DORA Compliance Credentials
Three tiers of DORA-aligned ICT vendor evidence — independently verifiable through the ECZ-ID Resolver. Choose the tier that matches your supervised-entity footprint, then move into the guided flow. Acquisition is handled in TrustOps. Verification is handled in Resolver. This site explains and routes.
What this is
DORA — the EU Digital Operational Resilience Act — places obligations on financial entities to evidence the operational resilience of their ICT third parties. ECZ-ID DORA credentials convert your existing ICT posture, cyber governance, supply chain evidence, and risk framework into resolver-verifiable credentials that a supervised entity, an auditor, or an oversight body can independently query — without you sending a document.
The site explains what each tier covers and routes you to TrustOps to acquire it. Resolver is where the evidence is later Resolver-checked by counterparties. The site does not issue credentials, host checkout, or perform verification.
Choose a tier
DORA Essentials
ICT vendors entering DORA scope or supplying a small number of supervised financial entities.
Baseline DORA-aligned evidence for ICT arrangement inclusion: cyber resilience, software supply chain, risk policy, and identity continuity — independently queryable in Resolver.
Fits when: You need DORA Article 30 evidence in a form a supervised entity can verify without document exchange.
What is inside
- ·Cyber Resilience Passport™
- ·Software Supply Chain Passport™
- ·Risk Policy Passport™
- ·Identity Continuity Passport™
DORA Managed
ICT vendors with a growing supervised-entity footprint who need DORA evidence kept current between audits.
Everything in Essentials, plus managed evidence refresh workflows, supervised-entity ICT register submission support, and a managed compliance review cycle.
Fits when: Your evidence is already in resolver, but stale evidence between audits is becoming the operational risk.
What is inside
- ·DORA Essentials baseline
- ·Managed evidence refresh workflows
- ·Supervised-entity register submission support
- ·Managed compliance reviews
DORA Enterprise
ICT providers operating at the scale where DORA exposure is a board, audit-committee, insurer, and capital-provider concern.
Everything in Managed, plus critical third-party oversight readiness, multi-entity ICT register operations, board and capital disclosure, and Capital Access Overlay alignment.
Fits when: You need a single resolver entry that supervised entities, regulators, insurers, and capital providers can all query for current-state DORA posture.
What is inside
- ·DORA Managed baseline
- ·Critical third-party oversight readiness
- ·Multi-entity ICT register operations
- ·Board and capital disclosure pack
- ·Capital Access Overlay alignment
How the flow works
- 1Explain. This page sets out what each DORA tier covers and who it fits.
- 2Guided flow. Each tier has a short qualification and breakdown flow on this site.
- 3TrustOps midpoint. Halfway through the flow you are routed into TrustOps to acquire the tier.
- 4Return. When TrustOps completes acquisition it returns you to this site with continuation state, and the flow resumes from the post-acquisition step.
- 5Verification. Counterparties verify your DORA posture independently at resolver.ecocitizenz.org. Verification is not performed on this site.
What this site does not claim
- · This site does not issue regulator certifications.
- · This site does not perform supervisory assessment.
- · This site does not host checkout or take payment for credentials.
- · This site does not verify credentials — Resolver does that, independently.
- · DORA tiers describe ECZ-ID credential coverage, not regulator endorsement.
Formal governance and specifications are published at ecocitizenz.org. DORA itself is EU regulation; ECZ-ID provides resolver-verifiable evidence, not regulatory authority.
Looking at SBOM as well?
If your software supply chain is also under regulated or enterprise scrutiny, the DORA + SBOM Enterprise Suite combines DORA Enterprise and SBOM Enterprise into a single resolver-backed programme.