DORA and email resilience for financial services.
The Digital Operational Resilience Act has been in force since 17 January 2025. For your email layer that means: protective measures, reporting, third-party risk management — documented in an auditable way.
DORA · ICT risk register (dashboard sample)
TLS enforcement documented
| Field | Value |
|---|---|
| Mode | enforce |
| Cert expires | Aug 9, 2026 (82 days) |
| Self-check | ✓ today 13:14 |
| Audit log | Export available |
`_mta-sts.demo-kunde.at TXT "v=STSv1; id=20260318094215Z"`
Context
DORA and the email channel
The Digital Operational Resilience Act (DORA) is an EU regulation (2022/2554) binding on financial services firms since 17 January 2025. Unlike NIS2, DORA is directly applicable — no national transposition required. Breaches can attract fines of up to EUR 10M.[1]
DORA is sector-specific and addresses operational resilience against ICT failures and cyber attacks. Email plays a central role here, since it is critical to many financial processes — customer communications, internal approvals, supervisory reporting. Three articles are particularly relevant for the email layer:
- Art. 6 & 9 (encryption): Mandatory policies for the encryption of data at rest and in transit. In the email context this means a two-track approach: MTA-STS/DANE for transport and S/MIME as end-to-end encryption for sensitive financial data.[1]
- Art. 15 (detection of anomalous activities): Mechanisms for detecting unauthorised access. DMARC aggregate reports (RUA) are the primary instrument for detecting domain spoofing attempts.
- Art. 19 (reporting obligation): Serious cyber incidents must, in some cases, be reported to the supervisor within 4 hours. Preventive email authentication stops exactly the incidents that would start this clock.[1]
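The Art. 15 point above rests on DMARC aggregate (RUA) reports: receivers send a daily XML summary of which sources sent mail claiming your domain and whether those messages passed SPF/DKIM alignment. The script below is an added example, not Mailantis code, showing the triage a detection team performs on such a report: it parses the published policy and each `<record>`, counts aligned versus unauthenticated mail, lists the unauthenticated source IPs, and flags failures that a receiver did not reject (for example, through a local policy override) because those are the cases the Art. 17 classification and Art. 19 clock may apply to. The report XML is constructed for the example and uses the `demo-kunde.at` domain from the dashboard sample.

```python
"""Triage a DMARC aggregate (RUA) report and flag unauthenticated sources.

Added example (not Mailantis code). The report below is a constructed,
simplified instance of the RFC 7489 aggregate-report schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample report: one legitimate sender, one rejected spoofing
# source, one SPF-fail-but-DKIM-pass forwarder, and one failure the
# receiver let through under a local policy override.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>demo-kunde.at</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>demo-kunde.at</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>demo-kunde.at</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.4</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>demo-kunde.at</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
        <reason><type>local_policy</type></reason>
      </policy_evaluated>
    </row>
    <identifiers><header_from>demo-kunde.at</header_from></identifiers>
  </record>
</feedback>
"""


def parse_rua(xml_text):
    """Return (published_policy, records) from an aggregate report."""
    root = ET.fromstring(xml_text)
    policy = root.find("policy_published")
    published = {
        "domain": policy.findtext("domain"),
        "p": policy.findtext("p"),
        "pct": int(policy.findtext("pct") or 100),
    }
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return published, records


def triage(records):
    """Split traffic into DMARC-aligned and unauthenticated mail.

    A message passes DMARC when either the aligned DKIM or the aligned SPF
    result is 'pass'; a source failing both is a spoofing candidate.
    """
    summary = {"aligned": 0, "unauthenticated": 0, "suspect_sources": []}
    for r in records:
        if r["dkim"] == "pass" or r["spf"] == "pass":
            summary["aligned"] += r["count"]
        else:
            summary["unauthenticated"] += r["count"]
            summary["suspect_sources"].append(
                (r["source_ip"], r["count"], r["disposition"]))
    # Failures the receiver did not reject deserve an incident ticket:
    # the published policy said 'reject', yet the mail was delivered.
    summary["unrejected_failures"] = sum(
        count for _, count, disposition in summary["suspect_sources"]
        if disposition != "reject")
    return summary


if __name__ == "__main__":
    published, records = parse_rua(SAMPLE_RUA)
    print(f"policy for {published['domain']}: p={published['p']}")
    print(triage(records))
```

In production the reports arrive gzip- or zip-compressed as email attachments to the `rua=` address in the DMARC record; the parsing above starts after decompression. The `unrejected_failures` figure is the one to route into the internal reporting path, since it represents spoofed mail that reached a mailbox despite the published policy.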
Mailantis is not a complete DORA package — we specifically address email authentication and resilience as one building block within your ICT risk management framework. The overview below shows which DORA articles Mailantis supports and where additional measures are required.
Mapping table
DORA article ↔ Mailantis contribution
| Article | Requirement (short form) | Mailantis contribution | Status |
|---|---|---|---|
| Art. 8 | ICT risk management framework | Risk score per domain, continuous assessment | supported |
| Art. 9 | Protective measures for ICT systems | SPF/DKIM/DMARC/MTA-STS actively monitored and enforced | met |
| Art. 10 | Incident detection | Anomaly detection, spoofing detection, alerting | met |
| Art. 11 | Response and recovery | Alert engine with PagerDuty/Slack, escalation tiers | met |
| Art. 12 | Learning and evolution | Trend reports, audit log for post-mortems | met |
| Art. 17 | Incident classification and reporting | Severity levels in alerts, triggers for internal reporting paths | supported |
| Art. 25-27 | Resilience testing, penetration testing | SelfCheck as a continuous testing tool | partial |
| Art. 28-30 | Third-party ICT risk management | DPA downloadable, EU hosting, SOC report on request | met |
Note: DORA requires a complete ICT risk management framework that goes well beyond the email layer (backup, BCM, penetration testing, outsourcing contracts and much more). Mailantis is one building block, not a complete package. For third-party assessments (Art. 28), the DPA and processing list are available on request.
FAQ
Common DORA questions
What does DORA regulate?
The Digital Operational Resilience Act (EU 2022/2554) requires financial firms — banks, insurers, investment firms, crypto-asset service providers — to maintain operational resilience against IT outages and cyber attacks. In force since 17 January 2025.
Who is subject to DORA?
Banks, insurers, pension funds, investment firms, payment service providers, crypto-asset service providers, and their critical IT service providers (TPPs — third-party providers). Some relief for micro and small enterprises.
Where does DORA hit the email layer?
Art. 8 (ICT risk management), Art. 9 (protective measures), Art. 11 (continuity), Art. 17 (incident classification) and Art. 28-30 (third-party risk). Email is explicitly a critical communication channel.
Is Mailantis a "critical third-party provider" under DORA?
Mailantis itself does not automatically qualify as "critical" under the ESA designation. As a financial services firm, however, you would likely treat us as an "ICT third-party provider" to be included in your vendor risk management. DPA and SOC reports are available on request.
How do audit reports help?
Mailantis delivers PDF reports with DMARC/SPF/DKIM/MTA-STS status, policy history and configuration snapshots. These reports are suitable as evidence for internal audits and supervisory audits (FMA, BaFin).
Sources
[1] Synthesis of: BaFin — DORA overview; EIOPA — Digital Operational Resilience Act; DLA Piper — "Seconds matter: Understanding DORA's real-time response requirements" (2025); European Commission — RTS on ICT Risk Management Framework. As of May 2026.
DORA-compliant email resilience.
DPA downloadable, EU hosting, reports ready for your next supervisory audit.