Risk Copilot

Use AI to read DORA requirements, understand enterprise evidence, explain risk, and continuously monitor changes.

1 / Read requirements

Ask a DORA question with official-source grounding.

Risk Copilot first retrieves source snippets, calls DeepSeek, and returns an answer with citations and confidence.

DeepSeek interaction trace: DORA Q&A request

1. Frontend request: POST /api/ai/ask-dora
2. Server builds context: 4 official source snippets
3. Call DeepSeek API: deepseek-v4-flash
4. Structured result: Answer · citations · confidence

Provider: DeepSeek
Model: deepseek-v4-flash

Question text · Official source snippets · Return JSON, citations, and confidence

Regulatory answer

Not free-form: show rationale, confidence, and citations.

Click “Read requirements” to show a concise explanation, confidence, and citations. The evidence review below uses the same DORA context.

2 / Understand data

Bring the DORA context into a vendor evidence review.

The same Risk Copilot now reads a critical ICT vendor profile and the collected evidence package.

CloudPay Processor

Critical ICT third-party service

Service: Payments processing
Access: API integration
Criticality: critical
Evidence package: 3 documents

Auto-discovered vendor

Critical payment processor, API access, customer data, critical function support.

Evidence package

SOC 2, BCP/DR summary, contract extract, incident timing, subcontracting, exit evidence.

DORA context

Official source snippets from the first step become review context.

SOC 2 Type II report

The vendor provided a SOC 2 Type II report covering security, availability, and confidentiality controls.

BCP and disaster recovery summary

The vendor describes annual disaster recovery testing, but the summary does not include customer-specific recovery evidence, exit dependencies, or subcontractor impact.

ICT contract extract

The contract includes service availability language, but audit rights, exit assistance, subcontracting notification, and incident notification timing are not clearly evidenced.

3 / Explain risk

Run Risk Copilot on the evidence package.

DeepSeek receives the vendor profile, evidence package, and DORA source snippets, then returns structured risk output.

DeepSeek interaction trace: DeepSeek risk review request

1. Frontend request: POST /api/vendors/review
2. Server builds context: 3 evidence docs + 5 DORA snippets
3. Call DeepSeek API: deepseek-v4-flash
4. Risk result: Risk · gaps · remediation

Provider: DeepSeek
Model: deepseek-v4-flash
Evidence docs: 3

Vendor profile · Evidence package · DORA source snippets · Return risk, gaps, and actions

Auditable risk output

Not just a score: show reason, evidence gap, triggered obligation, and action.

Run the review to turn the evidence package into four auditable outputs, not just a score.

Why this is a risk
What evidence is missing
Which DORA obligation is triggered
What remediation comes next

4 / Continuous monitoring

Simulate new evidence and update the risk state.

When the vendor provides missing recovery and exit evidence, Risk Copilot monitors the change and updates the follow-up action.

Run Risk Copilot first, then simulate the update.