HATS / DORA Crosswalk
1. Scope
This crosswalk maps HATS capabilities to the Digital Operational Resilience Act (DORA), which applies to financial entities in the EU from 17 January 2025. DORA establishes requirements for ICT risk management, ICT-related incident reporting, digital operational resilience testing, and ICT third-party risk management.
HATS capabilities are relevant to Chapters II (ICT Risk Management), III (ICT-Related Incident Management), IV (Digital Operational Resilience Testing), and V (Managing ICT Third-Party Risk). This crosswalk does not address governance and institutional provisions (Chapter I) or competent authorities (Chapter VI).
This crosswalk is a technical mapping. It does not constitute compliance with DORA or replace the oversight of the relevant national competent authority or European Supervisory Authority (ESA).
2. Chapter II -- ICT Risk Management
Article 5 -- Governance and Organisation
| Article | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| Art. 5(2)(a) Management body bears ultimate responsibility for ICT risk management | Governance Replay | ICT risk management decision attestation receipts with management body approval binding | Replay governance decisions; verify management body identity in approval chain |
| Art. 5(6) Management body keeps up to date on ICT risk | Evidence Chains | ICT risk briefing attestation chain recording periodic updates to management | Verify briefing attestation frequency; confirm management acknowledgment is attested |
Article 6 -- ICT Risk Management Framework
| Article | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| Art. 6(1) Sound, comprehensive, and well-documented ICT risk management framework | Governance Replay + Evidence Chains | Framework documentation attestation chain with governance decision binding | Traverse documentation chain; replay framework adoption decisions; verify completeness |
| Art. 6(5) Review at least once a year | Evidence Chains | Annual review attestation receipts with timestamp verification | Verify review attestation exists within each 12-month window; confirm management approval is attested |
| Art. 6(8) ICT risk management framework documented and reviewed | Continuous Attestation | Framework version attestation receipts at each modification point | Verify each framework version change has a corresponding attestation receipt |
Article 8 -- Identification
| Article | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| Art. 8(1) Identify, classify, and adequately document ICT assets | Continuous Attestation | ICT asset inventory attestation receipts at configurable intervals | Verify asset inventory attestation continuity; confirm classification fields are populated |
| Art. 8(4) Identify all sources of ICT risk | Evidence Chains + Governance Replay | Risk source identification attestation chain with governance binding | Traverse risk identification chain; replay categorization decisions |
Article 9 -- Protection and Prevention
| Article | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| Art. 9(2) Policies, procedures, protocols, and tools for ICT security | Continuous Attestation | Security control effectiveness attestation receipts | Verify control attestation continuity; confirm all documented controls have corresponding attestation |
| Art. 9(3)(b) Strong authentication mechanisms | Agent Attestation | Authentication event attestation receipts with PQ key material | Verify authentication receipts demonstrate strong authentication with post-quantum cryptography |
| Art. 9(4)(c) Data-at-rest and in-transit encryption | Encrypted Computation | Encryption attestation receipts for data at rest and in transit; FHE computation receipts for data in use | Verify encryption attestation covers all data states; confirm PQ key encapsulation for transit |
Article 10 -- Detection
| Article | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| Art. 10(1) Mechanisms to promptly detect anomalous activities | Continuous Attestation | Real-time attestation receipt stream enabling anomaly detection through deviation analysis | Verify receipt stream granularity supports detection SLA; confirm no monitoring gaps |
| Art. 10(2) Multiple layers of control, including network perimeter and internal monitoring | Evidence Chains | Multi-layer monitoring attestation chain spanning network, application, and data layers | Verify attestation coverage spans all documented monitoring layers |
3. Chapter III -- ICT-Related Incident Management
| Article | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| Art. 17(1) ICT-related incident management process | Evidence Chains + Governance Replay | Incident lifecycle evidence chain from detection through resolution with governance decision attestation | Traverse complete incident chain; replay response decisions; verify causal linkage between events |
| Art. 17(2) Indicators for early warning | Continuous Attestation | Early warning indicator attestation receipts at configurable thresholds | Verify indicator monitoring attestation; confirm threshold breach events generate receipts within SLA |
| Art. 17(3)(a) Classification of incidents | Governance Replay | Incident classification decision attestation receipts with criteria binding | Replay classification decisions; verify criteria applied match documented classification methodology |
| Art. 19(1) Major ICT-related incident reporting to competent authority | Independent Verification | Incident report attestation receipts verifiable by competent authorities | Competent authority verifies report receipts using H33 public keys; confirms report timestamps |
4. Chapter IV -- Digital Operational Resilience Testing
| Article | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| Art. 24(1) Sound and comprehensive digital operational resilience testing programme | Evidence Chains | Resilience test execution attestation chain recording test methodology, inputs, and results | Verify test attestation chain completeness; confirm test scope covers documented ICT systems |
| Art. 24(6) Prioritise, classify, and remedy all issues revealed during testing | Governance Replay + Evidence Chains | Finding-to-remediation attestation chain with governance decision binding | Traverse finding-remediation chain; replay prioritization decisions; verify remediation receipt for each finding |
| Art. 25(1) Vulnerability assessments and scans, open source software analysis | Continuous Attestation | Vulnerability assessment attestation receipts at required frequency | Verify assessment attestation frequency meets DORA requirements; confirm no assessment gaps |
| Art. 26(1) Threat-led penetration testing (TLPT) at least every 3 years | Evidence Chains | TLPT execution attestation chain recording scope, methodology, and findings | Verify TLPT attestation exists within each 3-year window; confirm scope matches critical ICT systems |
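The window checks in the Art. 6(5), Art. 25(1) and Art. 26(1) rows above reduce to one verification: every interval of the required length within the review period must contain at least one valid attestation receipt, and where the row demands it the receipt must carry a management approval binding. The following is an added example written for this crosswalk, not HATS code; the receipt fields (`kind`, `ts`, `approved_by`), the sample receipts and the obligation table are constructed assumptions.

```python
from datetime import date

# Constructed sample receipts (field names are assumptions, not a HATS schema).
# The latest framework review lacks the management approval binding that the
# Art. 6(5) row requires; the TLPT receipt predates the review period.
RECEIPTS = [
    {"kind": "framework_review", "ts": date(2023, 2, 10), "approved_by": "mgmt-board"},
    {"kind": "framework_review", "ts": date(2024, 1, 20), "approved_by": "mgmt-board"},
    {"kind": "framework_review", "ts": date(2025, 1, 10), "approved_by": None},
    {"kind": "tlpt", "ts": date(2022, 9, 1), "approved_by": "mgmt-board"},
]
PERIOD_START, PERIOD_END = date(2023, 1, 1), date(2025, 6, 1)

# Obligation -> (receipt kind, max days between valid receipts, approval needed)
OBLIGATIONS = {
    "Art. 6(5) annual framework review": ("framework_review", 365, True),
    "Art. 26(1) TLPT every 3 years": ("tlpt", 3 * 365, False),
}


def window_gaps(receipts, kind, start, end, max_interval_days, require_approval=False):
    """Return (gap_start, gap_end) pairs inside [start, end] where more than
    max_interval_days passed without a valid receipt of `kind`.

    A receipt is valid if it has the right kind, is dated on or before `end`
    and, when required, carries an approval binding. The period end counts as
    a boundary, so an overdue latest receipt is reported as a gap too.
    """
    valid = sorted(
        r["ts"] for r in receipts
        if r["kind"] == kind and r["ts"] <= end
        and (not require_approval or r["approved_by"])
    )
    # The latest valid receipt before the period fixes where the first window
    # begins; with none, the period start is used and earlier coverage must be
    # checked separately.
    before = [ts for ts in valid if ts < start]
    prev = before[-1] if before else start
    gaps = []
    for ts in [t for t in valid if t >= start] + [end]:
        if (ts - prev).days > max_interval_days:
            gaps.append((prev, ts))
        prev = ts
    return gaps


def check_obligations(receipts=RECEIPTS, start=PERIOD_START, end=PERIOD_END):
    """Run every obligation's window check; an empty list means no gap found."""
    return {name: window_gaps(receipts, kind, start, end, days, approval)
            for name, (kind, days, approval) in OBLIGATIONS.items()}
```

With the sample data the unapproved 2025 review is ignored for Art. 6(5), so the check reports a gap from the last approved review to the period end, while the same receipts pass when approval is not required.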
5. Chapter V -- ICT Third-Party Risk
| Article | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| Art. 28(2) Contractual arrangements with ICT third-party providers | Evidence Chains | Third-party service attestation chain recording service level and security control attestations | Verify third-party attestation chain covers contractual obligations; confirm continuity |
| Art. 28(5) ICT concentration risk assessment | Governance Replay | Concentration risk assessment decision attestation receipts | Replay concentration risk decisions; verify assessment methodology binding |
| Art. 30(2)(b) Service level descriptions including quantitative and qualitative targets | Continuous Attestation | Service level measurement attestation receipts at contractual frequency | Verify SLA measurement attestation continuity; confirm measurements against contractual targets |
| Art. 30(3)(a) Full descriptions of functions and services provided | Independent Verification | Service description attestation receipts verifiable by the financial entity | Financial entity verifies service description receipts; confirms alignment with contractual scope |
6. Coverage Notes
HATS provides technical evidence relevant to all five substantive chapters of DORA (Chapters II-V and the overarching Chapter I governance requirements). The strongest coverage is in ICT risk management (Chapter II) and incident management (Chapter III), where HATS evidence chains and continuous attestation directly produce the records and audit trails required by the regulation.
DORA obligations that fall outside the scope of HATS technical capabilities include: contractual arrangement negotiation (organizational), information sharing arrangements (Article 45), and direct engagement with ESA oversight frameworks. HATS-generated evidence can support these processes but does not replace the organizational and contractual measures required.
For financial entities using AI systems, the combination of HATS agent attestation (per-action AI governance) and the EU AI Act crosswalk provides a unified evidence framework spanning both DORA operational resilience and EU AI Act high-risk AI system requirements.