DORA.ai - cybersecurity and cyberresilience platform
DORA.ai - cybersecurity and cyberresilience platform
Description
Who we are?
allclouds.pl is a Polish company that provides specialized IT services.
We specialize in Business Intelligence systems, IT security systems, and building low-code applications using AI.
For many years, we have been designing and implementing key reporting systems for the Polish Financial Supervision Authority.
We have credentials in taxonomy development and data validation, as well as experience in standards used in financial reporting such as XBRL, DPM, and taxonomies managed by European institutions such as ESMA, EIOPA, and EBA.
What do we want to do?
As part of our internal initiative, we plan to launch the innovative DORA.ai project,
in which we will encourage financial market entities to participate in supporting the development of the DORA.ai solution. In this project, we will use artificial intelligence to automate processes and administration, and which will be available to entities that decide to participate in the project through the 4fund.com platform. The entire initiative will be described in detail in our invitations to participate as Supporters. The DORA.ai project is an example of how regulation can become an impetus for the creation of a new, groundbreaking technological product that will benefit the entire financial market.
Why do we want to do this?
The idea for the project arose from the fact that allclouds.pl has extensive experience and expertise in building reporting systems for Polish regulators, and that there are over 2,000 entities in Poland required to report on operational digital resilience. The regulation necessitated a new, dedicated DORA Data Mart, ensuring the availability of data of appropriate quality and completeness within the timeframe required by the regulator.
For financial market entities, this presents an opportunity to build an innovative (AI-based) solution that will fulfill this obligation and simultaneously equip the financial entity with a centralized data and metadata platform for cybersecurity and cyber resilience. Thanks to DORA.ai, the entity will automate processes related to operational digital resilience and will be able to continuously monitor compliance with regulatory guidelines.
DORA.ai has the potential to transform the approach to compliance from a "duty" into a valuable business asset. The positive aspects of implementing DORA: regulatory compliance becomes not a cost, but a source of measurable added value in the form of a higher level of security, order in processes, and trust in the institution. Thanks to this tool, the term "digital resilience" ceases to be an abstraction and becomes a measurable standard of everyday practice in financial institutions.
Why is worth helping us?
Thanks to the support of our joint project, we can achieve an innovative solution for regulatory compliance and cybersecurity in the financial sector. DORA.ai has the potential to become synonymous with intelligent compliance automation and truly contribute to increasing digital resilience for many organizations. DORA.ai is not just another piece of software, but a socially significant project with a broad scope of ambition, worthy of financial and substantive support. This will make the crowdfunding campaign more than just a fundraiser - it will be the seed of a community focused on improving digital resilience, which perfectly aligns with
our product's mission.
ABOUT THIS PROJECT
DORA.ai is designed as an intelligent RegTech (Regulatory Technology) platform, integrating a range of functional modules covering the core areas of DORA regulation. It utilizes advanced AI algorithms - including natural language processing (NLP) and machine learning - combined with expert knowledge of cybersecurity and financial regulations. This allows the system to automate ≥90–95 of repetitive compliance tasks and serve as a "guardian of the organization's digital resilience." The platform not only acts as a recorder and reporter, but actively monitors the environment and supports users, going beyond passive compliance with regulatory obligations.
Key features and functions of DORA.ai (planned for implementation) include:
Automated Document Analysis – The system uses NLP to analyze the content of ICT contracts, security policies, and procedures to identify missing clauses or non-compliance with DORA requirements. This allows, for example, assessing supplier contracts for business continuity and security provisions without the need to physically read the documents, while simultaneously identifying potential gaps in compliance provisions.
Ongoing Supplier Risk Assessment (TPRM) – The Third-Party Risk Management module aggregates data from multiple sources (public registers, financial data, media, regulatory alerts) and uses AI to generate risk scores for key suppliers. This allows the organization to be immediately informed of potential threats from its partners (e.g., a deterioration in the financial condition of a key cloud service provider).
