DORA-ready ICT third-party control, on day one.
EU-domiciled banks, insurers, mid-size asset managers, and their UK FCA-regulated counterparts use 1331 so AI workloads pass BaFin, AMF, FCA, and CSSF questioning without rewriting the third-party register.
“Financial entities shall manage ICT third-party risk as an integral component of ICT risk, taking full responsibility — including for ICT services supporting critical or important functions provided through subcontractors.”
DORA makes you contractually and operationally responsible for every AI vendor in the chain — including incident reporting within 4 hours, full audit access, exit strategies, and concentration-risk limits. EU AI Act Article 6 then classifies credit scoring and insurance underwriting AI as high-risk. Schrems II and the European Commission's Cloud Sovereignty Framework v1.2.1 invalidate the 'EU region' fig leaf when the parent company is CLOUD Act-reachable.
“Our preferred-vendor LLM has an EU region, but our DPO can't sign off because the parent is US-domiciled and our DORA exit-strategy template requires we can move providers in 90 days. We've stalled three projects.”
EU institutions land on Controlled (sovereign VPC in Frankfurt, Paris, or Dublin under an EU-law DPA) or Governed (1331 Cloud with contractual isolation and a GDPR Art. 28 DPA that survives Schrems II review).
Compliance by architecture, not by contract footnote.
Pre-built DORA artifact pack
Register of information entries, exit strategy, subcontractor map, concentration-risk evidence — produced as exportable PDFs, not slide decks. Your DORA program lead inherits, doesn't rebuild.
4-hour incident log export
Structured incident exports in the ESA reporting template format. Audit logs are append-only, signed, and queryable by any DORA tier.
EU-only inference, EU-law contract
Controlled posture pins inference to Frankfurt or Paris regions under an EU-domiciled entity. Governed posture uses 1331 Cloud with no CLOUD Act-reachable parent in the inference path.
High-risk AI Act documentation
Model cards, evaluation sets, human-oversight logging, and post-market monitoring hooks for credit-scoring and underwriting workloads — what Articles 9–15 of the AI Act will require before August 2026.
The decision is rarely one person.
We've built collateral for each seat at the table — from the GC reading the bulletin to the platform lead writing the diagram.
DORA requires you to control your AI vendors — not hope they comply.
1331 gives a CRO an exit strategy that fits in one page, a DPO a Schrems II memo their supervisory authority has already seen, and a Head of Platform a model-serving layer that doesn't have to be rebuilt every time procurement renegotiates a hyperscaler ELA.