The Connector.

The Connector Podcast - How DORAedge is transforming compliance operations across the financial sector

Koen Vanderhoydonk (The Connector) Season 1 Episode 86

The Digital Operational Resilience Act (DORA) creates significant new compliance requirements for financial institutions in the EU. DORAedge offers a technological solution to manage these complex challenges effectively.

• Copenhagen-based fintech Performativ created DORAedge to help financial entities comply with DORA regulations
• The Register of Information requirement demands mapping of ICT networks and third-party providers across jurisdictions
• DORA uniquely impacts organizations cross-functionally, requiring collaboration between IT, legal, compliance, and procurement
• DORAedge transforms static compliance reporting into dynamic, real-time data management
• Incident management module helps meet strict reporting timelines
• Policy governance tools include suggested controls mapped to DORA articles and AI-powered gap analysis
• Future enhancements focus on multi-entity collaboration, permissions management, and third-party integrations

Visit www.doraedge.com to book a demo and learn how the platform can help your organization achieve DORA compliance.


Thank you for tuning into our podcast about global trends in the FinTech industry.
Check out our podcast channel.
Learn more about The Connector.
Follow us on LinkedIn.

Cheers
Koen Vanderhoydonk
koen.vanderhoydonk@jointheconnector.com

#FinTech #RegTech #Scaleup #WealthTech

Speaker 1:

Welcome to the Connector Podcast, an ongoing conversation connecting fintechs, banks and regulators worldwide. Join CEO and founder Koen Vanderhoydonk

Koen Vanderhoydonk:

Connector Podcast, and today I'm with Marissa. Marissa, it's not your first time, and it's really nice to have people coming back to this podcast, so tell us who you are, what you do and who you represent, the team at Performativ.

Marissa Weiss:

We are a too, to help with managing their compliance operations related to the new regulatory framework, which is why I'm excited to be here and to speak a little bit more about the platform today.

Koen Vanderhoydonk:

I think it has been more than six months, and at the time we were talking, DORA was not yet in place. So what has changed, and what has changed in your app? And maybe it's also a good opportunity to reintroduce DORAedge to everyone here listening to the podcast.

Marissa Weiss:

So the Performativ team decided to build an app called DORAedge in Q3 of last year in response to many of our wealth management clients asking us for advice in terms of what they needed to do once DORA, the Digital Operational Resilience Act, the new regulatory framework, came into effect in the EU in January of 2025.

Marissa Weiss:

So we built DORAedge as a standalone product within our suite to not just help our wealth management clients but actually entities across other sectors of the financial sector. So we're actually supporting large global international insurance institutions, stock markets, payments companies; the list really goes on, from single entities to multi-jurisdiction global firms. So we've built this app and, of course, the regulation went into effect in Q1. It's been an interesting period of time, with the first regulatory reporting requirements that went into effect in April and some ongoing deadlines at the moment for each and every entity to submit a register of information that really shows the competent authorities and overall the financial sector supervisory authorities what their information communication technology network looks like, who are the primary vendors that they're using for cloud hosting to be able to operate their business and ultimately serve their clients and drive revenue for their organization.

Koen Vanderhoydonk:

Because indeed I hear some clients actually struggling today with the register of information. Could you specify a little bit how you are then specifically helping them to complete this task?

Marissa Weiss:

Yeah. So the EBA, the European Banking Association, has published a template which is the register of information, which is 12 distinct tabs within a workbook.

Speaker 1:

And if you're just looking at it only 12.

Marissa Weiss:

And they're all very interconnected. There's the data point model, which is a new, updated model within the supervisory authority that states how all of this information needs to connect. So if you're an insurance company, you have multiple entities across different jurisdictions in the EU and you need to then connect. How do, within the group? How do these entities receive services from those information communication technology third-party providers? So if you are outsourcing any of your activities, who are you outsourcing to? What service are they providing? What critical function within your business or license activity are they impacting and what is your assessment of that provider? So obviously, there's a lot of talk in the world right now, with the global political climate in terms of relationships from the west side of the world, to put it lightly, to really show what happens if a provider cannot offer those existing services to an entity like they might be receiving it today, what is the backup plan? You know what if there's?

Marissa Weiss:

not only a cyber threat or a risk, a natural disaster that might take down that provider's ability to offer their service. But what if, due to political reasons, a certain provider pulls out of supporting or providing services to a particular region, country, et cetera? Super, super critical. While there are definitely complaints, you know, from every client that we are working with right now, again from small to really large institutions, about the sophistication of this data point model, that is, the baseline formatting or foundational layer of the register of information, the fact of the matter is that the supervisory authority needs to have a better understanding. Who are these critical providers within the European financial sector? How are our financial sectors, who are regulated, you know, licensed entities, how are they impacted in case, you know, there could be a threat or a stoppage entirely of these services, and how could that potentially impact customers? So, whether or not it is the right method forward, it is the first layer that is being done from a compliance and regulatory perspective.