24/7 Incident and Compliance Monitoring – The platform enables integration with financial institution IT systems to track security incidents and other events relevant to DORA 24/7. It uses intelligent agent mechanisms to filter and correlate events, automatically generating alerts and recommendations when irregularities are detected (e.g. failure to perform a required test, delay in incident response).
Generating Logs and Reports – DORA.ai maintains legally required logs (incidents, risks, tests, etc.) and can automatically generate ready-made reports for the regulator in the required format (e.g., an incident report following the ESAs template). Built-in AI ensures the completeness and consistency of these reports before submission, minimizing the risk of errors and report rejection.
Proactive Assistant (AI Coach) – a unique feature of the system will be a virtual advisor supported by AI. This advisor acts as a "compliance coach" – reminding about upcoming responsibilities (e.g., policy review, contingency plan testing), suggesting checklists and best practices, and answering team questions via a conversational interface (a chatbot trained on knowledge of regulations and procedures). This AI Coach initiates actions before a problem occurs, reducing the risk of overlooking important tasks and raising awareness within the organization. Thanks to the features outlined above, DORA.ai will be more than just a traditional GRC (Governance, Risk, and Compliance) tool – it will actively improve an institution's cyber resilience. The platform will identify vulnerabilities before they lead to incidents, recommend corrective actions, and support the continuous improvement of security processes. As a result, the financial organization will not only meet formal DORA requirements but also significantly strengthen its infrastructure and threat preparedness.
System Modules and Coverage of DORA Requirements: DORA.ai's architecture assumes a modular structure aligned with the main pillars of the DORA regulations. Below are the platform's key domain modules (ultimately all integrated within a single ecosystem), along with their assignment to DORA areas:
ICT Risk Management – a central registry of ICT assets and business functions, and a tool for identifying, classifying, and assessing ICT risks. It supports the cyclical risk management process in accordance with DORA Articles 6 - 12 (strategies, policies, risk classification, business continuity). It includes, among other things, asset and dependency inventories (CMDBs), risk assessment matrices, incident-risk linking, risk acceptance registers, and integration with business continuity processes.
ICT Incident Management – a module for detecting, analyzing, and reporting security incidents, including serious incidents notified to the supervisor. It ensures compliance with DORA Articles 17 - 20 (incident handling procedures, classification, reporting obligation ≤72 hours). It offers, among other things, Incident logging (manually or via API), automatic classification according to the DORA taxonomy, verification of reportable incidents, tracking of corrective actions (RCA, remedial actions), generation of reports to the Polish Financial Supervision Authority (KNF)/EBA, integration with detection systems (SIEM), and a complete incident archive.
ICT Supplier Management (TPRM) – a third-party risk management module (outsourcing). It allows for maintaining a register of all outsourcing agreements and suppliers, with particular emphasis on those providing critical services. It enables, among other things, supplier due diligence, SLA/OLA monitoring, a register of subcontractors (so-called 4th parties), and tracking changes that may impact risk (e.g., supplier financial difficulties). It meets the requirements of Articles 28 - 30 of the DORA regarding external supplier risk oversight – including the obligation to have exit plans (exit plans) and supplier audit rights.
Digital Resilience Testing (TLPT & ORTM) – a set of modules supporting the planning and documentation of cyber resilience tests. The first is a TLPT (Threat-Led Penetration Testing) module for coordinating advanced penetration tests inspired by real-world attacks - required for the largest institutions every three years in accordance with Articles 26 - 27 of the DORA. It provides, among other things, a record of red/blue teams, a TLPT test schedule, a repository of test reports, and a log of post-test remediation actions. A complementary ORTM (Operational Resilience Testing Management) module will be introduced to handle other operational resilience tests (BCP/DR, failover, backup tests, etc.), allowing institutions to centrally manage their entire resilience testing program - not just TLPT but also the periodically required business continuity tests for all.
Business Continuity (BCDR) – a module for managing business continuity and disaster recovery plans (BCP/DRP). It allows you to create and update BCP/DRP plans, schedule their tests, and document test results and any discrepancies. It supports compliance with DORA Articles 10 - 12 regarding the maintenance of business continuity plans, disaster recovery, and the regular testing of these plans.
