Compliance, made provable

Every compliance number, re-derivable.

One graph for every framework you answer to. Every score is a pure function your auditor can reproduce, line by line — EU-native, self-hostable, with national supervisory layers built in.

No account required for the gap report

Deterministic scoring — every number provable to its formula
Self-hostable in the EU — your data never leaves your infrastructure
Every EU framework in one graph — national layers built in, not a US checkbox

What compliance officers ask for on day one

The platform

One graph does the work

Select a capability. Watch what changes.

Regulation, control and evidence as one connected structure

Not lists. A directed graph where every obligation knows its systems, its evidence and its blast radius.

1 graph · every dependency

The difference

Deterministic, not probabilistic

The same inputs always produce the same posture. No model guesses between you and your auditor.

  • Every score traceable to its inputs
  • Every change writes an audit event
  • Every export reproducible

The library

Every framework, one curated source

Versioned, machine-readable requirement trees — not paraphrased prompts.

DORA

Digital Operational Resilience Act

EU · Regulation

Register of Information, incident timelines, TLPT.

MiCA

Markets in Crypto-Assets

EU · Regulation

CASP authorisation, whitepapers, prudential safeguards.

NIS2

Network & Information Security 2

EU · Directive

Risk management, reporting, supply-chain security.

GDPR

General Data Protection Regulation

EU · Regulation

Lawful basis, DPIAs, breach notification.

ISO 27001

Information Security Management

ISO · Standard

Annex A controls, Statement of Applicability.

SOC 2

Service Organization Control 2

AICPA · Attestation

Trust services criteria, evidence over a period.

BaFin

KMAG · BAIT

Germany · National

Crypto-custody and IT-supervision specifics.

FMA

Austrian Financial Market Authority

Austria · National

National CASP supervision layer.

AMF

Autorité des marchés financiers

France · National

French market-authority requirements.

Trust

A number you can prove.

Vellorum gives you a compliance posture. It also gives you every input, formula, and audit event that produced it — so you never have to ask your system to trust itself.

Determinism

Same inputs, same output, always. The scoring engine is a pure function — injectable date, no global state, unit-tested at every boundary. Hover any number to see its derivation.

Provenance-locked AI

The AI assistant answers strictly from your workspace data. Every sentence carries an inline citation. No retrieval = no answer. Offline fallback produces the same structure without an API key.

Immutable audit trail

Every mutation — status change, evidence upload, member action — writes an audit event. Your auditor reads the same history you do. Nothing is editable after the fact.

Self-hostable for EU finance

EU CASPs and banks cannot load compliance data into US-SaaS. Vellorum runs entirely on your infrastructure via docker-compose. No phone-home. Ed25519-signed offline license.

Built for the actual regulation. Not a checkbox.

  • Every framework parsed to the article and scored the same deterministic way — versioned requirement trees, never paraphrased prompts.
  • DORA Register of Information: ESA ITS B_01.01–B_99.01 column names, enumerations, and sheet structure — validated against the live spec, not approximated.
  • Incident deadlines per RTS (EU) 2024/1772: initial report within min(4h from classification, 24h from detection). Pure function. Tested against edge cases.
  • TLPT scheduling per DORA Art. 26: 3-year cadence enforced deterministically. Overdue tests surface as graph insights.
  • BaFin KMAG, GwG/KryptoWTransferV, BAIT/MaRisk: national supervisor layer included as first-class regulation packs — not mapped from a US framework.
  • MiCA CASP authorisation obligations: article-level requirements, versioned, with EUR-Lex CELEX source links.
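As an added illustration (not Vellorum's code), the two rules quoted in the bullets above written the way the page describes its engine: pure functions with an injected date, so the same inputs always return the same result and the result names the rule that produced it. The 4h, 24h and 3-year figures are the page's; every timestamp is constructed.

```python
from datetime import date, datetime, timedelta
from typing import NamedTuple, Optional

# Windows and cadence exactly as stated on the page, named so every number
# in a result is traceable to one constant.
CLASSIFICATION_WINDOW = timedelta(hours=4)
DETECTION_WINDOW = timedelta(hours=24)
TLPT_CADENCE_YEARS = 3


class Deadline(NamedTuple):
    at: datetime
    binding_rule: str  # which of the two windows produced the deadline


def initial_report_deadline(detected_at: datetime, classified_at: datetime) -> Deadline:
    """Initial report due at min(classified + 4h, detected + 24h).

    Pure: no clock is read, so equal inputs always give an equal deadline.
    Naive timestamps are rejected so the arithmetic is unambiguous.
    """
    if detected_at.tzinfo is None or classified_at.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    if classified_at < detected_at:
        raise ValueError("classification cannot precede detection")
    by_classification = classified_at + CLASSIFICATION_WINDOW
    by_detection = detected_at + DETECTION_WINDOW
    if by_classification <= by_detection:
        return Deadline(by_classification, "4h from classification")
    return Deadline(by_detection, "24h from detection")


class TlptStatus(NamedTuple):
    due: Optional[date]
    overdue: bool
    days_remaining: Optional[int]  # negative once overdue


def tlpt_status(last_test: Optional[date], today: date) -> TlptStatus:
    """3-year cadence check; 'today' is injected, never read from a clock."""
    if last_test is None:  # never tested: overdue by definition, no due date
        return TlptStatus(None, True, None)
    target_year = last_test.year + TLPT_CADENCE_YEARS
    try:
        due = last_test.replace(year=target_year)
    except ValueError:  # last test on 29 Feb and target year is not a leap year
        due = last_test.replace(year=target_year, day=28)
    return TlptStatus(due, today > due, (due - today).days)
```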

Demo data & privacy

Our public demo stores the email you enter so we can follow up, plus your IP address solely to prevent abuse. Both are deleted automatically after 90 days, and all data stays within the EU.

Deterministic scoring

Every number is a pure function of data + date. Hover any metric to see the exact formula. No model between you and your auditor.

Self-hostable

EU CASPs cannot load compliance data into US-SaaS. Run Vellorum on-premise on docker-compose. Zero external dependencies required.

Gap report in 5 minutes

Public, no-login. Select your entity type, member state, services. Receive a regulator-style PDF with per-article gap citations.

Company

Compliance should be a property of your systems

Not a quarterly panic. Vellorum exists to make regulatory posture something you can read off your infrastructure — at any moment, with proof.

Built in Austria

Vellorum is built in Europe, for the European regulatory reality, by people who believe auditability is an engineering discipline.

Why now

  1. Dec 2024: MiCA fully applicable to crypto-asset service providers
  2. Jan 2025: DORA in force for the financial sector
  3. 2025–2026: Active supervision; regulators are requesting evidence now.

Talk to us

Tell us where compliance hurts. We respond within one business day (CET).

or write directly to hello@vellorum.net


See exactly where you stand — and prove it.