DORA Compliance Guide: Digital Operational Resilience for Financial Services

The Digital Operational Resilience Act (DORA) is an EU regulation that became enforceable on 17 January 2025. It sets uniform requirements for the security of network and information systems across the financial sector. If your startup provides technology services to banks, insurers, payment firms, or investment companies in the EU, DORA directly affects you.

What Is DORA?

DORA (Regulation 2022/2554) establishes a comprehensive framework for digital operational resilience in the EU financial sector. Its goal: ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats.

Unlike previous guidance-based approaches, DORA is a binding regulation — directly applicable in all EU member states without national transposition.

Who Does DORA Apply To?

DORA applies to virtually all regulated financial entities, including:

  • Banks and credit institutions
  • Investment firms and trading venues
  • Insurance and reinsurance companies
  • Payment institutions and e-money institutions
  • Crypto-asset service providers
  • Fund managers and pension funds
  • Credit rating agencies

Critically, DORA also applies to ICT third-party service providers that serve these entities. If your startup provides cloud services, data analytics, SaaS tools, or any technology service to EU financial firms, you’re in scope as a third-party provider.

The Five Pillars of DORA

1. ICT risk management

Financial entities must implement a comprehensive ICT risk management framework that includes:

  • Identification of all ICT assets, risks, and dependencies
  • Protection and prevention measures
  • Detection of anomalous activities
  • Response and recovery plans
  • Learning and evolving from incidents

For startups serving financial firms, this means your systems need to meet the security and resilience standards your customers are required to maintain.

2. ICT-related incident management

Entities must classify ICT incidents by severity and report major incidents to their competent authority. DORA establishes harmonized reporting templates and timelines:

  • Initial notification: Within 4 hours of classifying a major incident (and no later than 24 hours after detection)
  • Intermediate report: Within 72 hours
  • Final report: Within 1 month

3. Digital operational resilience testing

Entities must conduct regular testing of their ICT systems:

  • Basic testing: Vulnerability assessments, network security assessments, gap analyses, physical security reviews, and software reviews — for all entities
  • Advanced testing (TLPT): Threat-Led Penetration Testing for significant financial entities, conducted at least every 3 years

4. ICT third-party risk management

This is where startups feel DORA most directly. Financial entities must:

  • Maintain a register of all ICT third-party service providers
  • Conduct due diligence before onboarding providers
  • Include specific contractual provisions (security measures, audit rights, exit strategies, data location)
  • Monitor provider performance and risk continuously

As a provider, you can expect your financial clients to require that you demonstrate strong security practices, support their audit rights, maintain detailed incident reporting, and have clear exit and data portability plans.

5. Information sharing

DORA encourages (but doesn’t mandate) cyber threat intelligence sharing between financial entities to improve collective defense.

DORA Compliance Checklist for Startups

  1. Assess applicability: Determine if you’re a regulated entity or an ICT third-party provider to regulated entities
  2. Build your ICT risk framework: Document asset inventories, risk assessments, and mitigation measures
  3. Implement incident management: Define classification criteria, escalation procedures, and reporting templates
  4. Prepare for resilience testing: Schedule vulnerability assessments and penetration tests
  5. Review vendor contracts: Ensure your contracts with financial clients include DORA-required provisions
  6. Document exit strategies: Provide clear data portability and transition plans for your financial clients
  7. Establish audit readiness: Be prepared for your financial clients’ audit rights and regulator inspections

Track each requirement with Complara’s DORA checklist to keep evidence organized and demonstrate compliance to your financial sector clients.

Frequently Asked Questions

Does DORA apply to startups outside the EU?

If you provide ICT services to EU-regulated financial entities, yes. DORA’s scope covers the contractual relationships between financial entities and their providers, regardless of the provider’s location.

How does DORA relate to NIS2?

DORA is sector-specific (financial services) while NIS2 is cross-sector. DORA is considered lex specialis — it takes precedence over NIS2 for entities in its scope. However, ICT providers not serving financial entities may still fall under NIS2.

What happens if I’m designated a “critical” ICT provider?

Critical ICT third-party providers are subject to direct oversight by the European Supervisory Authorities (ESAs). This includes inspections, recommendations, and the power to impose penalties. Designation is based on the systemic importance of the services you provide to the financial sector.