Taxonomy and Regulatory Change Management – a module that tracks changes in reporting requirements and standards (e.g., new forms, EBA/ESMA taxonomies). It enables versioning of report templates and data models so that the system can quickly adapt to new regulatory requirements. Thanks to this module, DORA.ai will remain compliant even when new technical guidelines are released – updates to taxonomies and reporting templates will be reflected in the system without delay.
Data Quality Management (DQ) – a module that ensures the accuracy and integrity of reporting data. It automatically validates data across multiple levels: it checks for syntactic and semantic correctness, consistency between forms, and compliance with the Data Point Model (DPM) definitions used by European regulators. It includes control rules (including context-specific ones), AI-powered error prediction mechanisms, and data quality indicators (DQR/DQI). This ensures that the reports submitted are complete and compliant with technical requirements, protecting against report rejection or sanctions.
KRI/KPI Monitoring – a module that defines and tracks key risk indicators (KRIs) and performance indicators (KPIs) related to digital resilience. It collects data from other modules (incidents, tests, suppliers, data quality) and presents it in the form of easy-to-read dashboards (e.g., risk heatmaps, trend charts). It allows for setting risk tolerance thresholds and generates alerts when they are exceeded, providing management with measurable information on the organization's security and compliance status.
Impact Simulation – an advanced analytical module enabling "what-if" analyses of business continuity and risk. It allows modeling the effects of hypothetical events (e.g., data center outage, key supplier unavailability, major incident) on business processes and infrastructure. By integrating data from all previous modules, this tool helps identify weakest links and assess the potential impact of incidents – supporting proactive remediation planning.
The above set of modules demonstrates that the DORA.ai platform strives to fully cover DORA regulatory requirements in an integrated manner. Each module addresses specific articles of the regulation while adding value beyond the regulatory minimum – through automation, intelligent data analysis, and user experience. The architecture is flexible: customers can start with the most important modules (e.g., risk, incidents, suppliers) and add additional components over time, scaling the system to an enterprise version that covers all areas.
PROJECT GOAL
The primary goal for the Supporter is to ensure compliance with DORA while simultaneously lowering the total cost of ownership (TCO) of compliance tools and reducing exposure to operational risk. In practice, the Supporter expects DORA.ai to transform regulatory obligations into operational and business advantages – standardizing workflows, shortening response times to threats, and providing measurable resilience metrics. From this perspective, the Supporter's goals can be summarized as follows:
a) Operational and compliance goals – achieving full coverage of DORA requirements: incident and risk logs, external vendor and third-party risk management, resilience testing planning and documentation, a policy repository, a regulatory report generator, a requirements library, and oversight of standard changes. DORA.ai aims to reduce manual work, standardize procedures, and minimize the risk of fines and non-compliance in the event of an audit.
b) Economic goals - measurable savings: reduced expenditure on ad-hoc work, consulting, and a distributed, heterogeneous tool stack. Automation (e.g., generating the initial incident report, classifying and validating data) is expected to reduce time and workload for teams, thus lowering costs. An additional benefit is reduced financial risk resulting from reporting errors or delays.
c) Strategic and development goals – achieving standardization and comparability of security processes across the entire organization (and, in the case of capital groups, also between companies), which improves management control and enables informed risk appetite management. DORA.ai is intended to be the foundation for continuous improvement (monitoring KRIs/KPIs and proactivity (telemetry, early warnings), and then - in version 2.0 - for impact simulations ("what-if") on critical functions. This translates into greater operational resilience and competitive advantage.
d) Technological and sovereignty goals – implementation flexibility (SaaS/hybrid/on-premises) and code control with significant financial investment. GDPR compliance and privacy-by-design principles (protecting privacy by design), full auditability, and the ability to integrate with existing ecosystems (SIEM/ITSM, data warehouses, analytical tools) are also crucial. The goal is technological sovereignty – no vendor lock-in and transparent AI mechanisms.
e) Reputational and social goals – implementing DORA.ai also signals responsibility to clients and the regulator: the institution not only meets requirements but also actively builds a culture of security and shares best practices within the industry. For investors financing development (e.g., crowdfunding), it offers added value: participation in the creation of European RegTech innovation that benefits the entire sector.