Koen Vanderhoydonk:

And do you see?

Marissa Weiss:

a lot of impact within the compliance operations teams in terms of governance and policies. I think so. This is one of the, maybe not first regulations, but maybe first in a while that is impacting these financial entities in a cross-functional way. This is not just an IT issue, this is not just a legal issue, this is not just a compliance or risk issue; it's together also with procurement, vendor management, contract management, so the IT function as well, to say who are the providers that we're working with. How strong are they as providers in terms of their resiliency, our dependence upon their data? Do we actually have backups in that need? And it's sort of the first time that compliance teams are held responsible for having a grasp of that and ensuring their governance as well. So the policies and procedures that they have in place appropriately cover what's happening across all of these different functions internally.

Koen Vanderhoydonk:

So could you almost state that, because of doing the exercise of the register of information, that you get an insight in your company and that therefore, transparency creates a better resilience of what has happened or potentially should happen or could?

Marissa Weiss:

happen. I think that's entirely the idea, whether how effective it is. It is the exercise that every single regulated entity must follow, and if you don't submit the register of information, there will be ramifications for that. So it is at least the first layer for every single entity to do an assessment of what are their outsourced dependencies.

Speaker 1:

Who do they?

Marissa Weiss:

have providing those services and what could the potential impact be to a really critical business function in case that service goes down?

Koen Vanderhoydonk:

And I can understand you do that one time, but how does that look over time? Is there a way that DORAedge is helping you to keep that filter sort of dynamic and keep it up to date?

Marissa Weiss:

Yes, so I think many organizations are probably just using the EBA template, and that is, you know, a versioned spreadsheet that they submitted with a reference date of March 31st and uploaded to their competent authority's regulatory portal. What we've done is actually take that data and make it more dynamic so that compliance, risk and IT teams can actually manage that data, have a glance at it in real time at any point throughout the year, so not just hitting that reporting deadline annually, but actually being able to interact with that data as if it were your complete ICT network database.

Koen Vanderhoydonk:

I almost feel like I'm sitting in a plane and in that unlikely event that something would happen like an incident. I mean, this is exactly where it would be good to have, like such a very strong register. But how does it work when something happens? How do you support the event of an incident?

Marissa Weiss:

Absolutely so.

Marissa Weiss:

We have an end-to-end incident management module, so some organizations might have a disparate system to manage this, but within DORAedge you have your full ICT network at your fingertips where we're helping you throughout the process of being able to understand the impact of that incident on your organization and satisfy those reporting requirements as quickly as possible.

Marissa Weiss:

So for a lot of critical ICT vendors, Performativ, the company that I work for, as well, being that to many of our wealth management clients, we need to be able to abide by the DORA regulation in terms of helping our clients provide information and work with them to achieve the time limit requirements for those reports, that being maybe 24 hours after a major incident needing to report initially, having 72 hours after that to provide an intermediate report, 30 days after resolution providing the final report. So what we're doing is helping these teams who are managing an incident in real time have the data at their fingertips and get those reporting requirements executed as quickly as possible, but also then being able to store it, learn from it in the context of that ICT network. So you could say, oh wow, my cloud hosting provider has gone down three times this year. I should highly suggest to my IT team that we actually look at alternatives so that we can find a more suitable, reliable vendor to work with in the future.

Koen Vanderhoydonk:

Yeah, you're getting close to SLAs as well.

Marissa Weiss:

Exactly, absolutely.

Koen Vanderhoydonk:

What I like about it is that compliance becomes a perpetual process. And it's storing information, it's storing incidents, but there's one thing missing in the mix, and that's the policies, the rules of engagement. How does that work in DORAedge?

Marissa Weiss:

This is my favorite module within DORAedge because governance can be seen.

Koen Vanderhoydonk:

Luckily you asked the question.

Marissa Weiss:

It can, maybe because I designed it, but I really do find that when I'm sharing it with clients and walking them through not just in a pre-sales context but actually in getting them up to speed on the app myself they are relieved to see a tool that can really drive value for them and they can practically use. So the policy module is an excellent tool that sits in tandem with the ICT network management side of the app and this is where the legal, the compliance team can maintain all of their DORA-related governance documents. So this could be the business continuity plan, this could be your third-party management policy, everything that the DORA regulation requires that you have in the implementation side of compliance. You can store that within the app and we've made a super cool module where we have some suggested policies. Sorry, I should say we have suggested controls that we think should be included within policies of certain types.

