack generates auditor-ready evidence from your codebase so you spend less time on questionnaire prep. Most FinTechs use it to cut the scoping phase of a DORA engagement from weeks to days.

Your regulator isn't waiting

DORA enforcement started January 2025. The pack takes under 10 minutes to generate. €4,990 one-time · €499/mo for continuous ICT monitoring and regulatory change alerts.

This document is an automated compliance analysis. It does not constitute legal advice. Review with qualified DORA counsel before regulatory submission.