SUPPORT OFFERS
Participation in the project requires purchasing a participation package. Each package has a different value and functionalities. We have prepared an offer tailored to the varying expectations of financial market players. Of particular note is the measurable benefit each participant receives immediately upon joining the project – a yearly subscription to the DORA.insight system, which will support you in fulfilling your responsibilities from day one. Another reward, worth the wait, is DORA.ai.
______________________
PACKAGE 10 | 2,350 EUR
As part of Package 10, Supporters receive:
DORA.ai Subscription
• Cloud Version
• Valid for 1 year from the date of the first edition's public release
• Number of ICT contracts – up to 10
• The license includes: ICT supply chain management module + ICT risk management module + incident management module + system functions including: information exchange with suppliers, internal reporting, report generation and validation based on KNF templates, task scheduling, and supplier surveys
DORA.insight Subscription
• Cloud Version
• From January 1 to December 31, 2026
• The license includes: supplier management module + supply chain management module + ICT risk management module + incident management module + system functions including: information exchange with suppliers, internal reporting, report generation and validation based on KNF templates, task scheduling, and supplier surveys
• Number of ICT contracts – up to 10
• Support via the service portal + updates resulting from changes introduced by the Polish Financial Supervision Authority (KNF)
• Documentation available on the service portal
DORA.ai Training
Access to e-training courses available on the designated platform for 1 year from the date of public publication of the first edition of DORA.ai – 1 subscription
Direct DORA.ai implementation support
Under separately agreed terms
DORA.ai Technical Support
• Via the DORA.ai service portal
• For 1 year from the date of public publication of the first edition
• Regarding DORA.ai
DORA.ai Documentation
• User and Administrator Documentation
• Available on the service portal
DORA.ai new versions
• After the release of the production version
• Changes introduced by the KNF during the subscription period
_______________________
PACKAGE 50 | 11,650 EUR
As part of the 50 Package, Supporters receive:
DORA.ai Subscription
• Cloud Version
• For 1 year from the date of the public publication of the first edition
• Number of ICT contracts – up to 20
• The license includes: Package 10 + telemetry and proactive monitoring module + change management module + operational test scheduling module
DORA.insight Subscription
• Cloud Version
• From January 1 to December 31, 2026
• The license includes: Package 10 + telemetry and proactive monitoring module + change management module + operational test scheduling module
• Number of ICT contracts – up to 20
• Support via the service portal + updates resulting from changes introduced by the Polish Financial Supervision Authority (KNF)
• Documentation available on the service portal
DORA.ai Training
For 1 year from the date of the public publication of the first edition of DORA.ai, access to e-training courses available on the designated platform – 2 Subscriptions
Direct DORA.ai implementation support
Under separately agreed terms
DORA.ai technical support
• Via the DORA.ai service portal
• For 1 year from the date of public publication of the first edition
• Regarding DORA.ai
DORA.ai documentation
• User and administrator documentation
• Available within the service portal
DORA.ai new versions
• After the release of the production version
• Changes introduced by the Polish Financial Supervision Authority (KNF) during the subscription period
________________________
PACKAGE 100 | 23,300 EUR
As part of the 100 Package, Supporters receive:
DORA.ai Subscription
• Cloud Version
• For 1 year from the date of public publication of the first edition
• Number of ICT contracts – up to 40
• The license includes: Package 50 + taxonomy and regulatory change management module + data quality management module + digital resilience indicator monitoring module
DORA.insight Subscription
• Cloud Version
• From January 1 to December 31, 2026
• The license includes: Package 50 + taxonomy and regulatory change management module + data quality management module + digital resilience indicator monitoring module - available from July 2026 to July 2026
• Number of ICT contracts – up to 40
• Support via the service portal + updates resulting from changes introduced by the Polish Financial Supervision Authority (KNF)
• Documentation available on the service portal
DORA.ai Training