Marissa Weiss:

So if you were to upload a policy and say that this is for third-party provider management, you would select that button and then it would actually dynamically filter down the regulation to only provide you with articles where we think the controls set in stone or in place there, in our interpretation, should then be reflected back in that document. I think this can be a helpful tool for organizations who have not yet updated their pre-DORA policy documents, or who already have gone through that process but do want to have the extra gut check or layer of confidence to know that they have everything included in there as possible. And so, you know, if there are 46 or so different articles within the DORA regulation, we've identified 200 plus overall controls or requirements that an organization should put in place. But instead of having to go through every single article or requirement one by one, it does so in a more thematic way.

Koen Vanderhoydonk:

So it's a really useful tool. No, I think it's nice to have such guidance, but we should never forget that the end responsibility always lies with the company that's regulated. So therefore, I saw you playing around with words, but I think that's what you wanted to say, right, the end responsibility is always with the company and themselves.

Marissa Weiss:

Absolutely, and I explained the functionality of the product. But we have taken the approach that compliance is human first, and a human needs to be a part of that process and needs to be at the forefront of it too. So we have actually built an LLM within the app, but we recommend it to be the second line of defense. So this is a tool where you can upload your policy documents: here's my business continuity plan, I have done the mapping based upon my review and Performativ's suggested requirements, but what are the gaps? How would you recommend that I account for this type of control in my existing document to ensure that it fully fulfills my obligation under the DORA regulation for this particular type of document? So we have definitely made this a process so that it's more efficient for the human, so for the legal or compliance expert within the financial entity, but that they have tech to enable them through that process.

Koen Vanderhoydonk:

Yeah, we should not forget that many of the wealth managers don't necessarily have 10,000 compliance officers working for them.

Marissa Weiss:

Absolutely so. If you're an independent wealth manager, you have a pretty lean business operation. So we highly recommend working with, if you don't have that expertise in-house, we can help connect you to legal expertise external to your organization. But the policy element, we want to make the process more efficient, but it really is an entity-level approach to fit that business best.

Koen Vanderhoydonk:

No, interesting. We're almost at the end of this podcast and what I always want to do at the end is to look forward. What's the future? And I really liked when you said there's human-like compliance rules. Is that the next thing we can expect in DORA?

Marissa Weiss:

Absolutely so. Within DORAedge we have made this 100% vertical DORA regulation compliance tool. So with that again you get to manage your ICT network, maintain a risk register, track, manage, report incidents and do all of your governance in one place. But we know that there are many clients today who are working with, who are in multi-entity international groups, and so we're making the platform even more feasible so that collaborative teams across time zones, across different functions, have the right ACL so permissions, access levels, viewability or viewing into particular records and that when it comes to an incident coming through, who is your line of attack? Who is there to follow along in that incident process to make sure it gets through resolution as quickly as possible? Who is managing a provider contract and ensuring that we are assessing it every year but also that we are proactively looking out for concerns that we should be assessing in the interim as well.

Marissa Weiss:

So all of the enhancements that we are continuing to make to the product is to continue to make it incredibly strong for the purposes of DORA.

Marissa Weiss:

So we're building it out internally to make enhancements, but also brand new product features, and then we're also looking at third parties, so really strong integrations that we can bring into the mix. Think GRC tools that don't have a DORA framework, policy management tools, where you need to make sure that every single employee has read through and approved every policy on an annual basis. How can we then make sure, from an executional standpoint, there are the right monitors in place? Call it multi-factor as an example, to ensure that you are running a compliant organization in the day-to-day and not just saying that you are. So I think this is we've heard from some of the larger institutions that we're working with. It is amazing to finally have one tool to bring it all in one place, when they might already have a separate compliance, a separate legal, multiple IT platforms already. But here's their source of truth for Dora and they can pull in that data where needed to ensure that they can fulfill the reporting requirements.

Koen Vanderhoydonk:

Super exciting and I guess I'll need to end up like I ended up last time. So how can people be part of this journey?

Marissa Weiss:

Well, we would love to have conversations with any regulated financial entity. Again, from wealth management through crypto, it really spans, to see, you know, where are you today. What challenges did you face when you were going through the register of information process, but what gaps do you have to ensure that you're fulfilling all of the additional obligations under DORA to ensure that your organization really is compliant throughout the year? So our website is doraedge.com. You can book a demo with me directly. I would be more than happy to have a discovery conversation and show you the platform's capabilities, talk more about what's on the product roadmap and see what gaps we can help fill and value we can drive to your organization.

Koen Vanderhoydonk:

Marissa, thank you very much for being with us again in our podcast, and I hope to see you again in the next six months. So we're curious to know what's the next update. But for now, thank you very much to you, but also to the listeners, and stay tuned.

Speaker 1:

More news from the financial industry will come in this podcast. Thanks, Koen, bye-bye. Thanks for listening to another episode of the Connector Podcast. To connect and keep up to date with all the latest, head over to www.jointheconnector.com or hit subscribe via your podcast streaming platform.