DORA requires ongoing oversight of third-party ICT providers.
Vendor decisions happen every day. When oversight is questioned, most organisations reconstruct what happened. That is not proof.
Art. 28 · Art. 30 · Art. 17 · In force since 17 Jan 2025
The obligation
This is what DORA looks like in your decisions.
Each obligation maps to a decision. Each decision must be provable.
// dora evidence surface
You have decisions you cannot prove.
DORA obligations attach to decisions. This shows where oversight cannot be proven.
DORA · Articles 28 · 30 · 17
Ongoing oversight of ICT third-party providers
6 oversight decisions lack retrievable evidence
26 monitoring checks overdue (no change in the last 30 days)
168 policies awaiting ratification (oldest 359 days)
3 DORA articles affected (28 · 30 · 17)
Where this breaks:
A vendor is approved: the approval exists, the reasoning does not
A monitoring check is overdue: no retrievable evidence
An incident is classified: the classification is reconstructed later

With a Decision Receipt:
Approval evidenced: inputs, policy and actor bound together
Monitoring action sealed: captured at the moment it happens
Classification provable: replayable end to end
Logs capture events. DORA asks for decisions.
Policies are stored separately. Evidence changes over time. When asked to demonstrate oversight, systems reconstruct the past. DORA requires something stronger.
DORA attaches to decisions
Ongoing oversight is not abstract.
It is made up of decisions. Vendor approval. Risk classification. Monitoring actions. Incident response. Every supervisory question lands on one of them.
Vendor approval · Art. 28 · Art. 30
Risk classification · Art. 28
Monitoring action · Art. 28
Incident response · Art. 17
Each one must be provable.
MeshQu mapping
A regulatory obligation becomes a decision.
A decision produces a Decision Receipt — what was decided, which policy applied, what evidence was used, what outcome was reached. Captured at execution. Not reconstructed later.
Decision Receipt · Vendor Oversight · DR-K7M9-2P4Q · Verified
Decision: Approved by Risk Committee
Policy: Third-party risk, Tier 1, v7
Evidence: 3 attestations, 2 documents
Integrity: sha256:0xdead…beef
Oversight happens in chains
DORA does not ask for isolated decisions.
It asks for continuous oversight. Screening → Approval → Monitoring → Incident. Each step is captured. The full chain is sealed. You can prove not just what happened, but how it unfolded.
4 receipts · 1 provable lifecycle
Step 01 · Intake · r-001 · policy: ok · result: valid · seal: ◎
Step 02 · Classify · r-002 · policy: ok · result: valid · seal: ◎
Step 03 · Policy · r-003 · policy: ok · result: valid · seal: ◎
Step 04 · Outcome · r-004 · policy: ok · result: valid · seal: ◎
Trust posture
Verifiable without trusting MeshQu.
A receipt can be verified independently: anyone holding the receipt and the seal it was anchored to can recompute the seal and confirm the decision, policy and evidence have not changed. No reliance on internal systems. No dependency on MeshQu. Proof stands on its own.
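To make the receipt, the chain and the independent check concrete, here is an added example. It is not MeshQu's code and the receipt schema, field names, policy identifiers and four-step sample lifecycle are all assumptions made for illustration. Each receipt records what was decided, which policy applied, which evidence (as hashes) was used and what outcome was reached; its seal is a SHA-256 over the body and the previous receipt's seal, so every step is bound to the one before it. Verification needs only the chain itself plus a final seal anchored somewhere the issuer cannot quietly rewrite (the `expected_final_seal` parameter models that anchor); a hash chain on its own proves internal consistency, not who issued it, so a real deployment would add a signature or an external anchor at sealing time.

```python
"""Hash-chained decision receipts, sealed at execution and verifiable later
without the issuing system. Added illustration: the receipt schema, field
names and sample content below are assumptions, not MeshQu's own format."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first receipt of a chain (assumption)


def canonical(obj) -> bytes:
    """Deterministic JSON so an identical body always yields the same hash."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def compute_seal(body: dict, prev_seal: str) -> str:
    """SHA-256 over the previous seal plus the canonical body. Hashing
    prev_seal in is what links receipts into one tamper-evident chain."""
    return hashlib.sha256(prev_seal.encode() + canonical(body)).hexdigest()


def evidence_ref(doc: bytes) -> str:
    """Receipts carry hashes of the inputs, not the inputs themselves."""
    return "sha256:" + hashlib.sha256(doc).hexdigest()


def make_receipt(receipt_id, step, decision, policy, evidence, outcome, actor, prev_seal):
    body = {
        "id": receipt_id,
        "step": step,
        "decision": decision,          # what was decided
        "policy": policy,              # which policy version applied
        "evidence": sorted(evidence),  # what evidence was used
        "outcome": outcome,            # what outcome was reached
        "actor": actor,                # who (or what) decided
    }
    return {"body": body, "prev_seal": prev_seal, "seal": compute_seal(body, prev_seal)}


def build_chain(steps):
    """Seal each step as it is recorded, binding it to the previous seal."""
    chain, prev = [], GENESIS
    for s in steps:
        receipt = make_receipt(prev_seal=prev, **s)
        chain.append(receipt)
        prev = receipt["seal"]
    return chain


def verify_chain(chain, expected_final_seal=None):
    """Recompute every seal from body and prev_seal. Needs only the chain and,
    ideally, a final seal anchored outside the issuer. Returns (ok, reason)."""
    prev = GENESIS
    for i, r in enumerate(chain):
        if r["prev_seal"] != prev:
            return False, f"receipt {i}: prev_seal does not match the preceding receipt"
        if compute_seal(r["body"], r["prev_seal"]) != r["seal"]:
            return False, f"receipt {i}: body or prev_seal altered after sealing"
        prev = r["seal"]
    if expected_final_seal is not None and prev != expected_final_seal:
        return False, "final seal does not match the anchored value"
    return True, "ok"


# Constructed four-step vendor lifecycle: Intake -> Classify -> Policy -> Outcome.
SAMPLE_STEPS = [
    dict(receipt_id="r-001", step="Intake", decision="vendor intake accepted",
         policy="tprm-intake v3", evidence=[evidence_ref(b"questionnaire (constructed)")],
         outcome="valid", actor="onboarding-service"),
    dict(receipt_id="r-002", step="Classify", decision="critical ICT provider",
         policy="tprm-classification v2",
         evidence=[evidence_ref(b"dependency map (constructed)"),
                   evidence_ref(b"exit plan (constructed)")],
         outcome="valid", actor="risk-analyst@example"),
    dict(receipt_id="r-003", step="Policy", decision="tier 1 contract terms required",
         policy="third-party-risk tier1 v7",
         evidence=[evidence_ref(b"contract draft (constructed)")],
         outcome="valid", actor="legal-review"),
    dict(receipt_id="r-004", step="Outcome", decision="approved by risk committee",
         policy="third-party-risk tier1 v7",
         evidence=[evidence_ref(b"committee minutes (constructed)")],
         outcome="valid", actor="risk-committee"),
]
CHAIN = build_chain(SAMPLE_STEPS)
FINAL_SEAL = CHAIN[-1]["seal"]  # the value you would anchor externally


def tampered_chain(reseal: bool) -> list:
    """Swap the classification evidence after the fact. Without re-sealing, the
    altered receipt fails its own check; with re-sealing, the next receipt's
    prev_seal no longer matches, so the edit is still caught."""
    bad = copy.deepcopy(CHAIN)
    bad[1]["body"]["evidence"] = [evidence_ref(b"substituted dependency map")]
    if reseal:
        bad[1]["seal"] = compute_seal(bad[1]["body"], bad[1]["prev_seal"])
    return bad


if __name__ == "__main__":
    print(verify_chain(CHAIN, FINAL_SEAL))                  # (True, 'ok')
    print(verify_chain(tampered_chain(False), FINAL_SEAL))  # fails at receipt 1
    print(verify_chain(tampered_chain(True), FINAL_SEAL))   # fails at receipt 2
```

The two tamper cases are the ones a reviewer should insist on: editing a sealed body breaks that receipt's own seal, and re-sealing the edited receipt breaks the link from the next one, so a later reconstruction cannot be passed off as the original decision. What the chain cannot do is identify the issuer, which is why the final seal (or each seal) must be anchored or signed at the moment of sealing rather than looked up from the issuer's own store at audit time.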
Questions
DORA, in practice
Does MeshQu replace our GRC or vendor risk system?
No. MeshQu sits alongside those systems and captures the decisions they depend on.
Why does DORA need decision-level evidence?
Because oversight is made up of decisions: vendor approval, risk classification, monitoring actions and incident response.
Can MeshQu prove an oversight chain?
Yes. Individual receipts can be linked into sealed decision chains.
The boundary
If you cannot prove these decisions, you cannot demonstrate oversight.