Access to e-training for 1 year from the date of public publication of the first edition of DORA.ai Available on the specified platform – 3 subscriptions
Direct DORA.ai implementation support
Under separately agreed terms
DORA.ai technical support
• Via the DORA.ai service portal
• For 1 year from the date of public publication of the first edition
• For DORA.ai and Cloudera
• Telephone support Mon-Fri, 8:00 AM – 4:00 PM
DORA.ai documentation
• User and administrator documentation
• Available through the service portal
New DORA.ai versions
• After the release of the production version
• Changes introduced by the Polish Financial Supervision Authority (KNF) during the subscription period
DORA.ai source code
Full access to the source code upon project completion
Cloudera software for DORA.ai (optional)
• For the period until production implementation
• Preferential terms for purchasing a production subscription (discount level) "100")
________________________
PACKAGE 250 | 58,150 EUR
As part of the 250 Package, Supporters receive:
DORA.ai Subscription
• Cloud or On-premises Version
• For 1 year from the date of the public publication of the first edition
• Number of ICT contracts – up to 100
• The license includes: Package 100 + Business Continuity, Disaster Recovery, and BCP Testing Module + Impact and Cross-Area Analysis Module + Integrated ISO/IEC27001 Compliance Management Module + ITIL4 Interoperability Module + Cognitive Module
• Guaranteed DORA.ai subscription price for 3 years
DORA.insight Subscription
• Cloud or On-premises Version
• From January 1st to December 31st, 2026
• The license includes: Package 100 + Business Continuity, Disaster Recovery, and BCP Testing Module + Impact and Cross-Area Analysis Module + Integrated ISO/IEC27001 Compliance Management Module + Compliance Module ITIL4 operational training + cognitive module - availability 2026-07
• Number of ICT contracts - up to 100
• Support via the service portal + updates resulting from changes introduced by the Polish Financial Supervision Authority (KNF)
• Telephone support Mon-Fri, 8:00 AM - 4:00 PM
• Documentation available on the service portal
DORA.ai Training
• For 1 year from the date of public publication of the first edition of DORA.ai, access to e-training courses available on the designated platform - 5 subscriptions
• 3-day, in-person training for 2 people (DORA.ai Leaders)
Direct DORA.ai implementation support
On preferential terms guaranteed (discount level "250") - implemented based on an agreement with allclouds.pl or another partner company
DORA.ai Technical Support
• Via the DORA.ai service portal
• For 1 year from the date of public publication of the first edition Editions
• For DORA.ai and Cloudera
• Phone support Mon-Fri, 8:00 AM - 6:00 PM
DORA.ai Documentation
• User and administrator documentation
• Available through the service portal
DORA.ai new versions
• Early access after the release of "BETA-250"
• Changes introduced by the Polish Financial Supervision Authority (KNF) during the subscription period
DORA.ai source code
Full access to the source code upon project completion
Cloudera software for DORA.ai (optional)
• For the period until production deployment
• Preferential terms for purchasing a production subscription (discount level "250")
________________________
PACKAGE 500 | 116,300 EUR
As part of the 500 Package, Supporters receive:
DORA.ai Subscription
• Cloud or On-premises Version
• For 1 year from the date of the public publication of the first edition
• Unlimited number of ICT contracts
• The license covers: all available DORA.ai modules (additionally: supervisory documentation and corrective actions module + cyber maturity management module)
• Guaranteed DORA.ai subscription price for 5 years
DORA.insight Subscription
• Cloud or On-premises Version
• From January 1 to December 31, 2026
• The license covers: all available DORA.insight modules (additionally: supervisory documentation and corrective actions module + cyber maturity management module) - available from July 2026
• Unlimited number of ICT contracts
• Support via the service portal + updates resulting from changes introduced by the Polish Financial Supervision Authority (KNF)
• Telephone support Mon-Fri, 8:00 AM – 6:00 PM
• Documentation available on the service portal
DORA.ai Training
• Access to e-training courses available on the designated platform for 1 year from the date of public publication of the first edition of DORA.ai – 10 subscriptions
• 3-day, in-person training for 5 people (DORA.ai Leaders)
Direct DORA.ai implementation support
On preferential terms guaranteed ("500" discount level) – implemented based on an agreement with allclouds.pl or another partner company
DORA.ai Technical Support
• DORA.ai Service Portal
• For 1 year from the date of public publication of the first edition
