AttestLayer

Program lane

DORA/VENDOR — Operational resilience and third-party evidence (illustrative profile, not legal DORA certification)

DORA/VENDOR packets record operational-resilience and third-party evidence for organizations that want a consistent packet shape around resilience workflows and critical-vendor reviews. The lane is illustrative; it is not a legal DORA certification or regulatory approval.

Evidence profileRecord-onlyVerifier-friendlyNot a certification

A program lane is a packet structure and an evidence-expectation profile. It is not a certification, audit opinion, or legal/regulatory approval.

Where DORA/VENDOR fits

Operational resilience teams

Teams documenting resilience evidence across critical processes and vendors.

Third-party risk

Third-party risk teams collecting standardized evidence around critical providers.

Banks and PSPs

Operational teams aligning resilience evidence with internal review workflows.

Insurers and counterparties

Counterparties asking for a structured resilience-and-vendor packet.

What the DORA/VENDOR packet records

Resilience scope

Which processes and vendors are in scope, and the time window.

Submitted evidence

Evidence supplied by the partner / submitter through the workspace.

Issuance metadata

Manifest, signed receipt, hash trail, and verification path.

Boundary statement

Explicit reminder that the packet is not legal DORA certification or regulator approval.

What DORA/VENDOR does not do

  • does not certify the underlying compliance, security, or legal state
  • does not promise buyer, regulator, insurer, PSP, or auditor acceptance
  • does not opine on the truthfulness of submitted records
  • does not replace DORA, regulatory, legal, banking, insurance, or audit review

Request Program review See illustrative case examples

The AttestLayer trust model

AttestLayer’s trust model is intentionally narrow. It records what was submitted, what was accepted into scope, what was issued, and how the issued kit can be checked.

The model uses

  • SHA-256 artifact hashing
  • manifest-based evidence inventory
  • canonical receipt hashing
  • Ed25519 receipt signatures
  • JWKS public-key discovery
  • offline verification
  • fail-closed verification behavior

What it proves

  • files match the manifest
  • manifest matches the receipt
  • receipt key ID matches a public key
  • receipt signature verifies
  • the kit has not been modified since issuance

What it does not prove

  • company compliance status
  • company security status
  • controls are operating effectively
  • a buyer, auditor, insurer, bank, regulator, or PSP has accepted the packet
  • the evidence content is legally sufficient

Integrity and issuance evidence only. Not audit, certification, or compliance guarantee.