Research DORA with trusted AI

Cite RTS and ITS to the article. ICT risk, incident reporting, and third-party oversight in one search. In force across EU financial services since January 2025.

ICT risk management Major-incident reporting Third-party oversight
Preparing for TLPT or critical-ICT-provider review?

Built for DORA compliance. Ready when the clock starts.

4 hours to file an initial major-incident notification (Article 19)
4 pillars risk, incidents, testing, 3rd parties
64 articles + RTS, ITS, ESA guidelines
20+ entities banks, insurers, CASPs, more
DORA coverage
Regulation text · RTS · ITS · EBA guidelines · ESMA guidelines · EIOPA guidelines · National transposition
How it works

From your documents to a full ICT risk file

Use eulaw.ai alongside your own documentation to build audit-ready DORA evidence. Not a replacement for your resilience programme, but a research accelerator underneath it.

1

Upload

Your ICT risk register, third-party contracts, incident playbooks, or draft TLPT scope, directly into the chat. Documents persist across the whole conversation.

2

Ask

Scope obligations under Articles 5 to 16, classify ICT incidents, map third-party contractual clauses, or compare DORA against NIS2. Cross-referenced to the Act text, every RTS and ITS, and ESA guidelines.

3

Export

A citation-backed compliance report with paragraph-level gaps, obligation by obligation, ready to drop into your ICT risk file or board-level resilience briefing.

DORA Art. 19: major-incident reporting timelines

Under Article 19 of Regulation (EU) 2022/2554 (DORA), financial entities must notify competent authorities of a major ICT-related incident in three stages:

Reporting deadlines

  • Initial notification: within 4 hours of classifying the incident as major, and no later than 24 hours after becoming aware of it
  • Intermediate report: within 72 hours of the initial notification
  • Final report: no later than 1 month after the intermediate report

Classification

"Major" is determined under Article 18 and the Commission Delegated Regulation on classification criteria (transaction volumes, client impact, duration, geographical spread, data losses, economic impact, reputational impact).

Voluntary notification

Significant cyber threats may be reported voluntarily under Article 19(2).

Trusted by financial-services legal and ICT-risk teams across Europe

In-house counsel, compliance officers, and CISOs at banks, insurers, and fintechs rely on eulaw.ai for DORA work where a wrong citation is not an option.

"

The best AI for any research related to EU law and regulations. It always comes up with the best answer.

"

eulaw.ai is the only tool I trust for EU financial regulation. It has cut our compliance research time by at least 30%.

"

eulaw.ai enables us to take on clients from industries and jurisdictions we previously would have had to decline.

"

A single fabricated case citation can lead to professional sanctions. eulaw.ai eliminates this risk by anchoring every response in verified legal sources.

Not a generic AI chatbot.
A research tool built for DORA.

eulaw.ai reads the full DORA Regulation, every Regulatory and Implementing Technical Standard, EBA / ESMA / EIOPA guidelines, and national transposition. Every answer traces back to the exact article, in every EU official language, updated as new ESA guidance publishes. The research assistant in-house counsel, ICT-risk teams, and CISOs reach for when resilience obligations meet real supervisory scrutiny.

Your data never leaves the EU

We built eulaw.ai on sovereign EU infrastructure from day one. Every byte is encrypted in transit and at rest. We run large language models on EU-managed cloud infrastructure. Nothing is sent to public AI APIs, model providers do not receive or store your content, and no customer data is used for training.

Your first DORA citation in 30 seconds.

Free trial · no credit card · cancel anytime.