• For DORA.ai and Cloudera
• Telephone support Mon-Fri, 8:00 AM – 6:00 PM
DORA.ai Documentation
• User documentation and Administrator
• Available within the service portal
• Source code documentation (including the code)
DORA.ai new versions
• Early access after the release of "BETA-500"
• Changes introduced by the Polish Financial Supervision Authority (KNF) during the subscription period
DORA.ai source code
• Full access to the source code upon project termination
• Guaranteed access to the DORA.ai source code during the subscription period (upon request / no more than once per year) – the latest production version (no distribution rights)
Cloudera software for DORA.ai (optional)
• For the period until production deployment
• Preferential terms for purchasing a production subscription (discount level "500")
ABOUT US
The success of such a complex, innovative project requires an interdisciplinary team composed of top-tier specialists. We are establishing a permanent, 10-person Core Team: nine technical/domain experts and a Project Manager (PM) to coordinate. Below are proposed team member profiles, along with the rationale for their necessity:
Architect / Senior Backend Developer – an experienced software engineer responsible for the design and implementation of the system's core. They will ensure the appropriate architecture (microservices, databases) and integration of individual modules. Their skills are crucial for the platform's scalability and reliability, especially since DORA.ai must handle sensitive data and ensure a high level of transaction security.
AI/ML (NLP) Specialist – an expert in artificial intelligence with a particular focus on natural language processing and machine learning. They will develop AI models for analyzing legal and technical documents, risk assessment, and AI Coach mechanisms. Their expertise will ensure autonomous, intelligent platform functions (such as automatic contract interpretation and risk scoring). This is a key role for achieving the project's innovative potential.
UX Designer / Frontend Developer – a specialist responsible for the presentation layer and UX/UI. Their responsibilities will include designing a user-friendly interface for web applications. Intuitive and ergonomic operation is critical to ensure that users (risk and compliance specialists) can easily utilize advanced AI features. This individual will ensure that the complexity of the technology is presented in an accessible, visually appealing format.
DevOps Engineer / Infrastructure Specialist – an expert in cloud and IT infrastructure who will automate system deployment, maintain development and production environments, and ensure service scalability and availability. Their role will also include optimizing infrastructure costs (important in crowdfunding projects) and ensuring platform-level security (containerization, CI/CD, backups).
Cybersecurity/Compliance Expert – a specialist combining IT security expertise with regulatory knowledge (DORA, related standards). They will serve as a business analyst and technical advisor, ensuring that the designed functions meet legal requirements and address the realities of cyber threats. Their presence ensures that the technical content (e.g., risk catalog, reporting requirements, test scenarios) is accurate and that the system effectively improves its resilience in line with the regulations.
Data Specialist/QA Analyst – responsible for preparing data for AI model training (collecting a corpus of documents, anonymizing, and labeling) and for testing and validating the system's performance. They will ensure systematic testing of AI modules (e.g., whether the model correctly classifies contracts or whether alerts do not generate false positives) and help measure the progress of research and development. If budget does not allow for a separate position, these responsibilities can be partially assumed by the AI Specialist (with the support of other team members).
The Project Manager (PM) will coordinate the work of the entire team, managing the schedule, budget, and communication. The PM is not directly involved in code production or research, but is crucial to the smooth implementation of the project: he or she is responsible for iteration planning, minimizing organizational risk, and reporting progress.
CONTACT:
allclouds.pl sp. z o.o.
Jutrzenki Street 139, 02-231 Warsaw, Poland
DORA contact:
+48-22-100-41-08
https://www.allclouds.pl/dora-ai-en
RISK
DORA.ai is a ground-up project that combines ambitious R&D with a specific business plan. Risks have been identified and mitigated (through phasing, budgetary reserves, and a communication plan with campaign backers), and the potential benefits are enormous – both financial and social.
