BIPI

DORA in Practice: What EU Financial Entities and Their ICT Suppliers Owe

Compliance

The Digital Operational Resilience Act has applied since 17 January 2025. Its ICT risk management framework, major-incident reporting clocks, register of information on ICT third-party arrangements, and threat-led penetration testing reshape the obligations of both financial entities and their critical suppliers.

By Arjun Raghavan, Security & Systems Lead, BIPI · June 28, 2024 · 8 min read

#dora #eu #financial #compliance

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) applied from 17 January 2025, two years after it entered into force. By the time supervision started, the European Supervisory Authorities had published over a dozen regulatory and implementing technical standards and guidelines fleshing out the Level 1 text. We have helped two banks, an insurance group, and three SaaS providers in the financial services supply chain prepare for DORA. The reality on the ground is messier than the regulation reads.

Who is in scope

DORA covers EU financial entities as enumerated in Article 2(1): credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds, management companies, data reporting service providers, insurance and reinsurance undertakings, insurance, reinsurance and ancillary insurance intermediaries, institutions for occupational retirement provision, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, and securitisation repositories. The list is exhaustive on purpose.

But DORA also reaches the ICT third-party service providers that serve those entities. If you are a SaaS company providing services to an EU bank, you are inside the regime indirectly: the bank must flow the Article 30 contractual requirements down to you. If the ESAs designate you a critical ICT third-party service provider (CTPP) under Article 31, you are inside directly, under the oversight regime, with a Lead Overseer that can inspect you and issue recommendations.

ICT risk management framework

Article 6 requires financial entities to have a sound, comprehensive, and well-documented ICT risk management framework. The regulatory technical standard published in 2024 specifies what this looks like, following the structure of Articles 8 to 14 of the regulation: identification and classification of ICT-supported business functions and assets, protection and prevention controls, detection mechanisms, response and recovery (including backup and restoration), learning and evolving, and communication.

For a mid-sized insurance group we work with, this required consolidating four separate frameworks (ISO 27001, NIST CSF, internal risk taxonomy, and a legacy operational resilience framework) into a single DORA-aligned model. The work took 11 months. Most of it was reconciling different vocabularies for the same concepts and getting the board to approve the consolidated framework.

Incident reporting: the new clocks

DORA introduces a tiered reporting regime for major ICT-related incidents. Under the technical standards on incident reporting, the initial notification goes to the competent authority within 4 hours of classifying the incident as major, and in any case no later than 24 hours after the entity became aware of it; the intermediate report follows within 72 hours of the initial notification; the final report is due one month after the intermediate report. The classification criteria are quantitative: clients, financial counterparts and transactions affected, reputational impact, duration and service downtime, geographical spread, data losses, criticality of the services affected, and economic impact.

The 4-hour clock is the operational change. For an institution that previously had a 24 or 72 hour internal reporting target, this collapses the analysis window dramatically. Note that the clock starts at classification, not at detection, but the 24-hour backstop from awareness means a slow classification process only eats into the drafting window rather than buying time. We helped a payment institution rewire their incident classification automation so that the SOC's ticketing system flagged DORA-relevant incidents within 30 minutes of declaration. That gave the regulatory team 3.5 hours to draft and submit the initial notification.
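As an added illustration of that kind of automation (example code written for this article, not the payment institution's tooling), here is a small Python triage helper that turns the quantitative criteria into a major/non-major decision and computes the three reporting deadlines, including the 24-hour awareness backstop on the initial notification and a calendar-month rollover that clamps 31 January to the end of February. The threshold values, the field names and the rule shape (critical service affected, plus either malicious access or two further criteria above threshold) are assumptions for illustration; take the real values from the RTS on incident classification.

```python
"""DORA major-incident triage helper: classification flags plus reporting clocks.
Thresholds and rule shape are ILLUSTRATIVE assumptions for this example; take
the real values from the RTS on incident classification, not from here."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import calendar

# Assumed materiality thresholds (not authoritative).
CLIENTS_ABS = 100_000        # absolute number of clients affected
CLIENTS_SHARE = 0.10         # share of the client base affected
DOWNTIME_HOURS = 2.0         # downtime of a critical service
ECONOMIC_EUR = 100_000.0     # direct and indirect cost of the incident


@dataclass
class IncidentFacts:
    critical_service_affected: bool
    malicious_unauthorised_access: bool
    clients_affected: int
    total_clients: int
    downtime_hours: float
    member_states_affected: int
    data_loss: bool
    economic_impact_eur: float


def utc(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset, e.g. '2025-03-01T08:00:00+00:00'."""
    return datetime.fromisoformat(iso)


def materiality_flags(f: IncidentFacts) -> dict:
    """One boolean per (assumed) threshold, so the SOC sees why an incident is major."""
    share = f.clients_affected / f.total_clients if f.total_clients else 0.0
    return {
        "clients": f.clients_affected >= CLIENTS_ABS or share >= CLIENTS_SHARE,
        "duration": f.downtime_hours >= DOWNTIME_HOURS,
        "geography": f.member_states_affected >= 2,
        "data_loss": f.data_loss,
        "economic": f.economic_impact_eur >= ECONOMIC_EUR,
    }


def is_major(f: IncidentFacts) -> bool:
    """Assumed rule shape: a critical service must be affected, and then either
    the access was malicious or at least two other thresholds are met."""
    if not f.critical_service_affected:
        return False
    if f.malicious_unauthorised_access:
        return True
    return sum(materiality_flags(f).values()) >= 2


def add_one_month(ts: datetime) -> datetime:
    """Calendar-month addition that clamps to month end (31 Jan -> 28/29 Feb)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def reporting_deadlines(aware_at, classified_at, initial_sent_at=None, intermediate_sent_at=None):
    """Initial: 4 h from classification, but never later than 24 h from awareness.
    Intermediate: 72 h from the initial notification (latest case if not yet sent).
    Final: one month from the intermediate report (latest case if not yet sent)."""
    initial_due = min(classified_at + timedelta(hours=4), aware_at + timedelta(hours=24))
    intermediate_due = (initial_sent_at or initial_due) + timedelta(hours=72)
    final_due = add_one_month(intermediate_sent_at or intermediate_due)
    return {"initial": initial_due, "intermediate": intermediate_due, "final": final_due}


def triage(f: IncidentFacts, aware_at: datetime, classified_at: datetime) -> dict:
    """What a ticketing hook would attach to a DORA-relevant incident."""
    result = {"major": is_major(f), "flags": materiality_flags(f)}
    if result["major"]:
        result["deadlines"] = reporting_deadlines(aware_at, classified_at)
    return result


if __name__ == "__main__":
    # Constructed sample: awareness on 1 March, classification 22 h later, so the
    # 24 h backstop (not the 4 h clock) sets the initial-notification deadline.
    facts = IncidentFacts(True, False, 120_000, 1_000_000, 3.0, 1, False, 50_000.0)
    result = triage(facts, utc("2025-03-01T08:00:00+00:00"), utc("2025-03-02T06:00:00+00:00"))
    print("major:", result["major"], "flags:", result["flags"])
    for stage, due in result.get("deadlines", {}).items():
        print(f"{stage:<12} due {due.isoformat()}")
```

The sample deliberately classifies late (22 hours after awareness) to show the backstop biting: the initial notification is due at awareness plus 24 hours, not classification plus 4 hours. The optional `initial_sent_at` and `intermediate_sent_at` arguments let the job recompute the later deadlines from actual submission times once the regulatory team has filed.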

  • 4 hours: initial DORA major-incident notification after classification (and no later than 24 hours after awareness)
  • 72 hours: intermediate DORA incident report, counted from the initial notification
  • 1 month: final DORA incident report, counted from the intermediate report
  • 20%: share of EU bank ICT third-party providers expected to be designated CTPP by 2027

Third-party register: the document the regulator wants first

Article 28(3) requires financial entities to maintain a register of information on all contractual arrangements with ICT third-party service providers. The implementing technical standard (Commission Implementing Regulation (EU) 2024/2956) specifies the templates and format. The register includes the function supported, its criticality, the location of data and services, subcontracting chains, audit rights, exit strategies, and a long list of other fields.

For an institution with 200 ICT vendors, populating this register is a six to nine month project. Most of the data exists across procurement, IT asset management, and legal contract management, but it has never been consolidated, and the three systems rarely agree on vendor names or contract identifiers. We helped one bank build a single data model that pulled from all three sources, with a quarterly reconciliation job that flagged drift between them. Their first register submission to the ECB had 8 percent fewer fields populated than required; the second submission was clean.
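An added example (written for this article, not the bank's code) of the kind of reconciliation job described above, assuming three constructed source extracts keyed by contract ID: it merges them into one record per contract, flags conflicts between sources and contracts that a source has never heard of, and reports how many required register fields are populated. The required-field list is an illustrative subset of the ITS templates, and the vendors, contract IDs and field names are made up for the example.

```python
"""Reconcile procurement, IT asset management and legal extracts into one
register-of-information model and flag drift. Example code: field names,
vendors and contract IDs below are constructed for illustration."""
from collections import defaultdict

# Fields the register must carry per contract (illustrative subset of the ITS).
REQUIRED_FIELDS = ("vendor", "function_supported", "criticality", "data_location",
                   "subcontractors", "audit_rights", "exit_strategy")

# Constructed source extracts with deliberate drift: ITAM spells the first vendor
# differently, legal has no exit plan for C-1002, and ITAM has no row for C-1003.
PROCUREMENT = [
    {"contract_id": "C-1001", "vendor": "Acme Cloud", "function_supported": "core banking hosting"},
    {"contract_id": "C-1002", "vendor": "PayRail", "function_supported": "card processing"},
    {"contract_id": "C-1003", "vendor": "DocuVault", "function_supported": "document archiving"},
]
ITAM = [
    {"contract_id": "C-1001", "vendor": "ACME Cloud Ltd", "criticality": "critical", "data_location": "DE"},
    {"contract_id": "C-1002", "vendor": "PayRail", "criticality": "critical", "data_location": "IE"},
]
LEGAL = [
    {"contract_id": "C-1001", "vendor": "Acme Cloud", "audit_rights": True, "exit_strategy": "documented", "subcontractors": ["EUHost GmbH"]},
    {"contract_id": "C-1002", "vendor": "PayRail", "audit_rights": True, "exit_strategy": None, "subcontractors": []},
    {"contract_id": "C-1003", "vendor": "DocuVault", "audit_rights": False, "exit_strategy": "documented", "subcontractors": ["ScanCo"]},
]


def norm_value(value):
    """Normalise for comparison: case/whitespace-insensitive strings, order-insensitive lists."""
    if isinstance(value, str):
        return " ".join(value.casefold().split())
    if isinstance(value, list):
        return tuple(sorted(norm_value(v) for v in value))
    return value


def build_register(sources):
    """Merge rows from each named source into one record per contract_id.
    The first source to supply a field wins; a later source that disagrees
    produces a conflict finding instead of silently overwriting."""
    register = defaultdict(dict)
    findings = []
    seen_in = defaultdict(set)
    for source_name, rows in sources.items():
        for row in rows:
            cid = row["contract_id"]
            seen_in[cid].add(source_name)
            rec = register[cid]
            for field, value in row.items():
                if field == "contract_id" or value is None:
                    continue  # None means "not populated", not a value to reconcile
                if field in rec and norm_value(rec[field]) != norm_value(value):
                    findings.append((cid, field, f"conflict: {rec[field]!r} vs {value!r} in {source_name}"))
                else:
                    rec.setdefault(field, value)
    # A contract known to procurement or legal but absent from ITAM (or vice versa) is drift too.
    for cid, present in seen_in.items():
        for missing_source in sorted(set(sources) - present):
            findings.append((cid, "_source", f"absent from {missing_source}"))
    return dict(register), findings


def completeness(register):
    """Share of required cells populated, plus the list of gaps to chase before submission."""
    gaps = [(cid, f) for cid, rec in register.items() for f in REQUIRED_FIELDS if rec.get(f) is None]
    total = len(register) * len(REQUIRED_FIELDS)
    return (total - len(gaps)) / total if total else 1.0, gaps


def run_reconciliation():
    """The quarterly job: merge, flag drift, measure completeness."""
    register, findings = build_register({"procurement": PROCUREMENT, "itam": ITAM, "legal": LEGAL})
    score, gaps = completeness(register)
    return register, findings, score, gaps


if __name__ == "__main__":
    register, findings, score, gaps = run_reconciliation()
    print(f"{len(register)} contracts, {score:.1%} of required fields populated")
    for item in findings + [(cid, f, "missing") for cid, f in gaps]:
        print(" ", *item)
```

Two choices matter in practice. An explicit empty subcontractor list counts as populated (the vendor has none), while `None` counts as a gap, so the job distinguishes "answered: none" from "never asked". And a vendor spelled differently across systems is reported as a conflict rather than merged, because a silent merge is exactly how a register drifts between quarterly runs.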

Threat-led penetration testing

Article 26 introduces threat-led penetration testing aligned with the TIBER-EU framework. Financial entities identified by their competent authority as significant are required to perform TLPT at least every three years. The test is intelligence-led, scoped to several or all critical or important functions, run against live production systems, and conducted under the supervision of the TLPT authority. The threat-intelligence provider must be external; testers may be internal only under the conditions set out in Article 27.

TLPT is more expensive and more involved than a standard penetration test. The threat intelligence phase alone runs three to four months. The active testing phase runs another three to six months. For an institution that has only done compliance-driven pen tests, the operational overhead is real. Plan for 18 months from initial scoping to final report on a first TLPT cycle.

What suppliers should do

  • Map which of your customers are EU financial entities within DORA scope, and which of your services support their critical or important functions
  • Update your contracts to include the Article 30 clauses: audit and access rights, security requirements, incident notification, exit strategy, and conditions on subcontracting
  • Build incident notification capability that fits inside your customer's 4-hour clock; because that clock starts when the customer classifies the incident, a 24-hour SLA is now insufficient
  • Maintain documentation that supports your customer's register of information: function supported, criticality, data and service location, subcontractor chain
  • If you might be designated a CTPP, build the operational capability to host EU regulator inspections and respond to the Lead Overseer directly

DORA is the most operationally invasive financial regulation in a decade. The institutions and suppliers that treated it as a serious program in 2024 are running steady-state in 2026. The ones that waited for the deadline are still rebuilding their incident reporting and third-party registers in production. The work compounds. Start it earlier than feels comfortable.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.